|
|
@@ -0,0 +1,249 @@
|
|
|
+/*
|
|
|
+ NoekeonVects.java - Generate Noekeon test vectors using BouncyCastle.
|
|
|
+
|
|
|
+ Written in 2011 by Patrick Pelletier <[email protected]>
|
|
|
+
|
|
|
+ To the extent possible under law, the author(s) have dedicated all
|
|
|
+ copyright and related and neighboring rights to this software to
|
|
|
+ the public domain worldwide. This software is distributed without
|
|
|
+ any warranty.
|
|
|
+
|
|
|
+ This file is dedicated to the public domain with the CC0 Public Domain
|
|
|
+ Dedication: http://creativecommons.org/publicdomain/zero/1.0/legalcode.txt
|
|
|
+
|
|
|
+ You may also consider this file to be covered by the WTFPL, as contained
|
|
|
+ in the LibTomCrypt LICENSE file, if that makes you happier for some reason.
|
|
|
+
|
|
|
+ ----------------------------------------------------------------------
|
|
|
+
|
|
|
+ This program was inspired by the comment in Botan 1.10.1's
|
|
|
+ doc/examples/eax_test.cpp:
|
|
|
+
|
|
|
+ // Noekeon: unknown cause, though LTC's lone test vector does not
|
|
|
+ // match Botan
|
|
|
+
|
|
|
+ So, I investigated the discrepancy by comparing them with a third
|
|
|
+ implementation, BouncyCastle: http://www.bouncycastle.org/java.html
|
|
|
+
|
|
|
+ I determined that there are two reasons why LibTomCrypt's Noekeon does
|
|
|
+ not match Botan:
|
|
|
+
|
|
|
+ 1) Botan uses "indirect Noekeon" (with a key schedule), while
|
|
|
+ LibTomCrypt and BouncyCastle both use "direct Noekeon" (without
|
|
|
+ a key schedule). See slide 14 of
|
|
|
+ http://gro.noekeon.org/Noekeon-slides.pdf
|
|
|
+
|
|
|
+ 2) However, LibTomCrypt's direct Noekeon still does not match
|
|
|
+ BouncyCastle's direct Noekeon. This is because of a bug in
|
|
|
+ LibTomCrypt's PI1 and PI2 functions:
|
|
|
+ https://github.com/libtom/libtomcrypt/issues/5
|
|
|
+
|
|
|
+ This program uses BouncyCastle to produce test vectors which are
|
|
|
+ suitable for Botan (by explicitly scheduling the key, thus
|
|
|
+ building indirect Noekeon out of BouncyCastle's direct Noekeon),
|
|
|
+ and also produces test vectors which would be suitable for
|
|
|
+ LibTomCrypt (direct Noekeon) once its PI1 and PI2 functions are
|
|
|
+ fixed to match the Noekeon specification.
|
|
|
+
|
|
|
+ Although this program uses a PRNG from BouncyCastle to generate
|
|
|
+ data for the test vectors, it uses a fixed seed and thus will
|
|
|
+ produce the same output every time it is run.
|
|
|
+*/
|
|
|
+
|
|
|
+import java.io.ByteArrayOutputStream;
|
|
|
+import java.io.IOException;
|
|
|
+import java.util.Locale;
|
|
|
+import org.bouncycastle.crypto.digests.RIPEMD128Digest;
|
|
|
+import org.bouncycastle.crypto.engines.NoekeonEngine;
|
|
|
+import org.bouncycastle.crypto.modes.EAXBlockCipher;
|
|
|
+import org.bouncycastle.crypto.params.AEADParameters;
|
|
|
+import org.bouncycastle.crypto.params.KeyParameter;
|
|
|
+import org.bouncycastle.crypto.prng.DigestRandomGenerator;
|
|
|
+import org.bouncycastle.util.encoders.HexEncoder;
|
|
|
+
|
|
|
+public class NoekeonVects
|
|
|
+{
|
|
|
+ private final DigestRandomGenerator r =
|
|
|
+ new DigestRandomGenerator(new RIPEMD128Digest());
|
|
|
+
|
|
|
+ private final HexEncoder h = new HexEncoder();
|
|
|
+
|
|
|
+ private final NoekeonEngine noekeon = new NoekeonEngine();
|
|
|
+
|
|
|
+ private final KeyParameter null_key = new KeyParameter(new byte[16]);
|
|
|
+
|
|
|
+ private final boolean schedule_key;
|
|
|
+
|
|
|
+ private final boolean botan_format;
|
|
|
+
|
|
|
+ private byte[] randomBytes(int n)
|
|
|
+ {
|
|
|
+ byte[] b = new byte[n];
|
|
|
+ r.nextBytes(b);
|
|
|
+ return b;
|
|
|
+ }
|
|
|
+
|
|
|
+ private void hexOut(byte[] b) throws IOException
|
|
|
+ {
|
|
|
+ // HexEncoder uses lowercase, and Botan's test vectors must
|
|
|
+ // be in uppercase, so...
