One document matched: draft-irtf-cfrg-cwc-01.txt
Differences from draft-irtf-cfrg-cwc-00.txt
Crypto Forum Research Group T. Kohno
Internet-Draft UC San Diego
Expires: November 20, 2003 J. Viega
Secure Software
D. Whiting
Hifn
May 20, 2003
The CWC-AES Dual-Use Mode
draft-irtf-cfrg-cwc-01.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 20, 2003.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
The CWC dual-use mode is a fast, parallelizable, provably secure and
patent-free mode of operation for providing both encryption and
message integrity. In this document we specify CWC for the AES block
cipher, though its principles can easily be applied to other block
ciphers.
Kohno, Viega, Whiting [Page 1]
Internet Draft May 2003
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1 Conventions Used in This Document . . . . . . . . . . . . . . 3
2. CWC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1 Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 The CWC-ENCRYPT operation . . . . . . . . . . . . . . . . . . 4
2.3 The CWC-DECRYPT operation . . . . . . . . . . . . . . . . . . 5
2.4 The CWC-CTR operation . . . . . . . . . . . . . . . . . . . . 5
2.5 The CWC-MAC operation . . . . . . . . . . . . . . . . . . . . 6
2.6 The CWC-HASH operation . . . . . . . . . . . . . . . . . . . . 6
2.7 The CWC-HPAD operation . . . . . . . . . . . . . . . . . . . . 7
3. Implementation Notes . . . . . . . . . . . . . . . . . . . . . 7
4. Hardware Performance . . . . . . . . . . . . . . . . . . . . . 8
5. Software Performance . . . . . . . . . . . . . . . . . . . . . 9
6. Intellectual Property Statements . . . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7.1 Rekeying recommendations . . . . . . . . . . . . . . . . . . . 10
7.2 Weak Hash Keys . . . . . . . . . . . . . . . . . . . . . . . . 11
8. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 11
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17
Normative References . . . . . . . . . . . . . . . . . . . . . 17
Informative References . . . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 18
Appendix A: Reference Code . . . . . . . . . . . . . . . . . . 18
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 24
1. Introduction
The Carter-Wegman + Counter dual-use mode (CWC mode) is a mode of
operation for providing both encryption and message integrity. This
mode is parallelizable, fast in both software and hardware (where it
can achieve speeds of 10 Gigabits per second), unencumbered by
patents and provably secure to a good bound under the assumption that
the underlying block cipher is a pseudo-random permutation. To the
best of our knowledge, CWC is currently the only such mode of
operation that simultaneously has all of these properties.
This construct has the following benefits:
* CWC is fast in both software and hardware. In hardware it can
process 10Gbits/second using conventional ASIC technology, making
it an attractive choice for future 10Gbit/second links.
* CWC is parallelizable to an arbitrary degree, while maintaining
complete interoperability.
* CWC is a simple combination of well-known techniques, under a
Kohno, Viega, Whiting [Page 2]
Internet Draft May 2003
well-understood model of combining those techniques. It is
basically the "generic composition" approach, except with a
single block cipher key.
* CWC has provable security to very good bounds under standard
assumptions. For provable security, we use the AEAD notions
from [Rogaway].
* CWC only requires AES encryption. For example, hardware
implementations only need to implement an encryption module.
CWC does, however, require a multiplication unit.
* CWC can reject bogus messages without decrypting the ciphertext.
* CWC has minimal expansion (each ciphertext is as long as the
plaintext, with the addition of a message authenticator).
* CWC is unencumbered by patents to the best of our knowledge.
* CWC can authenticate both encrypted messages and associated
plaintext data such as headers. CWC still authenticates
properly if a message contains no plaintext headers, and if it
contains no ciphertext.
* CWC can be implemented using only a modest amount of memory.
* CWC is designed to promote interoperability. That is, there is
a minimal set of parameters.
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. CWC
CWC is a generic mode of operation for block ciphers, and is
described in [CWC]. Here, we specify a binding of CWC mode for AES
[AES].
In this section, we will take a top-down approach. First, we will
specify the CWC encryption and decryption operations in terms of
high-level functions, and then we will specify each of the functions
we use in detail.
In this document, we will use || to represent string concatenation,
"" to denote the empty string and AES_K(M) to indicate applying AES
Kohno, Viega, Whiting [Page 3]
Internet Draft May 2003
to a 128-bit message M, using key K. The underscore (_) indicates
subscripts. Array indices all begin at 0. The function LEN(x)
returns the length of the input string in octets. Note that the
generic CWC mode allows arbitrary bit-length messages in a way that
is compatible with the specification in this document.
Additionally, the notation X[Y:Z] indicates a substring of octet
string X consisting of the consecutive octets of X from index Y to
Z-1. For example, evaluating X[0:3] where X is the octet string
"ABCDEFG" would yield "ABC".
The function CEILING(X) returns the smallest integer greater than or
equal to its argument.
