One document matched: draft-irtf-cfrg-cwc-00.txt
Crypto Forum Research Group T. Kohno
Internet-Draft UC San Diego
Expires: October 14, 2003 J. Viega
Secure Software
D. Whiting
Hifn
April 14, 2003
The CWC-AES Dual-Use Mode
draft-irtf-cfrg-cwc-00.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 14, 2003.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
The CWC dual-use mode is a fast, parallelizable, provably secure and
patent-free mode of operation for providing both encryption and
message integrity. In this document we specify CWC for the AES block
cipher, though its principles can easily be applied to other block
ciphers.
Kohno, Viega, Whiting [Page 1]
Internet Draft March 2003
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1 Conventions Used in This Document . . . . . . . . . . . . . . 3
2. CWC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1 Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 The CWC-ENCRYPT operation . . . . . . . . . . . . . . . . . . 4
2.3 The CWC-DECRYPT operation . . . . . . . . . . . . . . . . . . 5
2.4 The CWC-CTR operation . . . . . . . . . . . . . . . . . . . . 5
2.5 The CWC-MAC operation . . . . . . . . . . . . . . . . . . . . 6
2.6 The CWC-HASH operation . . . . . . . . . . . . . . . . . . . . 6
2.7 The CWC-HPAD operation . . . . . . . . . . . . . . . . . . . . 7
3. Implementation Notes . . . . . . . . . . . . . . . . . . . . . 7
4. Hardware Performance . . . . . . . . . . . . . . . . . . . . . 8
5. Software Performance . . . . . . . . . . . . . . . . . . . . . 9
6. Intellectual Property Statements . . . . . . . . . . . . . . . 9
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7.1 Rekeying recommendations . . . . . . . . . . . . . . . . . . . 10
7.2 Weak Hash Keys . . . . . . . . . . . . . . . . . . . . . . . . 10
8. Interoperability Considerations . . . . . . . . . . . . . . . 10
9. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 11
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 18
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 18
Appendix A: Reference Code . . . . . . . . . . . . . . . . . . 19
1. Introduction
The Carter-Wegman + Counter dual-use mode (CWC mode) is a mode of
operation for providing both encryption and message integrity. This
mode is parallelizable, fast in both software and hardware (where it
can achieve speeds of 10 Gigabits per second), unencumbered by
patents and provably secure to a good bound under the assumption that
the underlying block cipher is a pseudo-random permutation.
This construct has the following benefits:
* CWC is fast in both software and hardware. In hardware it can
process 10Gbits/second using conventional ASIC technology, making
it an attractive choice for future 10Gbit/second links.
* CWC is parallelizable to an arbitrary degree, while maintaining
complete interoperability.
* CWC is a simple combination of well-known techniques, under a
well-understood model of combining those techniques. It is
basically the "generic composition" approach, except with a
Kohno, Viega, Whiting [Page 2]
Internet Draft March 2003
single block cipher key.
* CWC has provable security to very good bounds under standard
assumptions. For provable security, we use the AED notions
from [Rogaway].
* CWC only requires AES encryption. For example, hardware
implementations only need to implement an encryption module.
Software implementations can also avoid the memory overhead of
AES' 4 K decryption lookup table. CWC does, however, require
a multiplication unit.
* CWC can reject bogus messages without decrypting the ciphertext.
* CWC has minimal expansion (each ciphertext is as long as the
plaintext, with the addition of a message authenticator).
* CWC is unencumbered by patents to the best of our knowledge.
* CWC can authenticate both encrypted messages and associated
plaintext data such as headers. CWC still authenticates
properly if a message contains no plaintext headers, and if it
contains no ciphertext.
* CWC is well suited for memory-limited environments.
* CWC is designed to promote interoperability. That is, there is
a minimal set of parameters.
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. CWC
CWC is a generic mode of operation for block ciphers, and is
described in [CWC]. Here, we specify a binding of CWC mode for AES.
In this section, we will take a top-down approach. First, we will
specify the CWC encryption and decryption operations in terms of
high-level functions, and then we will specify each of the functions
we use in detail.
In this document, we will use || to represent string concatenation,
"" to denote the empty string and AES_K(M) to indicate applying AES
to a 128-bit message M, using key K. The underscore (_) indicates
Kohno, Viega, Whiting [Page 3]
Internet Draft March 2003
subscripts. Array indices all begin at 0. The function LEN(x)
returns the length of the input string in octets. Note that the
generic CWC mode allows arbitrary bit-length messages in a way that
is compatible with the specification in this document.
Additionally, the notation X[Y:Z] indicates a substring of octet
string X consisting of the consecutive octets of X from index Y to
Z-1. For example, evaluating X[0:3] where X is the octet string
"ABCDEFG" would yield "ABC".