|
|
|
+ ByteArrayOutputStream os = new ByteArrayOutputStream();
|
|
|
+ h.encode(b, 0, b.length, os);
|
|
|
+ String s = os.toString("US-ASCII");
|
|
|
+ System.out.print(s.toUpperCase(Locale.US));
|
|
|
+ }
|
|
|
+
|
|
|
+ private void printCArray(byte[] a) throws IOException
|
|
|
+ {
|
|
|
+ byte[] b = new byte[1];
|
|
|
+ for (int i = 0; i < a.length; i++)
|
|
|
+ {
|
|
|
+ if (i > 0)
|
|
|
+ System.out.print(", ");
|
|
|
+ System.out.print("0x");
|
|
|
+ b[0] = a[i];
|
|
|
+ hexOut(b);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ private void printVector(byte[] key, byte[] plaintext, byte[] ciphertext)
|
|
|
+ throws IOException
|
|
|
+ {
|
|
|
+ if (botan_format)
|
|
|
+ {
|
|
|
+ hexOut(plaintext);
|
|
|
+ System.out.print(":");
|
|
|
+ hexOut(ciphertext);
|
|
|
+ System.out.println(":\\");
|
|
|
+ hexOut(key);
|
|
|
+ System.out.println();
|
|
|
+ }
|
|
|
+ else
|
|
|
+ {
|
|
|
+ System.out.println(" {");
|
|
|
+ System.out.println(" 16,");
|
|
|
+ System.out.print(" { ");
|
|
|
+ printCArray (key);
|
|
|
+ System.out.println(" },");
|
|
|
+ System.out.print(" { ");
|
|
|
+ printCArray (plaintext);
|
|
|
+ System.out.println(" },");
|
|
|
+ System.out.print(" { ");
|
|
|
+ printCArray (ciphertext);
|
|
|
+ System.out.println(" }");
|
|
|
+ System.out.println(" },");
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ private KeyParameter maybe_schedule_key(byte[] key)
|
|
|
+ {
|
|
|
+ if (schedule_key)
|
|
|
+ {
|
|
|
+ noekeon.init(true, null_key);
|
|
|
+ byte[] scheduled = new byte[16];
|
|
|
+ noekeon.processBlock(key, 0, scheduled, 0);
|
|
|
+ return new KeyParameter(scheduled);
|
|
|
+ }
|
|
|
+ else
|
|
|
+ return new KeyParameter(key);
|
|
|
+ }
|
|
|
+
|
|
|
+ private byte[] encrypt(byte[] plaintext, byte[] key)
|
|
|
+ {
|
|
|
+ KeyParameter kp = maybe_schedule_key(key);
|
|
|
+ noekeon.init(true, kp);
|
|
|
+ byte[] ciphertext = new byte[16];
|
|
|
+ noekeon.processBlock(plaintext, 0, ciphertext, 0);
|
|
|
+ return ciphertext;
|
|
|
+ }
|
|
|
+
|
|
|
+ public NoekeonVects(long seed, boolean schedule_key, boolean botan_format)
|
|
|
+ {
|
|
|
+ this.schedule_key = schedule_key;
|
|
|
+ this.botan_format = botan_format;
|
|
|
+ r.addSeedMaterial(seed);
|
|
|
+ }
|
|
|
+
|
|
|
+ public void ecb_vectors() throws IOException
|
|
|
+ {
|
|
|
+ for (int i = 0; i < 8; i++)
|
|
|
+ {
|
|
|
+ byte[] key = randomBytes(16);
|
|
|
+ byte[] plaintext = randomBytes(16);
|
|
|
+ byte[] ciphertext = encrypt(plaintext, key);
|
|
|
+ printVector(key, plaintext, ciphertext);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public void eax_vectors() throws Exception
|
|
|
+ {
|
|
|
+ System.out.println("EAX-noekeon (16 byte key)");
|
|
|
+ EAXBlockCipher eax = new EAXBlockCipher(new NoekeonEngine());
|
|
|
+ byte[] output = new byte[48];
|
|
|
+ byte[] tag = new byte[16];
|
|
|
+
|
|
|
+ for (int j = 0; j < 16; j++)