2.1. Parameters
CWC takes two parameters:
Y, the AES key length to use in octets (16, 24 or 32).
Z, the size of the message authentication tag. That is, Z
determines how many octets are added at the end of the message
for purposes of modification detection. Implementations MUST
support a value of 16 for Z. Implementations MAY support other
values, which MUST be between 4 and 16, inclusive.
When parties are communicating with CWC mode, they SHOULD agree on
parameters authentically. Instantiations of CWC for AES SHOULD be
referred to as CWC-AES, with an indication of the key size in bits
and the tag size in bits. The tag size MAY be omitted if it is 128
bits. In the case where both the key and the tag are 128 bits, both
may be omitted. For example, CWC-AES-256 and CWC-AES-256-128 both
refer to AES in CWC mode, with 256-bit AES keys and a 128-bit tag.
2.2. The CWC-ENCRYPT operation
CWC-ENCRYPT takes the following inputs:
K, a key that is Y octets in length.
A, a string of arbitrary length consisting of data to be
authenticated, but not encrypted. The length of A SHOULD NOT
exceed 2^36-16 octets.
M, a string of arbitrary length consisting of the plaintext
message. This message will be both encrypted and
authenticated. The length of M SHOULD NOT exceed 2^36-16
Kohno, Viega, Whiting [Page 4]
Internet Draft May 2003
octets.
N, a nonce, 11 octets in length. Each value of N SHOULD NOT be used
more than once for any given key K, as reusing values of N can
lead to critical security failures. The layout of the nonce is
unspecified, but we recommend using part of the nonce for a
salt of at least 4 octets that is randomly chosen at key setup
time and using the rest for a message counter.
Please see [CWC] for discussions on why the nonce is 11 octets long
and why A and M are limited to 2^36-16 octets (or 2^32-1 blocks).
CWC-ENCRYPT is computed as follows:
1) C = CWC-CTR(K, N, M)
2) T = CWC-MAC(K, A, N, C)
3) OUTPUT = C || T
2.3. The CWC-DECRYPT operation
CWC-DECRYPT takes the following inputs:
K, a key that is Y octets in length.
A, a string of arbitrary length up to 2^36-16 octets, consisting of
data to be authenticated.
C, a string of arbitrary length up to 2^36-16+Z octets, consisting
of ciphertext to be decrypted and authenticated.
N, a nonce of 11 octets in length, corresponding to the nonce for
encryption.
If either A or C is longer than specified above, authentication will
fail, as no messages may be that long.
CWC-DECRYPT is computed as follows:
1) IF LEN(C) < Z THEN FAIL
2) C' = C[0 : LEN(C)-Z]
3) T' = C[LEN(C)-Z : LEN(C)]
4) T = CWC-MAC(K, A, N, C')
6) IF T <> T' THEN FAIL
7) OUTPUT = CWC-CTR(K, N, C')
2.4. The CWC-CTR operation
This use of counter mode uses a layout for plaintexts that is
Kohno, Viega, Whiting [Page 5]
Internet Draft May 2003
compatible with the draft specification of Integer Counter Mode
presented in [ICM].
The first two bits of the block being encrypted are used to
distinguish the different types of AES encryption. In the context of
the counter mode encryption, the first bit will always be 1, and the
second will always be 0. The next 6 bits are reserved, and must
always be zero. The next 11 octets consist of the nonce, and the
final 4 octets encode a counter in big endian format that indicates
which block of keystream is being produced by the current AES
operation.
Here's a visual representation of the octets in the counter plaintext
blocks:
0 1 2 3 4 5 6 7
+-------+-------+-------+-------+-------+-------+-------+-------+
| 0x80 | Nonce
+-------+-------+-------+-------+-------+-------+-------+-------+
Nonce (continued) | Counter |
+-------+-------+-------+-------+-------+-------+-------+-------+
8 9 10 11 12 13 14 15
CWC-CTR(K, N, M):
1) J = CEILING(LEN(M)/16)
2) S = ""
3) FOR I in 1 TO J: S = S || AES_K(0x80 || N || I)
4) OUTPUT = S[0:LEN(M)] XOR M
Note that, in step 3, the number I is represented as a string in big
endian format, and MUST be exactly 4 octets in length.
2.5. The CWC-MAC operation
The CWC-MAC operation takes the results of CWC-HASH and then performs
two post-processing AES operations. The first operation directly
encrypts the hash result. Note that, in a correct implementation,
the first bit of that plaintext will always be zero. The second AES
operation is identical to the operation in 2.4., with the counter
value set to 0.
CWC-MAC(K, A, N, C):
1) R = AES_K(CWC-HASH(K, A, C))
2) OUTPUT = (AES_K(0x80||N||0x00000000) XOR R)[0:Z]
2.6. The CWC-HASH operation
Kohno, Viega, Whiting [Page 6]
Internet Draft May 2003
This hash function is essentially a traditional Carter-Wegman
polynomial hash, with a field of GF(2^127-1). At a high level, CWC-
HASH breaks its input messages into 96-bit blocks, interprets those
blocks as 96-bit integer coefficients to a polynomial, and then
evaluates that polynomial, modulo 2^127-1, at a secret point Z. The
output is encoded as a 16-octet string, the most significant bit of
which is always 0.
