Crypto Forum Research Group T. Kohno Internet-Draft UC San Diego Expires: October 14, 2003 J. Viega Secure Software D. Whiting Hifn April 14, 2003 The CWC-AES Dual-Use Mode draft-irtf-cfrg-cwc-00.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on October 14, 2003. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract The CWC dual-use mode is a fast, parallelizable, provably secure and patent-free mode of operation for providing both encryption and message integrity. In this document we specify CWC for the AES block cipher, though its principles can easily be applied to other block ciphers. Kohno, Viega, Whiting [Page 1] Internet Draft March 2003 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1 Conventions Used in This Document . . . . . . . . . . . . . . 3 2. CWC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1 Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 The CWC-ENCRYPT operation . . . . . . . . . . . . . . . . . . 4 2.3 The CWC-DECRYPT operation . . . . . . . . . . . . . . . . . . 5 2.4 The CWC-CTR operation . . . . . . . . . . . . . . . . . . . . 5 2.5 The CWC-MAC operation . . . . . . . . . . . . . . . . . . . . 6 2.6 The CWC-HASH operation . . . . . . . . . . . . . . . . . . . . 6 2.7 The CWC-HPAD operation . . . . . . . . . . . . . . . . . . . . 7 3. Implementation Notes . . . . . . . . . . . . . . . . . . . . . 7 4. Hardware Performance . . . . . . . . . . . . . . . . . . . . . 8 5. Software Performance . . . . . . . . . . . . . . . . . . . . . 9 6. Intellectual Property Statements . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7.1 Rekeying recommendations . . . . . . . . . . . . . . . . . . . 10 7.2 Weak Hash Keys . . . . . . . . . . . . . . . . . . . . . . . . 10 8. Interoperability Considerations . . . . . . . . . . . . . . . 10 9. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 11 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17 References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 18 Full Copyright Statement . . . . . . . . . . . . . . . . . . . 18 Appendix A: Reference Code . . . . . . . . . . . . . . . . . . 19 1. Introduction The Carter-Wegman + Counter dual-use mode (CWC mode) is a mode of operation for providing both encryption and message integrity. This mode is parallelizable, fast in both software and hardware (where it can achieve speeds of 10 Gigabits per second), unencumbered by patents and provably secure to a good bound under the assumption that the underlying block cipher is a pseudo-random permutation. This construct has the following benefits: * CWC is fast in both software and hardware. In hardware it can process 10Gbits/second using conventional ASIC technology, making it an attractive choice for future 10Gbit/second links. * CWC is parallelizable to an arbitrary degree, while maintaining complete interoperability. * CWC is a simple combination of well-known techniques, under a well-understood model of combining those techniques. It is basically the "generic composition" approach, except with a Kohno, Viega, Whiting [Page 2] Internet Draft March 2003 single block cipher key. * CWC has provable security to very good bounds under standard assumptions. For provable security, we use the AED notions from [Rogaway]. * CWC only requires AES encryption. For example, hardware implementations only need to implement an encryption module. Software implementations can also avoid the memory overhead of AES' 4 K decryption lookup table. CWC does, however, require a multiplication unit. * CWC can reject bogus messages without decrypting the ciphertext. * CWC has minimal expansion (each ciphertext is as long as the plaintext, with the addition of a message authenticator). * CWC is unencumbered by patents to the best of our knowledge. * CWC can authenticate both encrypted messages and associated plaintext data such as headers. CWC still authenticates properly if a message contains no plaintext headers, and if it contains no ciphertext. * CWC is well suited for memory-limited environments. * CWC is designed to promote interoperability. That is, there is a minimal set of parameters. 1.1. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. CWC CWC is a generic mode of operation for block ciphers, and is described in [CWC]. Here, we specify a binding of CWC mode for AES. In this section, we will take a top-down approach. First, we will specify the CWC encryption and decryption operations in terms of high-level functions, and then we will specify each of the functions we use in detail. In this document, we will use || to represent string concatenation, "" to denote the empty string and AES_K(M) to indicate applying AES to a 128-bit message M, using key K. The underscore (_) indicates Kohno, Viega, Whiting [Page 3] Internet Draft March 2003 subscripts. Array indices all begin at 0. The function LEN(x) returns the length of the input string in octets. Note that the generic CWC mode allows arbitrary bit-length messages in a way that is compatible with the specification in this document. Additionally, the notation X[Y:Z] indicates a substring of octet string X consisting of the consecutive octets of X from index Y to Z-1. For example, evaluating X[0:3] where X is the octet string "ABCDEFG" would yield "ABC". The function CEILING(X) returns the smallest integer greater than or equal to its argument. 