The function CEILING(X) returns the smallest integer greater than or
equal to its argument.
2.1. Parameters
CWC takes two parameters:
Y, the AES key length to use in octets (16, 24 or 32).
Z, the size of the message authentication tag. That is, Z
determines how many octets are added at the end of the message
for purposes of modification detection. Z MUST be an even
number between 4 and 16. Implementations SHOULD allow for Z
being 16.
When parties are communicating with CWC mode, they SHOULD agree on
parameters authentically. Instantiations of CWC for AES MUST be
referred to as CWC-AES, with an indication of the key size in octets
and the tag size in octets. The tag size MAY be omitted if it is 16
octets. In the case where both the key and the tag are 16 octets,
both may be omitted. For example, CWC-AES-32 and CWC-AES-32-16 both
refer to AES in CWC mode, with 256-bit AES keys and a 16-octet tag.
2.2. The CWC-ENCRYPT operation
CWC-ENCRYPT takes the following inputs:
K, a key that is Y octets in length.
A, a string of arbitrary length consisting of data to be
authenticated, but not encrypted. The length of A MUST NOT
exceed 2^36-16 octets.
M, a string of arbitrary length consisting of the plaintext
message. This message will be both encrypted and
authenticated. The length of M MUST NOT exceed 2^36-16 octets.
N, a nonce, 11 octets in length. Each value of N MUST NOT be used
Kohno, Viega, Whiting [Page 4]
Internet Draft March 2003
more than once for any given key K. The layout of the nonce is
unspecified, but we recommend using part of the nonce for a
salt of at least 4 octets that is randomly chosen at key setup
time and using the rest for a message counter.
Note that the length restrictions on A and M are an implementation-
level decision specific to CWC-AES. Please see [CWC] for a
discussion of the considerations.
CWC-ENCRYPT is computed as follows:
1) C = CWC-CTR(K, N, M)
2) T = CWC-MAC(K, A, N, C)
3) OUTPUT = C || T
2.3. The CWC-DECRYPT operation
CWC-DECRYPT takes the following inputs:
K, a key that is Y octets in length.
A, a string of arbitrary length up to 2^36-16 octets, consisting of
data to be authenticated.
C, a string of arbitrary length up to 2^36-16+Z octets, consisting
of
ciphertext to be decrypted and authenticated.
N, a nonce of 11 octets in length, corresponding to the nonce for
encryption.
Note that if either A or C is longer than specified above,
authentication will fail, as no messages may be that long.
Implementations MAY explicitly check for overlong inputs and
reject them up front.
CWC-DECRYPT is computed as follows:
1) IF LEN(C) < Z THEN FAIL
2) C' = C[0 : LEN(C)-Z]
3) T' = C[LEN(C)-Z : LEN(C)]
4) T = CWC-MAC(K, A, N, C')
6) IF T <> T' THEN FAIL
7) OUTPUT = CWC-CTR(K, N, C')
2.4. The CWC-CTR operation
This use of counter mode uses a layout for plaintexts that is
Kohno, Viega, Whiting [Page 5]
Internet Draft March 2003
compatible with the draft specification of Integer Counter Mode
presented in [ICM].
The first two bits of the block being encrypted are used to
distinguish the different types of AES encryption. In the context of
the counter mode encryption, the first bit will always be 1, and the
second will always be 0. The next 6 bits are reserved, and must
always be zero. The next 11 octets consist of the nonce, and the
final 4 octets encode a counter in big endian format that indicates
which block of keystream is being produced by the current AES
operation.
Here's a visual representation of the octets in the counter plaintext
blocks:
0 1 2 3 4 5 6 7
+-------+-------+-------+-------+-------+-------+-------+-------+
| 0x80 | Nonce
+-------+-------+-------+-------+-------+-------+-------+-------+
Nonce (continued) | Counter |
+-------+-------+-------+-------+-------+-------+-------+-------+
8 9 10 11 12 13 14 15
CWC-CTR(K, N, M):
1) J = CEILING(LEN(M)/16)
2) S = ""
3) FOR I in 1 TO J: S = S || AES_K(0x80 || N || I)
4) OUTPUT = S[0:LEN(M)] XOR M
Note that, in step 3, the number I is represented as a string in big
endian format, and MUST be exactly 4 octets in length.
2.5. The CWC-MAC operation
The CWC-MAC operation takes the results of CWC-HASH and then performs
two post-processing AES operations. The first operation directly
encrypts the hash result. Note that, in a correct implementation,
the first bit of that plaintext will always be zero. The second AES
operation is identical to the operation in 2.4., with the counter
value set to 0.