For simplicity, we describe the computation of this polynomial using
Horner's rule, although other implementation strategies are possible
(see Section 3). Using Horner's rule, for each 12 octets of the
message (where those octets are treated like a number in big endian
notation), we add the message block to the ongoing result, modulo
2^127-1. We then multiply by the hash key (itself treated as a
number), again modulo 2^127-1.
The output is the ongoing result, represented as a 16-octet big
endian value.
CWC-HASH(K, A, C):
1) Z = AES_K(0xC0000000000000000000000000000000) &
0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
2) X = CWC-HPAD(A) || CWC-HPAD(C)
3) B = LEN(X) / 12
4) OUTPUT = 0
5) FOR I FROM 0 TO B-1:
a) OUTPUT = OUTPUT + X[12*I : 12*I+12] MOD 2^127-1
b) OUTPUT = OUTPUT * Z MOD 2^127-1
6) OUTPUT = OUTPUT + (LEN(C) + 2^64*LEN(A)) MOD 2^127-1
Note that many implementations will want to compute Z at key setup
time. Other implementations, where managing extra key material is
expensive, will likely recompute Z upon every invocation.
2.7. The CWC-HPAD operation
The input to the hash function needs to be a multiple of 96 bits.
CWC-HPAD(STR):
1) OUTPUT = STR
2) WHILE LEN(OUTPUT) MOD 12: OUTPUT = OUTPUT + 0x00
3. Implementation Notes
This mode consists of counter mode encryption, and a MAC computed
over the ciphertext. Parallelization of the counter mode encryption
Kohno, Viega, Whiting [Page 7]
Internet Draft May 2003
is straightforward, and the keystream can be precomputed once the
nonce is known. The hash key can be computed at key setup time. One
of the two AES operations for the MAC can be precomputed once the
nonce is known.
There are a number of different ways an implementation could evaluate
the CWC-HASH polynomial. For example, the current description of
CWC-HASH shows how to evaluate the polynomial using Horner's rule.
For example, an implementation following the current CWC-HASH
description would evaluate the polynomial
a*K^5 + b*K^4 + c*K^3 + +d*K^2 + e*K + LEN(A)*2^64 + LEN(C)
as follows:
(((((a)K + b)K + c)K + d)K + e)K + LEN(A)*2^64 + LEN(C)
Doing so saves numerous multiplications compared to the naive
approach for evaluating the original polynomial.
On some architectures it may be more efficient (but more memory
intensive) to precompute powers of the key, and then evaluate the
polynomial directly. See [CWC] for details on this strategy.
Additionally, the CWC-hash computation is arbitrarily parallelizable.
For example, one might consider interleaving subsequent message
blocks to different processing units. For example, given the above
polynomial, we could instead use the following two (factored)
polynomials in K^2:
1) ((a*K^2 + c)K^2 + e)K
2) ((b*K^2 + d)K^2 + LEN(A)*2^64+LEN(C)
After we plug a message into each of the two polynomials and evaluate
them, adding the two results together will give the same result as
evaluating the original polynomial serially.
Another thing to note is that many instruction sets have issues with
multiply speed that may suggest alternate implementations. For
example, the relative speed of a 32-bit integer multiply on Intel x86
hardware (in terms of the number of cycles that it takes to run) is
worse on Pentium 4s than it is on Pentium IIIs, which are worse than
Pentium II's. On Pentium 4s, it is more desirable to use either the
floating-point or XMM multiply operation instead of the integer
multiply, because it takes fewer cycles to run, can multiply two
numbers at once, and does not always introduce pipeline stalls.
4. Hardware Performance
A driving motivation for this work was to construct a patent-free
dual-use mode capable of processing 10Gbits/second using conventional
Kohno, Viega, Whiting [Page 8]
Internet Draft May 2003
ASIC technology. Such a patent-free dual-use mode is need for the
upcoming 10Gbit/second links.
Because CWC is parallelizable (as discussed above), it can achieve
10Gbits/second in conventional hardware.
5. Software Performance
Software performance of the counter mode encryption is directly
related to the speed of AES encryption. The additional per-block
overhead (counter maintenance, XOR and memory operations) should
never add more overhead than a cycle per octet. Experience shows
that on popular platforms, two tenths of a cycle per octet can be
achieved. Furthermore, performance can be improved since part of the
first and second AES rounds can be re-used between block cipher
invocations (since a counter increment will typically effect the
input to only one S-box in the first round and a few S-boxes in the
second round).
