Ocb and eax modes with aes #26

Merged
merged 18 commits into from
Sep 3, 2019

Conversation

zugzwang (Contributor) commented Aug 16, 2019

OCB and EAX modes of operation as AEAD interfaces

Implemented OCB and EAX modes of operation from RFC7253 and BRW04, respectively. This pull request is a follow-up from 24, and it implements the AEAD interface (defined in gcm) for both modes.

Both packages include sets of randomly generated test vectors, which were validated against OpenPGPjs.

OCB package

Supports any block cipher of block size 128 bits, and any tag and nonce sizes. Provided a new set of test vectors with AES-{128, 192, 256} and different tag and nonce lengths, in order to cover average cases (see comment below).

Optimized en/decryption speed when using incremental nonces

Storing a ciphertext across en/decryptions allows reducing the internal block cipher encryptions 63 out of 64 times, when using incremental nonces.

Tests

  • TestOCBImplementsAEADInterface, see gcm.go
  • Test length parameters
  • Test a design property of the hash function defined in RFC7253
  • Test against all test vectors from RFC7253
  • Test against random vectors provided in random_vectors.go
  • Test random cases (Encrypt-then-Decrypt)
  • Test tampered ciphertext rejection

Benchmarks
Plaintext length 2 ** 18 bytes, header length 16 bytes, crypto/rand generated

  • Seal (encrypt and authenticate procedure of the AEAD interface)
  • Open (decrypt and validate procedure of the AEAD interface)

EAX package

Tests

  • TestEAXImplementsAEADInterface, see gcm.go
  • Check against test vectors from BRW04
  • Correctness of crypto/rand generated vectors (Encrypt-then-Decrypt)
  • Test against random vectors provided in random_vectors.go
  • Test on unsupported/incorrect parameters
  • Rejection of tampered ciphertexts (either on data or tag tampering)

Benchmarks
Plaintext length 2 ** 18 bytes, header length 16 bytes, crypto/rand generated

  • Seal (encrypt and authenticate procedure of the AEAD interface)
  • Open (decrypt and validate procedure of the AEAD interface)

Thanks to @twiss for help with debugging

Comment: The motivation for including a new set of test vectors for OCB comes from the fact that, in the test vectors provided by RFC7253, the bottom internal variable (which defines offset for the first time), does not exceed the value of 15. However, it can attain values up to 63, which are covered by these new vectors. This set of vectors includes key length in {128, 192, 256}, tag size 128 bits, and random nonce, header, and plaintext lengths.

zugzwang (Contributor, Author) left a comment:

Pointing out aforementioned typo.
twiss (Member) left a comment:
It might be nice, once we have EAX, OCB, and GCM, to be able to use all of them interchangeably, and also to do

var aeadInstance AEAD
if (...) {
  aeadInstance = NewGCM(block)
} else {
  aeadInstance = NewEAX(block)
}
aeadInstance.Seal(...)

So it might in fact be a good idea to implement the AEAD interface defined here: https://golang.org/src/crypto/cipher/gcm.go
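As an added illustration of the interchangeable use suggested above (not code from this pull request or from the reviewer): a mode is chosen by name behind crypto/cipher's AEAD interface, and the same checks the pull request lists for its tests (Encrypt-then-Decrypt on random data, rejection of tampered data and tag bytes) run against any implementation. Only GCM comes from the standard library here; the newAEAD and checkAEAD names are assumptions, and the EAX and OCB constructors would be added as further cases.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD selects a mode by name behind the cipher.AEAD interface; only GCM
// comes from the standard library here, EAX and OCB would be further cases.
func newAEAD(mode string, key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if mode == "gcm" {
		return cipher.NewGCM(block)
	}
	return nil, fmt.Errorf("unsupported AEAD mode %q", mode)
}

// checkAEAD runs the same Encrypt-then-Decrypt and tamper-rejection checks
// against any cipher.AEAD: a fresh random nonce, a round trip, then Open on a
// copy with one flipped byte at each end (data and tag) must fail.
func checkAEAD(aead cipher.AEAD, plaintext, header []byte) error {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := aead.Seal(nil, nonce, plaintext, header)
	if len(ct) != len(plaintext)+aead.Overhead() {
		return fmt.Errorf("ciphertext length %d, want %d", len(ct), len(plaintext)+aead.Overhead())
	}
	pt, err := aead.Open(nil, nonce, ct, header)
	if err != nil || !bytes.Equal(pt, plaintext) {
		return fmt.Errorf("round trip failed: %v", err)
	}
	for _, i := range []int{0, len(ct) - 1} {
		bad := append([]byte(nil), ct...)
		bad[i] ^= 0x01
		if _, err := aead.Open(nil, nonce, bad, header); err == nil {
			return fmt.Errorf("tampered byte %d was accepted", i)
		}
	}
	return nil
}
```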

@zugzwang zugzwang closed this Aug 20, 2019
@zugzwang zugzwang reopened this Aug 20, 2019
zugzwang (Contributor, Author) commented Aug 20, 2019

The last check failed at TestEndToEnd, which has nothing to do with this branch. The whole log is here.

EDIT: The following commit passed, so this is definitely an issue with EdDSA.

EDIT: Fixed

@zugzwang zugzwang force-pushed the ocb-and-eax-modes-with-aes branch 4 times, most recently from 5ef8281 to 5f074ba Compare August 23, 2019 12:24
@twiss twiss merged commit ac9b7da into ProtonMail:master Sep 3, 2019
@zugzwang zugzwang deleted the ocb-and-eax-modes-with-aes branch September 6, 2019 07:59