CWC-MAC(K, A, N, C):
1) R = AES_K(CWC-HASH(K, A, C))
2) OUTPUT = (AES_K(0x80||N||0x00000000) XOR R)[0:Z]
2.6. The CWC-HASH operation
Kohno, Viega, Whiting [Page 6]
Internet Draft March 2003
This hash function is the traditional Carter-Wegman polynomial hash,
with a field of GF(2^127-1). In practice, this means that, for each
12 octets of the message (where those octets are treated like a
number in big endian notation), we add the message block to the
ongoing result, modulo 2^127-1. We then multiply by the hash key
(itself treated as a number), again modulo 2^127-1.
The result is the ongoing result, represented as a 16-octet big
endian value. The most significant bit will always be 0.
CWC-HASH(K, A, C):
1) Z = AES_K(0xC0000000000000000000000000000000) &
0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
2) X = CWC-HPAD(A) || CWC-HPAD(C)
3) B = LEN(X) / 12
4) OUTPUT = 0
5) FOR I FROM 0 TO B-1:
a) OUTPUT = OUTPUT + X[12*I : 12*I+12] MOD 2^127-1
b) OUTPUT = OUTPUT * Z MOD 2^127-1
6) OUTPUT = OUTPUT + (LEN(C) + 2^64*LEN(A)) MOD 2^127-1
Note that most implementations will want to compute Z at key setup
time, instead of recomputing it for each message.
2.7. The CWC-HPAD operation
The input to the hash function needs to be a multiple of 96 bits.
CWC-HPAD(STR):
1) OUTPUT = STR
2) WHILE LEN(OUTPUT) MOD 12: OUTPUT = OUTPUT + 0x00
3. Implementation Notes
This mode consists of counter mode encryption, and a MAC computed
over the ciphertext. Parallelization of the counter mode encryption
is straightforward, and the keystream can be precomputed once the
nonce is known. The hash key can be computed at key setup time. One
of the two AES operations for the MAC can be precomputed once the
nonce is known.
An efficient way to evaluate polynomials is to perform factoring
using Hoerner's rule. For example, the polynomial:
a*K^5 + b*K^4 + c*K^3 + +d*K^2 + e*K + LEN(A)*2^64 + LEN(C)
Kohno, Viega, Whiting [Page 7]
Internet Draft March 2003
Can be rewritten as the following expression:
(((((a)K + b)K + c)K + d)K + e)K + LEN(A)*2^64 + LEN(C)
Such a factoring approach saves numerous multiplications, which are
quite expensive.
Additionally, the CWC-hash computation is arbitrarily parallelizable.
For example, one might consider interleaving subsequent message
blocks to different processing units. For example, given the above
polynomial, we could instead use the following two (factored)
polynomials in K^2:
1) ((a*K^2 + c)K^2 + e)K
2) ((b*K^2 + d)K^2 + LEN(A)*2^64+LEN(C)
After we plug a message into each of the two polynomials and evaluate
them, adding the two results together will give the same result as
evaluating the original polynomial serially.
Clearly, if you expect to do this kind of parallelization, there is
great value in precomputing K^2 at key setup time.
Another thing to note is that many instruction sets have issues with
multiply speed that may suggest alternate implementations. For
example, the relative speed of a 32-bit integer multiply on Intel x86
hardware (in terms of the number of cycles that it takes to run) is
worse on Pentium 4s than it is on Pentium IIIs, which are worse than
Pentium II's. On Pentium 4s, it is more desirable to use either the
floating-point or XMM multiply operation instead of the integer
multiply, because it takes fewer cycles to run, can multiply two
numbers at once, and does not always introduce pipeline stalls.
On all recent Intel architectures, one can parallelize by factoring
as above, having one polynomial computed by the integer registers and
the other computed in the floating point registers. See [hash127]
for a description of how to calculate this hash using floating point
operations.
4. Hardware Performance
A driving motivation for this work was to construct a patent-free
dual-use mode capable of processing 10Gbits/second using conventional
ASIC technology. Such a patent-free dual-use mode is need for the
upcoming 10Gbit/second links.
Because CWC is parallelizable (as discussed above), it can achieve
10Gbits/second in conventional hardware.
Kohno, Viega, Whiting [Page 8]
Internet Draft March 2003
5. Software Performance
We have approximated the speed of AES-CTR mode using performance data
on the Internet, and timed the speed of a well-optimized version of
the underlying hash function. The remaining per-message operations
are two AES operations and an XOR, that can run in under 500 cycles
on a Pentium III.
The current fastest AES implementation is written in assembly and
encrypts at 14.125 cycles per octet. The counter increment and XOR
requires about an extra 1.25 cycles per octet.
We have produced an optimized C-based version of CWC mode, where the
CWC hash function runs at about 14 cycles per octet. A similar
assembly-based implementation will undoubtedly run faster than 10
cycles per octet.
