floodyberry / chacha-opt

Optimized block functions for the ChaCha stream cipher

Failure when using incremental instead of one-shot #4

Closed lamasp closed 9 years ago

lamasp commented 9 years ago

Have been trying to verify some test vectors using chacha-opt, in particular two taken from http://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-04#appendix-A.2

Vector 1 passes in both one-shot and incremental approaches, while Vector 3 only passes in one-shot, and fails in incremental. The expected output in the example is different to the IETF doc, as I could not find a way to specify the counter for an invocation.

This issue is for the two problems:

The incremental approach passes on inputs 1-64 bytes in length, but fails for all inputs > 64 that aren't multiples of 64. So 127 and 129 bytes fail, but 128 passes. I'm not sure if this is because of a bug in chacha_final(?) or if it's intentional that it must be on 64-byte units for the incremental approach?

Output from my tests:

```
== vector-1-one (64 bytes) ==
actual: 76B8E0ADA0F13D90405D6AE55386BD28BDD219B8A08DED1AA836EFCC8B770DC7DA41597C5157488D7724E03FB8D84A376A43B8F41518A11CC387B669B2EE6586
expected: 76B8E0ADA0F13D90405D6AE55386BD28BDD219B8A08DED1AA836EFCC8B770DC7DA41597C5157488D7724E03FB8D84A376A43B8F41518A11CC387B669B2EE6586
result: PASS

== vector-1-inc (64 bytes) ==
actual: 76B8E0ADA0F13D90405D6AE55386BD28BDD219B8A08DED1AA836EFCC8B770DC7DA41597C5157488D7724E03FB8D84A376A43B8F41518A11CC387B669B2EE6586
expected: 76B8E0ADA0F13D90405D6AE55386BD28BDD219B8A08DED1AA836EFCC8B770DC7DA41597C5157488D7724E03FB8D84A376A43B8F41518A11CC387B669B2EE6586
result: PASS

== vector-3-one (127 bytes) ==
actual: B10A4CA78ACC1CAB3F64649DB505D92A7D1BD201A2FE1FB8B130AAC2AB1364C1C597EE02D3DE97658A9316CA4F559B7572F7FDD2030A89116FCEBCCD8F1BD9B851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C
expected: B10A4CA78ACC1CAB3F64649DB505D92A7D1BD201A2FE1FB8B130AAC2AB1364C1C597EE02D3DE97658A9316CA4F559B7572F7FDD2030A89116FCEBCCD8F1BD9B851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C
result: PASS

== vector-3-inc (127 bytes) ==
actual: 51E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613CB851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C
expected: B10A4CA78ACC1CAB3F64649DB505D92A7D1BD201A2FE1FB8B130AAC2AB1364C1C597EE02D3DE97658A9316CA4F559B7572F7FDD2030A89116FCEBCCD8F1BD9B851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C
result: FAIL

== vector-3-128B-one (128 bytes) ==
actual: B10A4CA78ACC1CAB3F64649DB505D92A7D1BD201A2FE1FB8B130AAC2AB1364C1C597EE02D3DE97658A9316CA4F559B7572F7FDD2030A89116FCEBCCD8F1BD9B851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C1C
expected: B10A4CA78ACC1CAB3F64649DB505D92A7D1BD201A2FE1FB8B130AAC2AB1364C1C597EE02D3DE97658A9316CA4F559B7572F7FDD2030A89116FCEBCCD8F1BD9B851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C1C
result: PASS

== vector-3-128B-inc (128 bytes) ==
actual: B10A4CA78ACC1CAB3F64649DB505D92A7D1BD201A2FE1FB8B130AAC2AB1364C1C597EE02D3DE97658A9316CA4F559B7572F7FDD2030A89116FCEBCCD8F1BD9B851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C1C
expected: B10A4CA78ACC1CAB3F64649DB505D92A7D1BD201A2FE1FB8B130AAC2AB1364C1C597EE02D3DE97658A9316CA4F559B7572F7FDD2030A89116FCEBCCD8F1BD9B851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C1C
result: PASS

== vector-3-129B-one (129 bytes) ==
actual: B10A4CA78ACC1CAB3F64649DB505D92A7D1BD201A2FE1FB8B130AAC2AB1364C1C597EE02D3DE97658A9316CA4F559B7572F7FDD2030A89116FCEBCCD8F1BD9B851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C1C36
expected: B10A4CA78ACC1CAB3F64649DB505D92A7D1BD201A2FE1FB8B130AAC2AB1364C1C597EE02D3DE97658A9316CA4F559B7572F7FDD2030A89116FCEBCCD8F1BD9B851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C1C36
result: PASS

== vector-3-129B-inc (129 bytes) ==
actual: 360A4CA78ACC1CAB3F64649DB505D92A7D1BD201A2FE1FB8B130AAC2AB1364C1C597EE02D3DE97658A9316CA4F559B7572F7FDD2030A89116FCEBCCD8F1BD9B851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C1C36
expected: B10A4CA78ACC1CAB3F64649DB505D92A7D1BD201A2FE1FB8B130AAC2AB1364C1C597EE02D3DE97658A9316CA4F559B7572F7FDD2030A89116FCEBCCD8F1BD9B851E7FA0E00929795C88542CF722465D00155082B361F8B47791AF5E82393E252B63E16602978B4E8F55C5E7485F6A6B9A4A8CAAB09E0D14B4861D29F92613C1C36
result: FAIL
```

lamasp commented 9 years ago

See gist for test source: https://gist.github.com/lamasp/485b5f33b539cc9f83dd

lamasp commented 9 years ago

Also if possible, would prefer to see support for setting the counter via the one-shot chacha() method, rather than the incremental approach.

lamasp commented 9 years ago

Never mind - my problem was due to not adjusting the output parameter in chacha_final() with the byte count provided by chacha_update().

Would still like ability to set the internal counter via the one-shot call though (only way I can do it at the moment is via incremental and accessing the internal state).
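The output-offset mistake resolved in this thread, reproduced as an added example; this is not code from the thread or from chacha-opt. `demo_state`, `xor_block`, `demo_update`, `demo_final` and `run` are hypothetical stand-ins that assume the behaviour the issue reports: update writes only whole 64-byte blocks and returns that count, and final writes the buffered tail at the pointer it is given. With `fixed = 0` the tail lands on the start of the buffer, the same overwrite visible in the vector-3-inc output above.

```c
#include <stdint.h>
#include <string.h>

#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) (a += b, d ^= a, d = ROTL(d, 16), c += d, b ^= c, b = ROTL(b, 12), \
                        a += b, d ^= a, d = ROTL(d, 8), c += d, b ^= c, b = ROTL(b, 7))

/* Hypothetical stand-in state (not chacha-opt's): cipher words plus pending input. */
typedef struct { uint32_t s[16]; uint8_t buf[64]; size_t used; } demo_state;

/* XOR n <= 64 bytes with the next ChaCha20 keystream block, then bump the counter. */
static void xor_block(demo_state *st, const uint8_t *in, uint8_t *out, size_t n) {
    uint32_t x[16];
    memcpy(x, st->s, sizeof x);
    for (int i = 0; i < 10; i++) {
        QR(x[0], x[4], x[8], x[12]); QR(x[1], x[5], x[9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8], x[13]); QR(x[3], x[4], x[9], x[14]);
    }
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ (uint8_t)((x[i / 4] + st->s[i / 4]) >> (8 * (i % 4)));
    st->s[12]++;
}

/* Writes whole 64-byte blocks only and returns that byte count; the tail stays
   pending. Simplified to one update call per message. */
static size_t demo_update(demo_state *st, const uint8_t *in, uint8_t *out, size_t len) {
    size_t done = 0;
    for (; len - done >= 64; done += 64) xor_block(st, in + done, out + done, 64);
    st->used = len - done;
    memcpy(st->buf, in + done, st->used);
    return done;
}

/* Writes the pending tail starting at out[0] and returns its length. */
static size_t demo_final(demo_state *st, uint8_t *out) {
    size_t n = st->used;
    if (n) xor_block(st, st->buf, out, n);
    st->used = 0;
    return n;
}

/* Zero key/nonce, counter 0. fixed=1 advances out by update's return value;
   fixed=0 passes the buffer start to final, as in the report. */
static size_t run(const uint8_t *in, uint8_t *out, size_t len, int fixed) {
    demo_state st = {{0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}, {0}, 0};
    size_t n = demo_update(&st, in, out, len);
    return n + demo_final(&st, fixed ? out + n : out);
}
```

Both variants return the same total length, so a length check alone does not catch the mistake; only comparing the bytes against a one-shot result or a known vector does.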