|
|
|
+ tag[j] = (byte) j;
|
|
|
+
|
|
|
+ for (int i = 0; i <= 32; i++)
|
|
|
+ {
|
|
|
+ byte[] header_nonce_plaintext = new byte[i];
|
|
|
+ for (int j = 0; j < i; j++)
|
|
|
+ header_nonce_plaintext[j] = (byte) j;
|
|
|
+ AEADParameters params =
|
|
|
+ new AEADParameters(maybe_schedule_key(tag),
|
|
|
+ 128,
|
|
|
+ header_nonce_plaintext,
|
|
|
+ header_nonce_plaintext);
|
|
|
+ eax.init(true, params);
|
|
|
+ int off = eax.processBytes(header_nonce_plaintext, 0, i,
|
|
|
+ output, 0);
|
|
|
+ off += eax.doFinal(output, off);
|
|
|
+ if (off != i + 16)
|
|
|
+ throw new RuntimeException("didn't expect that");
|
|
|
+ byte[] ciphertext = new byte[i];
|
|
|
+ for (int j = 0; j < i; j++)
|
|
|
+ ciphertext[j] = output[j];
|
|
|
+ for (int j = 0; j < 16; j++)
|
|
|
+ tag[j] = output[i + j];
|
|
|
+ System.out.print(i < 10 ? " " : " ");
|
|
|
+ System.out.print(i);
|
|
|
+ System.out.print(": ");
|
|
|
+ hexOut(ciphertext);
|
|
|
+ System.out.print(", ");
|
|
|
+ hexOut(tag);
|
|
|
+ System.out.println();
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public static void main(String[] argv) throws Exception
|
|
|
+ {
|
|
|
+ NoekeonVects bot = new NoekeonVects(0xdefacedbadfacadeL, true, true);
|
|
|
+ NoekeonVects tom = new NoekeonVects(0xdefacedbadfacadeL, false, false);
|
|
|
+ System.out.println("# ECB vectors for indirect Noekeon, in Botan's");
|
|
|
+ System.out.println("# test vector format, suitable for insertion");
|
|
|
+ System.out.println("# into Botan's file checks/validate.dat");
|
|
|
+ System.out.println("# Block cipher format is plaintext:ciphertext:key");
|
|
|
+ bot.ecb_vectors();
|
|
|
+ System.out.println();
|
|
|
+ System.out.println("/* ECB vectors for direct Noekeon, as C arrays");
|
|
|
+ System.out.println(" * suitable for insertion into LibTomCrypt's");
|
|
|
+ System.out.println(" * noekeon_test() in src/ciphers/noekeon.c,");
|
|
|
+ System.out.println(" * once LTC's PI1/PI2 bug is fixed. */");
|
|
|
+ tom.ecb_vectors();
|
|
|
+ System.out.println();
|
|
|
+ System.out.println("# EAX vectors for indirect Noekeon, in the format");
|
|
|
+ System.out.println("# generated by LTC's demos/tv_gen.c and consumed");
|
|
|
+ System.out.println("# by Botan's doc/examples/eax_test.cpp, suitable");
|
|
|
+ System.out.println("# for insertion in Botan's doc/examples/eax.vec");
|
|
|
+ bot.eax_vectors();
|
|
|
+ System.out.println();
|
|
|
+ System.out.println("# EAX vectors for direct Noekeon, in the format");
|
|
|
+ System.out.println("# generated by LTC's demos/tv_gen.c and consumed");
|
|
|
+ System.out.println("# by Botan's doc/examples/eax_test.cpp, which");
|
|
|
+ System.out.println("# should match LTC's notes/eax_tv.txt, once");
|
|
|
+ System.out.println("# LTC's PI1/PI2 bug is fixed.");
|
|
|
+ tom.eax_vectors();
|
|
|
+ System.out.flush();
|
|
|
+ }
|
|
|
+}
|
Patrick Pelletier