Note that the hash function is similar to Bernstein's hash127, except
that it operates on unsigned 96-bit coefficients instead of signed
32-bit coefficients. The larger coefficients result in a couple of
cycles lost per byte, but otherwise the CWC hash can have similar
performance characteristics, if implemented in the same manner. On
Pentium 4 hardware, hash127 can run below 5 cycles per byte.
A straightforward x86 assembly implementation using no precomputation
and 32-bit multiplies runs slower than the fastest implementations of
AES, at just under 30 cycles per octet. A version using 64-bit
multiplies should run at speeds competitive with the hash127-style
approach.
The hash runs at approximately constant speed, unlike MD5. The
optimized implementation of the CWC hash is faster than an optimized
MD5 for small messages, but is about the same speed for messages 2K
octets in length or larger.
6. Intellectual Property Statements
The authors hereby explicitly release any intellectual property
rights to CWC mode into the public domain. Further, the authors are
not aware of any patent or patent application anywhere in the world
that covers this encryption mode. This mode is a simple combination
of two techniques that have been in the literature for over 20 years
(a polynomial universal hash and counter mode).
7. Security Considerations
The primary concern with CWC mode is that a K,N pair MUST NOT be
reused, otherwise the security properties of the mode are lost. To
Kohno, Viega, Whiting [Page 9]
Internet Draft March 2003
help prevent such disasters, we recommend that software APIs
implementing CWC-AES have a high-level API to prevent this kind of
problem. In protocols where new symmetric keys are randomly chosen
for each connection, such as TLS, this is not much of an issue.
However, it can be a problem when using fixed shared secrets in an
all-symmetric system. In such a case, you may have an abstract data
type representing a key, which contains a data field that notes how
many times the key has been used to key a cipher. Given such a base
key, an API might derive the actual CWC key for CWC-AES-16 by
encrypting the count with the given key.
A high-level API has other advantages, as well. For example, such an
API could perform automatic nonce management, particularly providing
defense against capture-replay attacks.
There is a proof showing that CWC is secure to very good bounds,
assuming that the underlying block cipher acts as a pseudo-random
permutation. Modern block ciphers, including AES, are believed to be
pseudo-random. In our proofs, we use the authenticated encryption
with associated data (AEAD) privacy and integrity notions defined in
[Rogaway]. See [CWC] for details.
7.1. Rekeying recommendations
Applications SHOULD rekey at least once every 2^48 messages.
7.2. Weak Hash Keys
The all-bits-zero hash key and the all-bits-one hash key are both
weak. The odds of selecting one of these two keys are so small that
this is not a problem to worry about. In fact, the presence of these
two keys is considered in the proof of security of the hash function.
Implementations MUST NOT detect this condition.
8. Interoperability Considerations
There is one obvious modification to CWC-AES that people may be
useful to those in resource constrained environments. In this
section, we will discuss this extension, and outline how one SHOULD
use it, if desirable. However, if implementing this change, the
result MUST NOT be referred to as "CWC-AES" (it is sufficient to
refer to it as a variant, however).
Some environments (e.g., 16-bit environments) may wish to use key
sizes smaller than 127 bits in order to save in the number of
multiplications that need to be performed. This can be accomplished
by setting the most significant hash keys to zero, until a key of the
Kohno, Viega, Whiting [Page 10]
Internet Draft March 2003
desired length is derived. For example, if you wish to use 64-bit
keys, you could derive the hash key as follows:
AES_K(0xC0000000000000000000000000000000) &
0x0000000000000000FFFFFFFFFFFFFFFF
Using shorter hash keys does, however, significantly decrease the
mode's resistance to forgery attacks.