2.1. Parameters CWC takes two parameters: Y, the AES key length to use in octets (16, 24 or 32). Z, the size of the message authentication tag. That is, Z determines how many octets are added at the end of the message for purposes of modification detection. Z MUST be an even number between 4 and 16. Implementations SHOULD allow for Z being 16. When parties are communicating with CWC mode, they SHOULD agree on parameters authentically. Instantiations of CWC for AES MUST be referred to as CWC-AES, with an indication of the key size in octets and the tag size in octets. The tag size MAY be omitted if it is 16 octets. In the case where both the key and the tag are 16 octets, both may be omitted. For example, CWC-AES-32 and CWC-AES-32-16 both refer to AES in CWC mode, with 256-bit AES keys and a 16-octet tag. 2.2. The CWC-ENCRYPT operation CWC-ENCRYPT takes the following inputs: K, a key that is Y octets in length. A, a string of arbitrary length consisting of data to be authenticated, but not encrypted. The length of A MUST NOT exceed 2^36-16 octets. M, a string of arbitrary length consisting of the plaintext message. This message will be both encrypted and authenticated. The length of M MUST NOT exceed 2^36-16 octets. N, a nonce, 11 octets in length. Each value of N MUST NOT be used Kohno, Viega, Whiting [Page 4] Internet Draft March 2003 more than once for any given key K. The layout of the nonce is unspecified, but we recommend using part of the nonce for a salt of at least 4 octets that is randomly chosen at key setup time and using the rest for a message counter. Note that the length restrictions on A and M are an implementation- level decision specific to CWC-AES. Please see [CWC] for a discussion of the considerations. CWC-ENCRYPT is computed as follows: 1) C = CWC-CTR(K, N, M) 2) T = CWC-MAC(K, A, N, C) 3) OUTPUT = C || T 2.3. The CWC-DECRYPT operation CWC-DECRYPT takes the following inputs: K, a key that is Y octets in length. A, a string of arbitrary length up to 2^36-16 octets, consisting of data to be authenticated. C, a string of arbitrary length up to 2^36-16+Z octets, consisting of ciphertext to be decrypted and authenticated. N, a nonce of 11 octets in length, corresponding to the nonce for encryption. Note that if either A or C is longer than specified above, authentication will fail, as no messages may be that long. Implementations MAY explicitly check for overlong inputs and reject them up front. CWC-DECRYPT is computed as follows: 1) IF LEN(C) < Z THEN FAIL 2) C' = C[0 : LEN(C)-Z] 3) T' = C[LEN(C)-Z : LEN(C)] 4) T = CWC-MAC(K, A, N, C') 6) IF T <> T' THEN FAIL 7) OUTPUT = CWC-CTR(K, N, C') 2.4. The CWC-CTR operation This use of counter mode uses a layout for plaintexts that is Kohno, Viega, Whiting [Page 5] Internet Draft March 2003 compatible with the draft specification of Integer Counter Mode presented in [ICM]. The first two bits of the block being encrypted are used to distinguish the different types of AES encryption. In the context of the counter mode encryption, the first bit will always be 1, and the second will always be 0. The next 6 bits are reserved, and must always be zero. The next 11 octets consist of the nonce, and the final 4 octets encode a counter in big endian format that indicates which block of keystream is being produced by the current AES operation. Here's a visual representation of the octets in the counter plaintext blocks: 0 1 2 3 4 5 6 7 +-------+-------+-------+-------+-------+-------+-------+-------+ | 0x80 | Nonce +-------+-------+-------+-------+-------+-------+-------+-------+ Nonce (continued) | Counter | +-------+-------+-------+-------+-------+-------+-------+-------+ 8 9 10 11 12 13 14 15 CWC-CTR(K, N, M): 1) J = CEILING(LEN(M)/16) 2) S = "" 3) FOR I in 1 TO J: S = S || AES_K(0x80 || N || I) 4) OUTPUT = S[0:LEN(M)] XOR M Note that, in step 3, the number I is represented as a string in big endian format, and MUST be exactly 4 octets in length. 2.5. The CWC-MAC operation The CWC-MAC operation takes the results of CWC-HASH and then performs two post-processing AES operations. The first operation directly encrypts the hash result. Note that, in a correct implementation, the first bit of that plaintext will always be zero. The second AES operation is identical to the operation in 2.4., with the counter value set to 0. CWC-MAC(K, A, N, C): 1) R = AES_K(CWC-HASH(K, A, C)) 2) OUTPUT = (AES_K(0x80||N||0x00000000) XOR R)[0:Z] 2.6. The CWC-HASH operation Kohno, Viega, Whiting [Page 6] Internet Draft March 2003 This hash function is the traditional Carter-Wegman polynomial hash, with a field of GF(2^127-1). In practice, this means that, for each 12 octets of the message (where those octets are treated like a number in big endian notation), we add the message block to the ongoing result, modulo 2^127-1. We then multiply by the hash key (itself treated as a number), again modulo 2^127-1. The result is the ongoing result, represented as a 16-octet big endian value. The most significant bit will always be 0. CWC-HASH(K, A, C): 1) Z = AES_K(0xC0000000000000000000000000000000) & 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2) X = CWC-HPAD(A) || CWC-HPAD(C) 3) B = LEN(X) / 12 4) OUTPUT = 0 5) FOR I FROM 0 TO B-1: a) OUTPUT = OUTPUT + X[12*I : 12*I+12] MOD 2^127-1 b) OUTPUT = OUTPUT * Z MOD 2^127-1 6) OUTPUT = OUTPUT + (LEN(C) + 2^64*LEN(A)) MOD 2^127-1 Note that most implementations will want to compute Z at key setup time, instead of recomputing it for each message. 