Performance of the hash function is highly dependent on the
implementation strategy. The reference implementation provided in
this document runs a bit faster per octet than the OpenSSL version of
AES on a Pentium III. Using floating point operations, the CWC hash
function can run about as fast as the fastest PIII-based AES
implementation (which runs at better than half the cycles per byte of
the OpenSSL version). Precomputing key material provides even more
speed for CWC. See [CWC] for a more detailed discussion of
performance.
Note that the hash function is similar to Bernstein's hash127. The
major difference is that CWC-HASH operates on unsigned 96-bit
coefficients instead of signed 32-bit coefficients. The larger
coefficients result in a couple of cycles lost per byte, but
otherwise the CWC hash can have similar performance characteristics,
if implemented in the same manner. On Pentium 4 hardware, hash127
can run below 5 cycles per octet, and we expect that CWC can run no
worse than twice the speed. In contrast, the best AES implementation
is a commercial one that is generally three to four times slower than
hash127, when doing measurements per octet.
The hash runs at approximately constant speed, in practice, unlike
traditional cryptographic hash functions such as MD5, which tend to
have high startup costs, making them far more expensive for short
messages than long ones.
On all recent Intel architectures, the integer unit and the floating
point unit are largely independent. One should be able to speed up
CWC by computing the hash in the floating point registers, and
Kohno, Viega, Whiting [Page 9]
Internet Draft May 2003
performing encryption in the integer registers.
6. Intellectual Property Statements
The authors hereby explicitly release any intellectual property
rights to CWC mode into the public domain. Further, the authors are
not aware of any patent or patent application anywhere in the world
that cover this encryption mode. This mode is a simple combination
of two techniques that have been in the literature for over 20 years
(a polynomial universal hash and counter mode).
7. Security Considerations
The primary concern with CWC mode is that a K,N pair MUST NOT be
reused, otherwise the security properties of the mode are lost. To
help prevent such disasters, we recommend that software APIs
implementing CWC-AES have a high-level API to prevent this kind of
problem. In protocols where new symmetric keys are randomly chosen
for each connection, such as TLS, this is not much of an issue, as
long as the message number is involved in nonce selection.
However, it can be a problem when using fixed shared secrets in an
all-symmetric system. In such a case, you may have an abstract data
type representing a key, which contains a data field that notes how
many times the key has been used to key a cipher. Given such a base
key, an API might derive the actual CWC key for CWC-AES-128 by
encrypting the count with the given key.
A high-level API has other advantages, as well. For example, such an
API could perform automatic nonce management, particularly providing
defense against capture-replay attacks.
There is a proof showing that CWC is secure to very good bounds,
assuming that the underlying block cipher acts as a pseudo-random
permutation. Modern block ciphers, including AES, are believed to be
pseudo-random. In our proofs, we use the authenticated encryption
with associated data (AEAD) privacy and integrity notions defined in
[Rogaway]. See [CWC] for details.
7.1. Rekeying recommendations
Developers should understand the provable security results in [CWC]
and rekey appropriately. For example, assuming no attacks directly
against AES, to limit the advantage of a privacy or authenticity
adversary (under the definitions in [Rogaway] and [CWC]) to around
1/2^30, implementations should re-key after 2^47 packets or 2^51
encrypted octets, whichever comes first. Or, to limit the advantage
Kohno, Viega, Whiting [Page 10]
Internet Draft May 2003
of an adversary to approximately 1/2^60, implementations should re-
key after encrypting 2^32 packets or 2^36 octets, whichever comes
first.
7.2. Weak Hash Keys
The all-bits-zero hash key and the all-bits-one hash key are both
weak in the sense that the output of the hash function will depend
only on the lengths, and not the contents, of the inputs A and M.
The odds of selecting one of these two keys are so small that this is
not a problem to worry about. In fact, the presence of these two
keys is considered in the proof of security of the hash function.
Therefore, to avoid unnecessary implementation complexities and
potential (albeit incredibly unlikely) interoperability issues,
implementations MUST NOT detect this condition.