9. Test Vectors
Vector #1: CWC-AES-16
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 2B 9E AE BE 67 3F AE 03 6B 16 EA 31 DC A7 AE 6B
AES(HVAL): FC DC 06 4C CD CA FE E3 DE 7A A3 CF 5C 5D B9 7B
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 57 55 DB A5 09 9F 3F 1D
60 04 44 97 DE 89 33 A9
Vector #2: CWC-AES-24
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 40 E6 24 83 4B 27 9A 7B 15 42 C7 FE 29 EB 29 A3
AES(HVAL): 69 CC 0E 3D 96 98 EB 75 1F 06 A5 90 9B C2 4F 5A
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 AF 7A FA 0E 6F 8A D2 3A
75 8A 1C 43 69 B9 43 28
Vector #3: CWC-AES-32
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
Kohno, Viega, Whiting [Page 11]
Internet Draft March 2003
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
HASH VALUE: 18 99 E1 A6 1E 6E 37 65 C6 3A 41 99 56 8C D1 BF
AES(HVAL): 1C 56 65 0A 22 BC B5 94 AC F3 CA 24 46 03 B8 5E
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 8E 5C 5E 4C A0 99 A3 65
F6 50 D1 8A CB E8 CA FE
Vector #4: CWC-AES-16
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 2E A9 2A A5 28 B1 1C 08 1C C8 2F 24 9B E4 19 8D
AES(HVAL): EA 54 F8 3D 56 7F 53 05 88 B1 EA 96 36 79 CD AC
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 41 DD 25 D4 92 2A 92 FB
36 CF 0D CE B4 AD 47 7E
Vector #5: CWC-AES-24
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 60 3F FC 24 71 64 2E D9 57 E1 B1 EA F2 F8 B0 34
AES(HVAL): D8 39 86 2A 33 5A 54 68 C8 16 DA 47 69 A2 10 EB
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 1E 8F 72 19 CA 48 6D 27
A2 9A 63 94 9B D9 1C 99
Vector #6: CWC-AES-32
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
Kohno, Viega, Whiting [Page 12]
Internet Draft March 2003
HASH VALUE: 0A C6 B1 39 57 7F 26 DA 94 16 42 E1 6D 73 EC B5
AES(HVAL): 4B A5 AD 1E 74 A2 C5 BE AB D0 DA 4D F4 29 83 0C
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B D9 AF 96 58 F6 87 D3 4F
F1 73 C1 E3 79 C2 F1 AC
Vector #7: CWC-AES-16
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 79 00 74 72 E1 C8 36 96 ED 7A B1 F9 03 6E 94 8B
AES(HVAL): 2B 0F 24 69 B1 2B BE 39 C9 40 67 BA F1 25 E2 5B
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 80
86 F9 80 75 7E 7F C7 77 3E 80 E2 73 F1 68 89
Vector #8: CWC-AES-24
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 2C 5E 3A A4 37 1C 27 D6 E8 6B 76 DC 3D 93 BC 87
AES(HVAL): 48 6E 9C E5 C3 16 3E A6 9C D4 D7 E2 7C 9D 92 D2
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 8E
D8 68 D6 3A 04 07 E9 F6 58 6E 31 8E E6 9E A0
Vector #9: CWC-AES-32
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
HASH VALUE: 4A 70 29 CC 58 25 52 CB 75 AD C9 60 FF B3 F7 55
AES(HVAL): 2B 64 0E 02 CE 51 DE 22 B2 0F 2A 8D C4 23 CD C0
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
Kohno, Viega, Whiting [Page 13]
Internet Draft March 2003
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B9
6E 35 44 4C 74 C8 D3 E8 AC 31 23 49 C8 BF 60
Vector #10: CWC-AES-16
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 51 AE 9D 7E 86 BD E0 B2 AA 18 2C 91 87 0A 9C A5
AES(HVAL): DF 48 30 BD 1D DC E0 59 B1 C2 0B 29 01 4F 80 10
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 74
C1 ED 54 D9 89 21 A7 0F BC EC 71 83 9B 0A C2
Vector #11: CWC-AES-24
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 51 60 E7 81 DC 64 F9 CD 54 BA 02 40 A2 E8 EE 99
AES(HVAL): A0 30 58 13 22 B6 80 53 64 B0 3E 52 41 D2 2D 0A
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 66
86 AC 20 DB A4 B9 1C 0E 3C 87 81 B3 A9 21 78
Vector #12: CWC-AES-32
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
HASH VALUE: 3F F5 0C 60 E6 01 7A 3C A1 BB B3 54 65 02 85 7C
AES(HVAL): 3E EF A2 E4 97 91 82 86 73 0C F6 E9 46 2C CA 15
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 AC
Kohno, Viega, Whiting [Page 14]
Internet Draft March 2003
E5 99 A2 15 B4 94 77 29 AF ED 47 CB C7 B8 B5
Vector #13: CWC-AES-16
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 58 D5 28 89 4F 1F 6A 52 A6 44 FA 69 65 C0 73 A6
AES(HVAL): A3 9E F3 6F 67 1F FA F8 71 0C 83 BB 49 A6 6E BC
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 0F
48 5B 82 64 6E CF B9 F9 A0 B0 75 4F D5 94 36 5A
08 17 2E 86 A3 4A 3B 06 CF 72 64 E3 CB 72 E4 6E
Vector #14: CWC-AES-24
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 0D 0A D2 78 1E 8F E8 47 00 85 31 28 B1 E3 49 3A
AES(HVAL): 5A 05 AA 45 88 06 A9 C1 DC 5A F6 AF 6F 8F EC F6
