Closed theakman2 closed 1 year ago
Not a typo :) This is how it's defined in the specification, and implemented everywhere.
The original paper indeed adds all the blocks, but the code submitted to the competition ignores the last one. The specification and all the test vectors use that finalisation function to remain compatible with what is already deployed.
It doesn't make a practical difference. In fact, using a single block of the key stream would be enough as an authenticator. As mentioned in the response to the CAESAR judges, the purpose of the addition is just to "increase randomness".
Fair enough, thanks for looking into it. It didn't match the aegis128l implementations I'd come across so I thought something might be off.
This is surprising. What implementations are using a different finalization function?
Oh, I see what you mean, sorry for the confusion.
I thought you were referring to the last block.
xorBlocks(s[5]).xorBlocks(s[5]) is indeed a typo, and should be xorBlocks(s[5]).xorBlocks(s[6]).
Good catch!
This is fixed in e5e91202424f06d6f4d0768d629d6ffcbdcaceba
Thanks again!
I'll submit a new revision of the paper with updated test vectors soon.
This appears incorrect: https://github.com/jedisct1/aegis-128X/blob/master/implementations/128x/zig/src/main-x4.zig#L145
The code is currently:
Shouldn't the last xorBlocks be s[6]? main.zig has the same issue.