8. Test Vectors
Vector #1: CWC-AES-128
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 2B 9E AE BE 67 3F AE 03 6B 16 EA 31 DC A7 AE 6B
AES(HVAL): FC DC 06 4C CD CA FE E3 DE 7A A3 CF 5C 5D B9 7B
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 57 55 DB A5 09 9F 3F 1D
60 04 44 97 DE 89 33 A9
Vector #2: CWC-AES-192
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 40 E6 24 83 4B 27 9A 7B 15 42 C7 FE 29 EB 29 A3
AES(HVAL): 69 CC 0E 3D 96 98 EB 75 1F 06 A5 90 9B C2 4F 5A
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 AF 7A FA 0E 6F 8A D2 3A
75 8A 1C 43 69 B9 43 28
Vector #3: CWC-AES-256
Kohno, Viega, Whiting [Page 11]
Internet Draft May 2003
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
HASH VALUE: 18 99 E1 A6 1E 6E 37 65 C6 3A 41 99 56 8C D1 BF
AES(HVAL): 1C 56 65 0A 22 BC B5 94 AC F3 CA 24 46 03 B8 5E
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 8E 5C 5E 4C A0 99 A3 65
F6 50 D1 8A CB E8 CA FE
Vector #4: CWC-AES-128
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 2E A9 2A A5 28 B1 1C 08 1C C8 2F 24 9B E4 19 8D
AES(HVAL): EA 54 F8 3D 56 7F 53 05 88 B1 EA 96 36 79 CD AC
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 41 DD 25 D4 92 2A 92 FB
36 CF 0D CE B4 AD 47 7E
Vector #5: CWC-AES-192
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 60 3F FC 24 71 64 2E D9 57 E1 B1 EA F2 F8 B0 34
AES(HVAL): D8 39 86 2A 33 5A 54 68 C8 16 DA 47 69 A2 10 EB
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 1E 8F 72 19 CA 48 6D 27
A2 9A 63 94 9B D9 1C 99
Vector #6: CWC-AES-256
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
Kohno, Viega, Whiting [Page 12]
Internet Draft May 2003
PLAINTEXT: 00 01 02 03 04 05 06 07
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
HASH VALUE: 0A C6 B1 39 57 7F 26 DA 94 16 42 E1 6D 73 EC B5
AES(HVAL): 4B A5 AD 1E 74 A2 C5 BE AB D0 DA 4D F4 29 83 0C
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B D9 AF 96 58 F6 87 D3 4F
F1 73 C1 E3 79 C2 F1 AC
Vector #7: CWC-AES-128
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 79 00 74 72 E1 C8 36 96 ED 7A B1 F9 03 6E 94 8B
AES(HVAL): 2B 0F 24 69 B1 2B BE 39 C9 40 67 BA F1 25 E2 5B
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 80
86 F9 80 75 7E 7F C7 77 3E 80 E2 73 F1 68 89
Vector #8: CWC-AES-192
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 2C 5E 3A A4 37 1C 27 D6 E8 6B 76 DC 3D 93 BC 87
AES(HVAL): 48 6E 9C E5 C3 16 3E A6 9C D4 D7 E2 7C 9D 92 D2
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 8E
D8 68 D6 3A 04 07 E9 F6 58 6E 31 8E E6 9E A0
Vector #9: CWC-AES-256
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
Kohno, Viega, Whiting [Page 13]
Internet Draft May 2003
--------------------------------------------------------------
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
HASH VALUE: 4A 70 29 CC 58 25 52 CB 75 AD C9 60 FF B3 F7 55
AES(HVAL): 2B 64 0E 02 CE 51 DE 22 B2 0F 2A 8D C4 23 CD C0
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B9
6E 35 44 4C 74 C8 D3 E8 AC 31 23 49 C8 BF 60
Vector #10: CWC-AES-128
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 51 AE 9D 7E 86 BD E0 B2 AA 18 2C 91 87 0A 9C A5
AES(HVAL): DF 48 30 BD 1D DC E0 59 B1 C2 0B 29 01 4F 80 10
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 74
C1 ED 54 D9 89 21 A7 0F BC EC 71 83 9B 0A C2
Vector #11: CWC-AES-192
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 51 60 E7 81 DC 64 F9 CD 54 BA 02 40 A2 E8 EE 99
AES(HVAL): A0 30 58 13 22 B6 80 53 64 B0 3E 52 41 D2 2D 0A
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 66
86 AC 20 DB A4 B9 1C 0E 3C 87 81 B3 A9 21 78
Vector #12: CWC-AES-256
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
Kohno, Viega, Whiting [Page 14]
Internet Draft May 2003
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
HASH VALUE: 3F F5 0C 60 E6 01 7A 3C A1 BB B3 54 65 02 85 7C
AES(HVAL): 3E EF A2 E4 97 91 82 86 73 0C F6 E9 46 2C CA 15
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 AC
E5 99 A2 15 B4 94 77 29 AF ED 47 CB C7 B8 B5
Vector #13: CWC-AES-128
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 58 D5 28 89 4F 1F 6A 52 A6 44 FA 69 65 C0 73 A6
AES(HVAL): A3 9E F3 6F 67 1F FA F8 71 0C 83 BB 49 A6 6E BC
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 0F
48 5B 82 64 6E CF B9 F9 A0 B0 75 4F D5 94 36 5A
08 17 2E 86 A3 4A 3B 06 CF 72 64 E3 CB 72 E4 6E
Vector #14: CWC-AES-192
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 0D 0A D2 78 1E 8F E8 47 00 85 31 28 B1 E3 49 3A
AES(HVAL): 5A 05 AA 45 88 06 A9 C1 DC 5A F6 AF 6F 8F EC F6
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 A3
A4 C4 70 6D 40 41 F4 F9 58 E1 3F D0 D7 60 4D 1E