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 A3
A4 C4 70 6D 40 41 F4 F9 58 E1 3F D0 D7 60 4D 1E
9C B3 5E 76 71 14 90 8E B6 D6 4F 7C 9D F4 E0 84
Vector #15: CWC-AES-32
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
HASH VALUE: 02 F2 DA E9 83 72 0E BC DC 77 89 3B 67 CB 3D B7
AES(HVAL): B7 F6 AE DE A3 95 35 FE 03 93 08 DF E0 C7 F1 78
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
Kohno, Viega, Whiting [Page 15]
Internet Draft March 2003
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B5
D2 41 06 CA 5D EB 80 A7 B5 71 0A 38 A4 39 8D BA
25 FC 95 98 21 B0 23 0F 59 30 13 71 6D 2C 83 D8
Vector #16: CWC-AES-16
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 05 EE B6 CB DF A6 E5 B8 4C 65 DD F4 8C C8 25 23
AES(HVAL): 62 E5 23 FE 48 8F BC 14 E3 77 15 6C 4D 0F D0 8B
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 0F
48 5B 82 64 6E CF B9 F9 A0 B0 75 4F D5 94 36 5A
C9 6C FE 17 8C DA 7D EA 5D 09 F2 34 CF DB 5A 59
Vector #17: CWC-AES-24
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 10 E1 48 E2 D0 68 39 EC C4 0A 6C A3 D6 8B 47 54
AES(HVAL): 23 0A 37 C3 48 7C 9F 76 05 B9 5D 1A 21 D5 D5 FD
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 A3
A4 C4 70 6D 40 41 F4 F9 58 E1 3F D0 D7 60 4D 1E
E5 BC C3 F0 B1 6E A6 39 6F 35 E4 C9 D3 AE D9 8F
Vector #18: CWC-AES-32
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
Kohno, Viega, Whiting [Page 16]
Internet Draft March 2003
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
HASH VALUE: 09 4D C5 21 94 79 E0 58 4E E9 C1 2C 29 6A E3 A4
AES(HVAL): E9 69 49 47 09 07 62 3B A9 8D AD 51 9F D5 D1 F7
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B5
D2 41 06 CA 5D EB 80 A7 B5 71 0A 38 A4 39 8D BA
7B 63 72 01 8B 22 74 CA F3 2E B6 FF 12 3E A3 57
9. Acknowledgements
We would like to thank Peter Gutmann, David McGrew, and David Wagner
for their comments on this document. Additionally, we would like to
thank Brian Gladman for helping to validate our test vectors and for
providing us timing information for an optimized CWC implementation.
Tadayoshi Kohno was supported by a National Defense Science and
Engineering Fellowship.
References
[CWC] Kohno, T., Viega, J. and Whiting, D. "A Carter-Wegman
and Counter-Based Dual-Use Mode (CWC)". Manuscript,
February, 2003.
[hash127] Bernstein, D.J. "Floating-point arithmetic and
message authentication".
http://cr.yp.to/hash127.html
[ICM] McGrew, D. "Integer Counter Mode", Internet Draft,
October, 2003. http://www.ietf.org/internet-drafts/
draft-irtf-cfrg-icm-00.txt
[PolyR] Krovetz, T. and Rogaway, P., "Fast universal hashing
with small keys and no preprocessing: the PolyR
construction". Proceedings of Information Security
and Cryptology - ICICS 2000, Lecture Notes in
Computer Science, vol 2015, D.H. Won, ed.,
Springer-Verlag, 2000.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels," RFC 2119, March 1997.
[Rogaway] Rogaway, P., "Authenticated encryption with
associated data." Proceedings of the 9th ACM
Conference on Computer and Communications Security,
Nov. 2002.
Kohno, Viega, Whiting [Page 17]
Internet Draft March 2003
Authors' Addresses:
Tadayoshi Kohno
Department of Computer Science and Engineering
University of California at San Diego
9500 Gilman Drive, MC 0114
La Jolla, CA 92093-0114
Phone: +1 858-822-2977
EMail: tkohno@cs.ucsd.edu
John Viega
Secure Software, Inc.
6066 Leesburg Pike, Suite 500
Falls Church, VA 22041
Phone: +1 703-998-1512
EMail: viega@securesoftware.com
Doug Whiting
Hifn
EMail: dwhiting@hifn.com
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Kohno, Viega, Whiting [Page 18]
Internet Draft March 2003
Appendix A: Reference Code
This reference code is not meant to be fast. Instead, it is meant to
be reasonably easy to understand, to help clarify the algorithm. See
[hash127] and [PolyR] for suggestions on efficient implementations of
the underlying hash function.
If you wish to use a pre-existing implementation, there are likely to
be suitable implementations faster than this one. See a list of
known implementations at: http://www.zork.org/cwc
This reference code needs a working AES implementation. It requires
you to define three macros. We provide implementations of those
macros using the AES implementation found in OpenSSL versions 0.9.7
and later. Note that, if using OpenSSL, one should also include the
header file <openssl/aes.h>.
