utils/advmodes: Implement (only) a toy version of OCB2.
I doubt this will ever end up as a high-quality mode implementation in
Catacomb, because it doesn't actually provide authenticity. See
`Cryptanalysis of OCB2' by Akiko Inoue and Kazuhiko Minamatsu,
https://eprint.iacr.org/2018/1040.
This is enough to confirm their result.
* First, choose an arbitrary key and nonce, and encrypt a two-block
message whose first block contains len(0^{128}) = 128; the second
block is arbitrary.
$ ./advmodes ocb2-enc rijndael
00112233445566778899aabbccddeeff 00112233445566778899aabbccddeeff "" 0000000000000000000000000000008000112233445566778899aabbccddeeff
0e6475201e14155a2744eb78f396581c3ffbfcf1d7a2505ef8f5e56b2824f4bb
5973f3fdd62e411b05c9d9d982769bbc
* Ask Python to XOR pieces of message and ciphertext:
>>> import catacomb as C
>>> C.bytes('
00000000000000000000000000000080') ^ C.bytes('
0e6475201e14155a2744eb78f396581c')
bytes('
0e6475201e14155a2744eb78f396589c')
>>> C.bytes('
00112233445566778899aabbccddeeff') ^ C.bytes('
3ffbfcf1d7a2505ef8f5e56b2824f4bb')
bytes('
3feadec293f73629706c4fd0e4f91a44')
* Use the first result as the ciphertext and the second as the MAC.
$ ./advmodes ocb2-dec rijndael
00112233445566778899aabbccddeeff 00112233445566778899aabbccddeeff ""
0e6475201e14155a2744eb78f396589c 3feadec293f73629706c4fd0e4f91a44
c5ecf37c57e1b262c83c0739468037e4
Oops.