9C B3 5E 76 71 14 90 8E B6 D6 4F 7C 9D F4 E0 84
Vector #15: CWC-AES-256
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: <None>
NONCE: FF EE DD CC BB AA 99 88 77 66 55
Kohno, Viega, Whiting [Page 15]
Internet Draft May 2003
--------------------------------------------------------------
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
HASH VALUE: 02 F2 DA E9 83 72 0E BC DC 77 89 3B 67 CB 3D B7
AES(HVAL): B7 F6 AE DE A3 95 35 FE 03 93 08 DF E0 C7 F1 78
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B5
D2 41 06 CA 5D EB 80 A7 B5 71 0A 38 A4 39 8D BA
25 FC 95 98 21 B0 23 0F 59 30 13 71 6D 2C 83 D8
Vector #16: CWC-AES-128
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C
HASH VALUE: 05 EE B6 CB DF A6 E5 B8 4C 65 DD F4 8C C8 25 23
AES(HVAL): 62 E5 23 FE 48 8F BC 14 E3 77 15 6C 4D 0F D0 8B
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2
CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 0F
48 5B 82 64 6E CF B9 F9 A0 B0 75 4F D5 94 36 5A
C9 6C FE 17 8C DA 7D EA 5D 09 F2 34 CF DB 5A 59
Vector #17: CWC-AES-192
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5
HASH VALUE: 10 E1 48 E2 D0 68 39 EC C4 0A 6C A3 D6 8B 47 54
AES(HVAL): 23 0A 37 C3 48 7C 9F 76 05 B9 5D 1A 21 D5 D5 FD
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72
CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 A3
A4 C4 70 6D 40 41 F4 F9 58 E1 3F D0 D7 60 4D 1E
E5 BC C3 F0 B1 6E A6 39 6F 35 E4 C9 D3 AE D9 8F
Vector #18: CWC-AES-256
AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00
Kohno, Viega, Whiting [Page 16]
Internet Draft May 2003
PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74
65 78 74 20 68 65 61 64 65 72 2E 00
NONCE: FF EE DD CC BB AA 99 88 77 66 55
--------------------------------------------------------------
HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5
HASH VALUE: 09 4D C5 21 94 79 E0 58 4E E9 C1 2C 29 6A E3 A4
AES(HVAL): E9 69 49 47 09 07 62 3B A9 8D AD 51 9F D5 D1 F7
MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00
AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0
CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B5
D2 41 06 CA 5D EB 80 A7 B5 71 0A 38 A4 39 8D BA
7B 63 72 01 8B 22 74 CA F3 2E B6 FF 12 3E A3 57
9. Acknowledgements
We would like to thank Peter Gutmann, David McGrew, and David Wagner
for their comments on this document. Additionally, we would like to
thank Brian Gladman for helping to validate our test vectors and for
providing us timing information for an optimized CWC implementation.
Tadayoshi Kohno was supported by a National Defense Science and
Engineering Fellowship.
Normative References
[AES] Federal Information Processing Standards Publication
197. "Specification for the Advanced Encryption
Standard". November 2001.
[CWC] Kohno, T., Viega, J. and Whiting, D. "The CWC
authenticated encryption (associated data) mode".
IACR ePrint Archive. May 2003.
Informative References
[hash127] Bernstein, D.J. "Floating-point arithmetic and
message authentication".
http://cr.yp.to/hash127.html
[ICM] McGrew, D. "Integer Counter Mode", Internet Draft,
October, 2003. Internet-Draft, work in progress.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels," RFC 2119, March 1997.
[Rogaway] Rogaway, P., "Authenticated encryption with
Kohno, Viega, Whiting [Page 17]
Internet Draft May 2003
associated data." Proceedings of the 9th ACM
Conference on Computer and Communications Security,
November 2002.
Authors' Addresses:
Tadayoshi Kohno
Department of Computer Science and Engineering
University of California at San Diego
9500 Gilman Drive, MC 0114
La Jolla, CA 92093-0114
Phone: +1 858-822-2977
EMail: tkohno@cs.ucsd.edu
John Viega
Secure Software, Inc.
6066 Leesburg Pike, Suite 500
Falls Church, VA 22041
Phone: +1 703-998-1512
EMail: viega@securesoftware.com
Doug Whiting
Hifn
5973 Avenida Encinas, Suite 110
Carlsbad, CA 92009
EMail: dwhiting@hifn.com
Appendix A: Reference Code
This reference code is not meant to be fast. Instead, it is meant to
be reasonably easy to understand, to help clarify the algorithm. See
[CWC] and [hash127] for suggestions on efficient implementations of
the underlying hash function.
If you wish to use a pre-existing implementation, there are likely to
be suitable implementations faster than this one. See a list of
known implementations at: http://www.zork.org/cwc
This reference code needs a working AES implementation. It requires
you to define three macros. We provide implementations of those
macros using the AES implementation found in OpenSSL versions 0.9.7
and later. Note that, if using OpenSSL, one should also include the
header file <openssl/aes.h>.