#include <arpa/inet.h> /* For htonl() */
/* These typedefs must change when appropriate for the architecture. */
typedef unsigned int uint32;
typedef unsigned long long uint64;
/* The type alias AES_KS_T must be set to the type of the AES key
* schedule you're using.
*/
typedef AES_KEY AES_KS_T;
/* This macro must implement the basic AES key expansion operation for
* ECB encryption. The parameters are a key, the bit length of the
* key and a pointer to a key schedule to use for output.
*/
#define CWC_AES_SETUP(key, bitlen, ks) AES_set_encrypt_key(key, bitlen, ks)
/* This macro must implement the basic AES block encryption operation.
* It takes a pointer to a key schedule, a pointer to an input block
* and a pointer to the output block.
*/
#define CWC_AES_ENCRYPT(ks, in, out) AES_encrypt(in, out, ks)
typedef unsigned char uchar;
typedef struct {
uint32 hashkey[4];
AES_KS_T aeskey;
} cwc_t;
/* The public API. */
/* Warning: cwc_init zeros out the key before exiting! */
Kohno, Viega, Whiting [Page 19]
Internet Draft March 2003
int cwc_init(cwc_t ctx[1], uchar key[], int keybits);
void cwc_encrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar pt[],
uint32 ptlen, uchar nonce[11], uchar output[]);
int cwc_decrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar ct[],
uint32 ctlen, uchar nonce[11], uchar output[]);
void cwc_cleanup(cwc_t ctx[1]);
/* Private prototypes. */
static void cwc_ctr(cwc_t ctx[1], uchar p[], uint32 plen, uchar
nonce[11],
uchar output[]);
static void cwc_mac(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[],
uint32 plen, uchar nonce[11], uchar output[16]);
static void cwc_hash(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[],
uint32 plen, uchar output[16]);
static void cwc_memset(volatile void *dst, int c, uint32 len) {
volatile char *buf = (volatile char *)dst;
while(len--) buf[len] = c;
}
/* This always takes in a 96-bit input and produces a 128-bit
* output.
*/
static void cwc_str2int(uchar buf[], uint32 res[4]) {
res[0] = 0;
res[1] = htonl(((uint32 *)buf)[0]);
res[2] = htonl(((uint32 *)buf)[1]);
res[3] = htonl(((uint32 *)buf)[2]);
}
static void cwc_mod_add(uint32 a[4], uint32 res[4]) {
int i, carry[4] = {0,};
for (i=0;i<4;i++) {
res[i] += a[i];
if (res[i] < a[i])
carry[i-1] = 1;
}
if (res[0] & 0x80000000) {
carry[3] = 1;
res[0] &= 0x7fffffff;
}
while (i--) {
if (carry[i]) {
res[i] += carry[i];
if (res[i] < carry[i])
Kohno, Viega, Whiting [Page 20]
Internet Draft March 2003
carry[i-1]++;
}
}
}
static void cwc_multiply_128(uint32 a[4], uint32 b[4], uint32 res[8]) {
int i, j;
uint32 upper, lower, carry[8] = {0,};
uint64 tmp;
cwc_memset(res, 0, sizeof(uint32)*8);
for (i=0;i<4;i++) {
for (j=0;j<4;j++) {
tmp = (uint64)(a[i]) * (uint64)(b[j]);
upper = tmp >> 32;
lower = tmp & 0xffffffff;
res[i+j] += upper;
if (res[i+j] < upper)
carry[i+j-1]++;
res[i+j+1] += lower;
if (res[i+j+1] < lower)
carry[i+j]++;
}
}
i = 8;
while (i--) {
res[i] += carry[i];
if (carry[i] > res[i])
carry[i-1]++;
}
}
static void cwc_mod_256(uint32 v[8]) {
int i;
for (i=0;i<4;i++) {
v[i] <<= 1;
v[i] |= v[i+1] >> 31;
}
v[4] &= 0x7fffffff;
cwc_mod_add(v,v+4);
}
static void cwc_mod_mul(uint32 a[4], uint32 res[4]) {
uint32 b[8] = {0,};
cwc_multiply_128(a, res, b);
cwc_mod_256(b);
Kohno, Viega, Whiting [Page 21]
Internet Draft March 2003
res[0] = b[4]; res[1] = b[5]; res[2] = b[6]; res[3] = b[7];
}
/* Warning: This zeros out the key before exiting! */
