cfrg / draft-irtf-cfrg-aegis-aead

Specification for the AEGIS family of authenticated encryption algorithms.
https://cfrg.github.io/draft-irtf-cfrg-aegis-aead/draft-irtf-cfrg-aegis-aead.html

spec: Off-by-one error in the definition of RFC 5116 constants #45

Closed Yawning closed 1 month ago

Yawning commented 1 month ago

RFC 5116 defines A_MAX and P_MAX as an inclusive range (Section 4):

Each AEAD algorithm MUST accept any plaintext with a length between zero and P_MAX octets, inclusive, where the value P_MAX is specific to that algorithm.

Each AEAD algorithm MUST accept any associated data with a length between zero and A_MAX octets, inclusive, where the value A_MAX is specific to that algorithm.

The draft algorithm high-level definitions appear to follow this convention (Section 3, 4):

https://github.com/cfrg/draft-irtf-cfrg-aegis-aead/blob/dc1f4805eba4c4305b16f9741524dbde0ccea586/draft-irtf-cfrg-aegis-aead.md?plain=1#L362-L363

https://github.com/cfrg/draft-irtf-cfrg-aegis-aead/blob/dc1f4805eba4c4305b16f9741524dbde0ccea586/draft-irtf-cfrg-aegis-aead.md?plain=1#L698-L699

However, it is clear from the algorithm pseudocode sections and how the tag is generated that this P_MAX/A_MAX must be exclusive (links to the AEGIS-256 copies omitted for brevity).

https://github.com/cfrg/draft-irtf-cfrg-aegis-aead/blob/dc1f4805eba4c4305b16f9741524dbde0ccea586/draft-irtf-cfrg-aegis-aead.md?plain=1#L385-L386

https://github.com/cfrg/draft-irtf-cfrg-aegis-aead/blob/dc1f4805eba4c4305b16f9741524dbde0ccea586/draft-irtf-cfrg-aegis-aead.md?plain=1#L679

While it is a combination of impossible/impractical/unlikely that data will ever reach the length where this discrepancy actually matters, P_MAX and A_MAX should be changed to be 2^61 - 1 bytes (2^64 - 8 bits), and C_MAX should be updated accordingly.

jedisct1 commented 1 month ago

Good catch! Thank you!
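The off-by-one reported in this issue, worked through on lengths alone. This is an added example, not code from the draft or from either commenter. It assumes the tag computation encodes each length in bits as a 64-bit little-endian value (which the 2^64 - 8 bit bound above implies), and the function names and `AEGIS_LEN_MAX` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bound proposed in the issue: 2^61 - 1 bytes (2^64 - 8 bits). Name is hypothetical. */
#define AEGIS_LEN_MAX ((UINT64_C(1) << 61) - 1)

/* LE64: store a 64-bit value in little-endian byte order. */
static void le64(uint8_t out[8], uint64_t v) {
    for (int i = 0; i < 8; i++) out[i] = (uint8_t)(v >> (8 * i));
}

/* Models an implementation with no length check (assumption): the bit
 * count is computed in uint64_t, so 2^61 bytes wraps to 0 bits. */
void length_block_unchecked(uint8_t out[16], uint64_t ad_len, uint64_t msg_len) {
    le64(out, ad_len * 8);
    le64(out + 8, msg_len * 8);
}

/* Returns 0 on success, -1 when a bit length would not fit in 64 bits. */
int length_block_checked(uint8_t out[16], uint64_t ad_len, uint64_t msg_len) {
    if (ad_len > AEGIS_LEN_MAX || msg_len > AEGIS_LEN_MAX) return -1;
    length_block_unchecked(out, ad_len, msg_len);
    return 0;
}

/* Returns 1 when two (ad_len, msg_len) pairs yield the same unchecked block. */
int blocks_collide(uint64_t ad1, uint64_t m1, uint64_t ad2, uint64_t m2) {
    uint8_t a[16], b[16];
    length_block_unchecked(a, ad1, m1);
    length_block_unchecked(b, ad2, m2);
    return memcmp(a, b, 16) == 0;
}

int main(void) {
    uint64_t one_past = UINT64_C(1) << 61; /* 2^61 bytes: one more than the proposed bound */
    uint8_t blk[16];
    printf("2^61 bytes vs empty, same block:     %d\n", blocks_collide(one_past, 0, 0, 0));
    printf("2^61 - 1 bytes vs empty, same block: %d\n", blocks_collide(AEGIS_LEN_MAX, 0, 0, 0));
    printf("checked(2^61) = %d, checked(2^61 - 1) = %d\n",
           length_block_checked(blk, one_past, 0),
           length_block_checked(blk, AEGIS_LEN_MAX, 0));
    return 0;
}
```

With an inclusive bound of 2^61 bytes, the length field for a maximum-length input is indistinguishable from that of an empty one; the 2^61 - 1 bound keeps every accepted length representable.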