#include <arpa/inet.h> /* For htonl() */
/* Typedefs must change when appropriate for the architecture. */
typedef unsigned int uint32;
Kohno, Viega, Whiting [Page 18]
Internet Draft May 2003
typedef unsigned long long uint64;
/* The type alias AES_KS_T must be set to the type of the AES key
* schedule you're using.
*/
typedef AES_KEY AES_KS_T;
/* This macro must implement the basic AES key expansion operation
* for ECB encryption. The parameters are a key, the bit length of
* the key and a pointer to a key schedule to use for output.
*/
#define CWC_AES_SETUP(key, bitlen, ks) \
AES_set_encrypt_key(key, bitlen, ks)
/* This macro must implement the basic AES block encryption
* operation. It takes a pointer to a key schedule, a pointer to an
* input block and a pointer to the output block.
*/
#define CWC_AES_ENCRYPT(ks, in, out) AES_encrypt(in, out, ks)
typedef unsigned char uchar;
typedef struct {
uint32 hashkey[4];
AES_KS_T aeskey;
} cwc_t;
/* The public API. */
/* Warning: cwc_init zeros out the key before exiting! */
int cwc_init(cwc_t ctx[1], uchar key[], int keybits);
void cwc_encrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar pt[],
uint32 ptlen, uchar nonce[11], uchar output[]);
int cwc_decrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar ct[],
uint32 ctlen, uchar nonce[11], uchar output[]);
void cwc_cleanup(cwc_t ctx[1]);
/* Private prototypes. */
static void cwc_ctr(cwc_t ctx[1], uchar p[], uint32 plen,
uchar nonce[11], uchar output[]);
static void cwc_mac(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[],
uint32 plen, uchar nonce[11], uchar output[16]);
static void cwc_hash(cwc_t ctx[1], uchar a[], uint32 alen,
uchar p[], uint32 plen, uchar output[16]);
static void cwc_memset(volatile void *dst, int c, uint32 len) {
volatile char *buf = (volatile char *)dst;
while(len--) buf[len] = c;
}
Kohno, Viega, Whiting [Page 19]
Internet Draft May 2003
/* This always takes in a 96-bit input and produces a 128-bit
* output.
*/
static void cwc_str2int(uchar buf[], uint32 res[4]) {
res[0] = 0;
res[1] = htonl(((uint32 *)buf)[0]);
res[2] = htonl(((uint32 *)buf)[1]);
res[3] = htonl(((uint32 *)buf)[2]);
}
static void cwc_mod_add(uint32 a[4], uint32 res[4]) {
int i, carry[4] = {0,};
for (i=0;i<4;i++) {
res[i] += a[i];
if (res[i] < a[i])
carry[i-1] = 1;
}
if (res[0] & 0x80000000) {
carry[3] = 1;
res[0] &= 0x7fffffff;
}
while (i--) {
if (carry[i]) {
res[i] += carry[i];
if (res[i] < carry[i])
carry[i-1]++;
}
}
}
static void cwc_multiply_128(uint32 a[4], uint32 b[4],
uint32 res[8]) {
int i, j;
uint32 upper, lower, carry[8] = {0,};
uint64 tmp;
cwc_memset(res, 0, sizeof(uint32)*8);
for (i=0;i<4;i++) {
for (j=0;j<4;j++) {
tmp = (uint64)(a[i]) * (uint64)(b[j]);
upper = tmp >> 32;
lower = tmp & 0xffffffff;
res[i+j] += upper;
if (res[i+j] < upper)
carry[i+j-1]++;
res[i+j+1] += lower;
if (res[i+j+1] < lower)
Kohno, Viega, Whiting [Page 20]
Internet Draft May 2003
carry[i+j]++;
}
}
i = 8;
while (i--) {
res[i] += carry[i];
if (carry[i] > res[i])
carry[i-1]++;
}
}
static void cwc_mod_256(uint32 v[8]) {
int i;
for (i=0;i<4;i++) {
v[i] <<= 1;
v[i] |= v[i+1] >> 31;
}
v[4] &= 0x7fffffff;
cwc_mod_add(v,v+4);
}
static void cwc_mod_mul(uint32 a[4], uint32 res[4]) {
uint32 b[8] = {0,};
cwc_multiply_128(a, res, b);
cwc_mod_256(b);
res[0] = b[4]; res[1] = b[5]; res[2] = b[6]; res[3] = b[7];
}
/* Warning: This zeros out the key before exiting! */
int cwc_init(cwc_t ctx[1], uchar key[], int keybits) {
uchar hashkey[16];