int cwc_init(cwc_t ctx[1], uchar key[], int keybits) {
uchar hashkey[16];
uchar hash_generator[16] = {0xC0, }; /* all zeros after byte 1... */
if (keybits != 128 && keybits != 192 && keybits != 256)
return 0;
CWC_AES_SETUP(key, keybits, &ctx->aeskey);
CWC_AES_ENCRYPT(&ctx->aeskey, hash_generator, hashkey);
hashkey[0] &= 0x7F;
ctx->hashkey[0] = htonl(((uint32 *)hashkey)[0]);
ctx->hashkey[1] = htonl(((uint32 *)hashkey)[1]);
ctx->hashkey[2] = htonl(((uint32 *)hashkey)[2]);
ctx->hashkey[3] = htonl(((uint32 *)hashkey)[3]);
cwc_memset(key, 0, keybits/8);
return 1;
}
void cwc_encrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar pt[],
uint32 ptlen, uchar nonce[11], uchar output[]) {
cwc_ctr(ctx, pt, ptlen, nonce, output);
cwc_mac(ctx, a, alen, output, ptlen, nonce, output+ptlen);
}
int cwc_decrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar ct[],
uint32 ctlen, uchar nonce[11], uchar output[]) {
uchar checktag[16];
int i;
if (ctlen < 16)
return 0;
cwc_mac(ctx, a, alen, ct, ctlen-16, nonce, checktag);
for (i=1;i<=16;i++)
if (ct[ctlen-i] != checktag[16-i])
return 0;
cwc_ctr(ctx, ct, ctlen-16, nonce, output);
return 1;
}
void cwc_cleanup(cwc_t *ctx) {
cwc_memset((void *)ctx, 0, sizeof(cwc_t));
}
static void cwc_ctr(cwc_t ctx[1], uchar p[], uint32 plen, uchar
Kohno, Viega, Whiting [Page 22]
Internet Draft March 2003
nonce[11],
uchar output[]) {
uchar last[16], ctrblk[16] = {0x80,};
uint32 i, l = plen/16;
memcpy(ctrblk+1, nonce, 11);
ctrblk[15] = 0x01;
for (i=0;i<l;i++) {
CWC_AES_ENCRYPT(&ctx->aeskey, ctrblk, output);
((uint32 *)output)[0] ^= ((uint32 *)p)[0];
((uint32 *)output)[1] ^= ((uint32 *)p)[1];
((uint32 *)output)[2] ^= ((uint32 *)p)[2];
((uint32 *)output)[3] ^= ((uint32 *)p)[3];
output += 16;
p += 16;
/* On a big endian box we could simply do one 32 bit increment. */
if (!++ctrblk[15])
if (!++ctrblk[14])
if (!++ctrblk[13])
++ctrblk[12];
}
l = plen%16;
if (l) {
CWC_AES_ENCRYPT(&ctx->aeskey, ctrblk, last);
for (i=0;i<l;i++)
output[i] = last[i] ^ p[i];
}
}
static void cwc_mac(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[],
uint32 plen, uchar nonce[11], uchar output[16]) {
uchar hashvalue[16], encrhash[16], ctrblk[16] = {0x80,};
int i;
cwc_hash(ctx, a, alen, p, plen, hashvalue);
CWC_AES_ENCRYPT(&ctx->aeskey, hashvalue, encrhash);
memcpy(ctrblk+1, nonce, 11);
CWC_AES_ENCRYPT(&ctx->aeskey, ctrblk, output);
for (i=0;i<16;i++)
output[i] ^= encrhash[i];
}
static void cwc_hash(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[],
uint32 plen, uchar out[16]) {
uint32 i, lo;
uint32 t[4], res[4] = {0,};
uchar padblock[12];
Kohno, Viega, Whiting [Page 23]
Internet Draft March 2003
for (i=0;i<alen/12;i++) {
cwc_str2int(a+i*12, t);
cwc_mod_add(t, res);
cwc_mod_mul(ctx->hashkey, res);
}
lo = alen%12;
if (lo) {
a = a+i*12;
for (i=0;i<lo;i++)
padblock[i] = *a++;
for (;i<12;i++)
padblock[i] = 0;
cwc_str2int(padblock, t);
cwc_mod_add(t, res);
cwc_mod_mul(ctx->hashkey, res);
}
for (i=0;i<plen/12;i++) {
cwc_str2int(p+i*12, t);
cwc_mod_add(t, res);
cwc_mod_mul(ctx->hashkey, res);
}
lo = plen%12;
if (lo) {
p = p+i*12;
for (i=0;i<lo;i++)
padblock[i] = *p++;
for (;i<12;i++)
padblock[i] = 0;
cwc_str2int(padblock, t);
cwc_mod_add(t, res);
cwc_mod_mul(ctx->hashkey, res);
}
t[0] = t[2] = 0;
t[1] = alen;
t[3] = plen;
cwc_mod_add(t, res);
for (i=0;i<4;i++)
((uint32 *)out)[i] = htonl(res[i]);
}
Kohno, Viega, Whiting [Page 24]
| PAFTECH AB 2003-2026 | 2026-04-24 03:06:35 |