Mercurial > dropbear
view libtomcrypt/notes/etc/NoekeonVects.java @ 1672:3a97f14c0235
Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
* Add Chacha20-Poly1305 authenticated encryption
* Add general AEAD approach.
* Add [email protected] algo using LibTomCrypt chacha and
poly1305 routines.
Chacha20-Poly1305 is generally faster than AES256 on CPU w/o dedicated
AES instructions, having the same key size.
Compiling in will add ~5,5kB to binary size on x86-64.
function old new delta
chacha_crypt - 1397 +1397
_poly1305_block - 608 +608
poly1305_done - 595 +595
dropbear_chachapoly_crypt - 457 +457
.rodata 26976 27392 +416
poly1305_process - 290 +290
poly1305_init - 221 +221
chacha_setup - 218 +218
encrypt_packet 1068 1270 +202
dropbear_chachapoly_getlength - 147 +147
decrypt_packet 756 897 +141
chacha_ivctr64 - 137 +137
read_packet 543 637 +94
dropbear_chachapoly_start - 94 +94
read_kex_algos 792 880 +88
chacha_keystream - 69 +69
dropbear_mode_chachapoly - 48 +48
sshciphers 280 320 +40
dropbear_mode_none 24 48 +24
dropbear_mode_ctr 24 48 +24
dropbear_mode_cbc 24 48 +24
dropbear_chachapoly_mac - 24 +24
dropbear_chachapoly - 24 +24
gen_new_keys 848 854 +6
------------------------------------------------------------------------------
(add/remove: 14/0 grow/shrink: 10/0 up/down: 5388/0) Total: 5388 bytes
* Add AES128-GCM and AES256-GCM authenticated encryption
* Add general AES-GCM mode.
* Add [email protected] and [email protected] algo using
LibTomCrypt gcm routines.
AES-GCM is combination of AES CTR mode and GHASH, slower than AES-CTR on
CPU w/o dedicated AES/GHASH instructions therefore disabled by default.
Compiling in will add ~6kB to binary size on x86-64.
function old new delta
gcm_process - 1060 +1060
.rodata 26976 27808 +832
gcm_gf_mult - 820 +820
gcm_add_aad - 660 +660
gcm_shift_table - 512 +512
gcm_done - 471 +471
gcm_add_iv - 384 +384
gcm_init - 347 +347
dropbear_gcm_crypt - 309 +309
encrypt_packet 1068 1270 +202
decrypt_packet 756 897 +141
gcm_reset - 118 +118
read_packet 543 637 +94
read_kex_algos 792 880 +88
sshciphers 280 360 +80
gcm_mult_h - 80 +80
dropbear_gcm_start - 62 +62
dropbear_mode_gcm - 48 +48
dropbear_mode_none 24 48 +24
dropbear_mode_ctr 24 48 +24
dropbear_mode_cbc 24 48 +24
dropbear_ghash - 24 +24
dropbear_gcm_getlength - 24 +24
gen_new_keys 848 854 +6
------------------------------------------------------------------------------
(add/remove: 14/0 grow/shrink: 10/0 up/down: 6434/0) Total: 6434 bytes
| author | Vladislav Grishenko <themiron@users.noreply.github.com> |
|---|---|
| date | Mon, 25 May 2020 20:50:25 +0500 |
| parents | 6dba84798cd5 |
| children |
line wrap: on
line source
/* NoekeonVects.java - Generate Noekeon test vectors using BouncyCastle. Written in 2011 by Patrick Pelletier <[email protected]> To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty. This file is dedicated to the public domain with the CC0 Public Domain Dedication: http://creativecommons.org/publicdomain/zero/1.0/legalcode.txt You may also consider this file to be covered by the WTFPL, as contained in the LibTomCrypt LICENSE file, if that makes you happier for some reason. ---------------------------------------------------------------------- This program was inspired by the comment in Botan 1.10.1's doc/examples/eax_test.cpp: // Noekeon: unknown cause, though LTC's lone test vector does not // match Botan So, I investigated the discrepancy by comparing them with a third implementation, BouncyCastle: http://www.bouncycastle.org/java.html I determined that there are two reasons why LibTomCrypt's Noekeon does not match Botan: 1) Botan uses "indirect Noekeon" (with a key schedule), while LibTomCrypt and BouncyCastle both use "direct Noekeon" (without a key schedule). See slide 14 of http://gro.noekeon.org/Noekeon-slides.pdf 2) However, LibTomCrypt's direct Noekeon still does not match BouncyCastle's direct Noekeon. This is because of a bug in LibTomCrypt's PI1 and PI2 functions: https://github.com/libtom/libtomcrypt/issues/5 This program uses BouncyCastle to produce test vectors which are suitable for Botan (by explicitly scheduling the key, thus building indirect Noekeon out of BouncyCastle's direct Noekeon), and also produces test vectors which would be suitable for LibTomCrypt (direct Noekeon) once its PI1 and PI2 functions are fixed to match the Noekeon specification. Although this program uses a PRNG from BouncyCastle to generate data for the test vectors, it uses a fixed seed and thus will produce the same output every time it is run. */ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.util.Locale; import org.bouncycastle.crypto.digests.RIPEMD128Digest; import org.bouncycastle.crypto.engines.NoekeonEngine; import org.bouncycastle.crypto.modes.EAXBlockCipher; import org.bouncycastle.crypto.params.AEADParameters; import org.bouncycastle.crypto.params.KeyParameter; import org.bouncycastle.crypto.prng.DigestRandomGenerator; import org.bouncycastle.util.encoders.HexEncoder; public