uchar hash_generator[16] = {0xC0, }; /* all 0s after byte 1.. */
if (keybits != 128 && keybits != 192 && keybits != 256)
return 0;
CWC_AES_SETUP(key, keybits, &ctx->aeskey);
CWC_AES_ENCRYPT(&ctx->aeskey, hash_generator, hashkey);
hashkey[0] &= 0x7F;
ctx->hashkey[0] = htonl(((uint32 *)hashkey)[0]);
ctx->hashkey[1] = htonl(((uint32 *)hashkey)[1]);
ctx->hashkey[2] = htonl(((uint32 *)hashkey)[2]);
ctx->hashkey[3] = htonl(((uint32 *)hashkey)[3]);
cwc_memset(key, 0, keybits/8);
return 1;
}
Kohno, Viega, Whiting [Page 21]
Internet Draft May 2003
void cwc_encrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar pt[],
uint32 ptlen, uchar nonce[11], uchar output[]) {
cwc_ctr(ctx, pt, ptlen, nonce, output);
cwc_mac(ctx, a, alen, output, ptlen, nonce, output+ptlen);
}
int cwc_decrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar ct[],
uint32 ctlen, uchar nonce[11], uchar output[]) {
uchar checktag[16];
int i;
if (ctlen < 16)
return 0;
cwc_mac(ctx, a, alen, ct, ctlen-16, nonce, checktag);
for (i=1;i<=16;i++)
if (ct[ctlen-i] != checktag[16-i])
return 0;
cwc_ctr(ctx, ct, ctlen-16, nonce, output);
return 1;
}
void cwc_cleanup(cwc_t *ctx) {
cwc_memset((void *)ctx, 0, sizeof(cwc_t));
}
static void cwc_ctr(cwc_t ctx[1], uchar p[], uint32 plen,
uchar nonce[11], uchar output[]) {
uchar last[16], ctrblk[16] = {0x80,};
uint32 i, l = plen/16;
memcpy(ctrblk+1, nonce, 11);
ctrblk[15] = 0x01;
for (i=0;i<l;i++) {
CWC_AES_ENCRYPT(&ctx->aeskey, ctrblk, output);
((uint32 *)output)[0] ^= ((uint32 *)p)[0];
((uint32 *)output)[1] ^= ((uint32 *)p)[1];
((uint32 *)output)[2] ^= ((uint32 *)p)[2];
((uint32 *)output)[3] ^= ((uint32 *)p)[3];
output += 16;
p += 16;
/* On a big endian box we could do one 32 bit increment. */
if (!++ctrblk[15])
if (!++ctrblk[14])
if (!++ctrblk[13])
++ctrblk[12];
}
l = plen%16;
Kohno, Viega, Whiting [Page 22]
Internet Draft May 2003
if (l) {
CWC_AES_ENCRYPT(&ctx->aeskey, ctrblk, last);
for (i=0;i<l;i++)
output[i] = last[i] ^ p[i];
}
}
static void cwc_mac(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[],
uint32 plen, uchar nonce[11], uchar output[16]) {
uchar hashvalue[16], encrhash[16], ctrblk[16] = {0x80,};
int i;
cwc_hash(ctx, a, alen, p, plen, hashvalue);
CWC_AES_ENCRYPT(&ctx->aeskey, hashvalue, encrhash);
memcpy(ctrblk+1, nonce, 11);
CWC_AES_ENCRYPT(&ctx->aeskey, ctrblk, output);
for (i=0;i<16;i++)
output[i] ^= encrhash[i];
}
static void cwc_hash(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[],
uint32 plen, uchar out[16]) {
uint32 i, lo;
uint32 t[4], res[4] = {0,};
uchar padblock[12];
for (i=0;i<alen/12;i++) {
cwc_str2int(a+i*12, t);
cwc_mod_add(t, res);
cwc_mod_mul(ctx->hashkey, res);
}
lo = alen%12;
if (lo) {
a = a+i*12;
for (i=0;i<lo;i++)
padblock[i] = *a++;
for (;i<12;i++)
padblock[i] = 0;
cwc_str2int(padblock, t);
cwc_mod_add(t, res);
cwc_mod_mul(ctx->hashkey, res);
}
for (i=0;i<plen/12;i++) {
cwc_str2int(p+i*12, t);
cwc_mod_add(t, res);
cwc_mod_mul(ctx->hashkey, res);
}
lo = plen%12;
Kohno, Viega, Whiting [Page 23]
Internet Draft May 2003
if (lo) {
p = p+i*12;
for (i=0;i<lo;i++)
padblock[i] = *p++;
for (;i<12;i++)
padblock[i] = 0;
cwc_str2int(padblock, t);
cwc_mod_add(t, res);
cwc_mod_mul(ctx->hashkey, res);
}
t[0] = t[2] = 0;
t[1] = alen;
t[3] = plen;
cwc_mod_add(t, res);
for (i=0;i<4;i++)
((uint32 *)out)[i] = htonl(res[i]);
}
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Kohno, Viega, Whiting [Page 24]
Internet Draft May 2003
Kohno, Viega, Whiting [Page 25]
| PAFTECH AB 2003-2026 | 2026-04-24 03:05:11 |