jedisct1 / aegis-X

The AEGIS-128X and AEGIS-256X high performance ciphers.

Possible incorrect finalization? #1

Closed theakman2 closed 1 year ago

theakman2 commented 1 year ago

This appears incorrect: https://github.com/jedisct1/aegis-128X/blob/master/implementations/128x/zig/src/main-x4.zig#L145

The code is currently:

const tag32 = s[0].xorBlocks(s[1]).xorBlocks(s[2]).xorBlocks(s[3]).xorBlocks(s[4]).xorBlocks(s[5]).xorBlocks(s[5]).toBytes();

Shouldn't the last xorBlocks be s[6]?

main.zig has the same issue.

jedisct1 commented 1 year ago

Not a typo :) This is how it's defined in the specification, and implemented everywhere.

The original paper indeed adds all the blocks, but the code submitted to the competition ignores the last one. The specification and all the test vectors use that finalisation function to remain compatible with what is already deployed.

It doesn't make a practical difference. In fact, using a single block of the key stream would be enough as an authenticator. As mentioned in the response to the CAESAR judges, the purpose of the addition is just to "increase randomness".

theakman2 commented 1 year ago

Fair enough, thanks for looking into it. It didn't match the aegis128l implementations I'd come across so I thought something might be off.

jedisct1 commented 1 year ago

This is surprising. What implementations are using a different finalization function?

jedisct1 commented 1 year ago

Oh, I see what you mean, sorry for the confusion.

I thought you were referring to the last block.

xorBlocks(s[5]).xorBlocks(s[5]) is indeed a typo, and should be xorBlocks(s[5]).xorBlocks(s[6]).

Good catch!

This is fixed in e5e91202424f06d6f4d0768d629d6ffcbdcaceba

Thanks again!

I'll submit a new revision of the paper with updated test vectors soon.
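Added example, not part of the thread or the project's code: a sensitivity check that reports which state blocks a tag fold ignores, run on the index sequence quoted in the report and on the corrected one. It assumes the state is modelled as eight 16-byte blocks; the function names and the sample state are constructed for this illustration.

```python
import os
from functools import reduce

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def fold(state, indices):
    """XOR together the state blocks selected by `indices`, in order."""
    return reduce(xor, (state[i] for i in indices))

# Index sequences taken from the thread: the line as reported, and the fix.
REPORTED = (0, 1, 2, 3, 4, 5, 5)
FIXED = (0, 1, 2, 3, 4, 5, 6)

def reported_tag(state):
    return fold(state, REPORTED)

def fixed_tag(state):
    return fold(state, FIXED)

def ignored_blocks(tag_fn, n_blocks=8, block_len=16):
    """Return the indices of state blocks that never influence tag_fn.

    One bit is flipped in each block in turn. The fold is linear over XOR,
    so a single flipped bit per block is enough to decide dependence.
    """
    state = [os.urandom(block_len) for _ in range(n_blocks)]  # constructed sample state
    base = tag_fn(state)
    flip = b"\x01" + bytes(block_len - 1)
    ignored = []
    for i in range(n_blocks):
        mutated = list(state)
        mutated[i] = xor(state[i], flip)
        if tag_fn(mutated) == base:
            ignored.append(i)
    return ignored

if __name__ == "__main__":
    # s[5] XORed twice cancels itself, and s[6] is never read.
    print("reported line ignores blocks:", ignored_blocks(reported_tag))
    # Only the last block is left out, as described in the first reply.
    print("fixed line ignores blocks:   ", ignored_blocks(fixed_tag))
```

A check of this shape catches the duplicated index without needing test vectors, which matters here because the vectors were generated from the same code.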