class NoekeonVects { private final DigestRandomGenerator r = new DigestRandomGenerator(new RIPEMD128Digest()); private final HexEncoder h = new HexEncoder(); private final NoekeonEngine noekeon = new NoekeonEngine(); private final KeyParameter null_key = new KeyParameter(new byte[16]); private final boolean schedule_key; private final boolean botan_format; private byte[] randomBytes(int n) { byte[] b = new byte[n]; r.nextBytes(b); return b; } private void hexOut(byte[] b) throws IOException { // HexEncoder uses lowercase, and Botan's test vectors must // be in uppercase, so... ByteArrayOutputStream os = new ByteArrayOutputStream(); h.encode(b, 0, b.length, os); String s = os.toString("US-ASCII"); System.out.print(s.toUpperCase(Locale.US)); } private void printCArray(byte[] a) throws IOException { byte[] b = new byte[1]; for (int i = 0; i < a.length; i++) { if (i > 0) System.out.print(", "); System.out.print("0x"); b[0] = a[i]; hexOut(b); } } private void printVector(byte[] key, byte[] plaintext, byte[] ciphertext) throws IOException { if (botan_format) { hexOut(plaintext); System.out.print(":"); hexOut(ciphertext); System.out.println(":\\"); hexOut(key); System.out.println(); } else { System.out.println(" {"); System.out.println(" 16,"); System.out.print(" { "); printCArray (key); System.out.println(" },"); System.out.print(" { "); printCArray (plaintext); System.out.println(" },"); System.out.print(" { "); printCArray (ciphertext); System.out.println(" }"); System.out.println(" },"); } } private KeyParameter maybe_schedule_key(byte[] key) { if (schedule_key) { noekeon.init(true, null_key); byte[] scheduled = new byte[16]; noekeon.processBlock(key, 0, scheduled, 0); return new KeyParameter(scheduled); } else return new KeyParameter(key); } private byte[] encrypt(byte[] plaintext, byte[] key) { KeyParameter kp = maybe_schedule_key(key); noekeon.init(true, kp); byte[] ciphertext = new byte[16]; noekeon.processBlock(plaintext, 0, ciphertext, 0); return ciphertext; } public NoekeonVects(long seed, boolean schedule_key, boolean botan_format) { this.schedule_key = schedule_key; this.botan_format = botan_format; r.addSeedMaterial(seed); } public void ecb_vectors() throws IOException { for (int i = 0; i < 8; i++) { byte[] key = randomBytes(16); byte[] plaintext = randomBytes(16); byte[] ciphertext = encrypt(plaintext, key); printVector(key, plaintext, ciphertext); } } public void eax_vectors() throws Exception { System.out.println("EAX-noekeon (16 byte key)"); EAXBlockCipher eax = new EAXBlockCipher(new NoekeonEngine()); byte[] output = new byte[48]; byte[] tag = new byte[16]; for (int j = 0; j < 16; j++) tag[j] = (byte) j; for (int i = 0; i <= 32; i++) { byte[] header_nonce_plaintext = new byte[i]; for (int j = 0; j < i; j++) header_nonce_plaintext[j] = (byte) j; AEADParameters params = new AEADParameters(maybe_schedule_key(tag), 128, header_nonce_plaintext, header_nonce_plaintext); eax.init(true, params); int off = eax.processBytes(header_nonce_plaintext, 0, i, output, 0); off += eax.doFinal(output, off); if (off != i + 16) throw new RuntimeException("didn't expect that"); byte[] ciphertext = new byte[i]; for (int j = 0; j < i; j++) ciphertext[j] = output[j]; for (int j = 0; j < 16; j++) tag[j] = output[i + j]; System.out.print(i < 10 ? " " : " "); System.out.print(i); System.out.print(": "); hexOut(ciphertext); System.out.print(", "); hexOut(tag); System.out.println(); } } public static void main(String[] argv) throws Exception { NoekeonVects bot = new NoekeonVects(0xdefacedbadfacadeL, true, true); NoekeonVects tom = new NoekeonVects(0xdefacedbadfacadeL, false, false); System.out.println("# ECB vectors for indirect Noekeon, in Botan's"); System.out.println("# test vector format, suitable for insertion"); System.out.println("# into Botan's file checks/validate.dat"); System.out.println("# Block cipher format is plaintext:ciphertext:key"); bot.ecb_vectors(); System.out.println(); System.out.println("/* ECB vectors for direct Noekeon, as C arrays"); System.out.println(" * suitable for insertion into LibTomCrypt's"); System.out.println(" * noekeon_test() in src/ciphers/noekeon.c,"); System.out.println(" * once LTC's PI1/PI2 bug is fixed. */"); tom.ecb_vectors(); System.out.println(); System.out.println("# EAX vectors for indirect Noekeon, in the format"); System.out.println("# generated by LTC's demos/tv_gen.c and consumed"); System.out.println("# by Botan's doc/examples/eax_test.cpp, suitable"); System.out.println("# for insertion in Botan's doc/examples/eax.vec"); bot.eax_vectors(); System.out.println(); System.out.println("# EAX vectors for direct Noekeon, in the format"); System.out.println("# generated by LTC's demos/tv_gen.c and consumed"); System.out.println("# by Botan's doc/examples/eax_test.cpp, which"); System.out.println("# should match LTC's notes/eax_tv.txt, once"); System.out.println("# LTC's PI1/PI2 bug is fixed."); tom.eax_vectors(); System.out.flush(); } }