2.7. The CWC-HPAD operation The input to the hash function needs to be a multiple of 96 bits. CWC-HPAD(STR): 1) OUTPUT = STR 2) WHILE LEN(OUTPUT) MOD 12: OUTPUT = OUTPUT + 0x00 3. Implementation Notes This mode consists of counter mode encryption, and a MAC computed over the ciphertext. Parallelization of the counter mode encryption is straightforward, and the keystream can be precomputed once the nonce is known. The hash key can be computed at key setup time. One of the two AES operations for the MAC can be precomputed once the nonce is known. An efficient way to evaluate polynomials is to perform factoring using Hoerner's rule. For example, the polynomial: a*K^5 + b*K^4 + c*K^3 + +d*K^2 + e*K + LEN(A)*2^64 + LEN(C) Kohno, Viega, Whiting [Page 7] Internet Draft March 2003 Can be rewritten as the following expression: (((((a)K + b)K + c)K + d)K + e)K + LEN(A)*2^64 + LEN(C) Such a factoring approach saves numerous multiplications, which are quite expensive. Additionally, the CWC-hash computation is arbitrarily parallelizable. For example, one might consider interleaving subsequent message blocks to different processing units. For example, given the above polynomial, we could instead use the following two (factored) polynomials in K^2: 1) ((a*K^2 + c)K^2 + e)K 2) ((b*K^2 + d)K^2 + LEN(A)*2^64+LEN(C) After we plug a message into each of the two polynomials and evaluate them, adding the two results together will give the same result as evaluating the original polynomial serially. Clearly, if you expect to do this kind of parallelization, there is great value in precomputing K^2 at key setup time. Another thing to note is that many instruction sets have issues with multiply speed that may suggest alternate implementations. For example, the relative speed of a 32-bit integer multiply on Intel x86 hardware (in terms of the number of cycles that it takes to run) is worse on Pentium 4s than it is on Pentium IIIs, which are worse than Pentium II's. On Pentium 4s, it is more desirable to use either the floating-point or XMM multiply operation instead of the integer multiply, because it takes fewer cycles to run, can multiply two numbers at once, and does not always introduce pipeline stalls. On all recent Intel architectures, one can parallelize by factoring as above, having one polynomial computed by the integer registers and the other computed in the floating point registers. See [hash127] for a description of how to calculate this hash using floating point operations. 4. Hardware Performance A driving motivation for this work was to construct a patent-free dual-use mode capable of processing 10Gbits/second using conventional ASIC technology. Such a patent-free dual-use mode is need for the upcoming 10Gbit/second links. Because CWC is parallelizable (as discussed above), it can achieve 10Gbits/second in conventional hardware. Kohno, Viega, Whiting [Page 8] Internet Draft March 2003 5. Software Performance We have approximated the speed of AES-CTR mode using performance data on the Internet, and timed the speed of a well-optimized version of the underlying hash function. The remaining per-message operations are two AES operations and an XOR, that can run in under 500 cycles on a Pentium III. The current fastest AES implementation is written in assembly and encrypts at 14.125 cycles per octet. The counter increment and XOR requires about an extra 1.25 cycles per octet. We have produced an optimized C-based version of CWC mode, where the CWC hash function runs at about 14 cycles per octet. A similar assembly-based implementation will undoubtedly run faster than 10 cycles per octet. Note that the hash function is similar to Bernstein's hash127, except that it operates on unsigned 96-bit coefficients instead of signed 32-bit coefficients. The larger coefficients result in a couple of cycles lost per byte, but otherwise the CWC hash can have similar performance characteristics, if implemented in the same manner. On Pentium 4 hardware, hash127 can run below 5 cycles per byte. A straightforward x86 assembly implementation using no precomputation and 32-bit multiplies runs slower than the fastest implementations of AES, at just under 30 cycles per octet. A version using 64-bit multiplies should run at speeds competitive with the hash127-style approach. The hash runs at approximately constant speed, unlike MD5. The optimized implementation of the CWC hash is faster than an optimized MD5 for small messages, but is about the same speed for messages 2K octets in length or larger. 6. Intellectual Property Statements The authors hereby explicitly release any intellectual property rights to CWC mode into the public domain. Further, the authors are not aware of any patent or patent application anywhere in the world that covers this encryption mode. This mode is a simple combination of two techniques that have been in the literature for over 20 years (a polynomial universal hash and counter mode). 7. Security Considerations The primary concern with CWC mode is that a K,N pair MUST NOT be reused, otherwise the security properties of the mode are lost. To Kohno, Viega, Whiting [Page 9] Internet Draft March 2003 help prevent such disasters, we recommend that software APIs implementing CWC-AES have a high-level API to prevent this kind of problem. In protocols where new symmetric keys are randomly chosen for each connection, such as TLS, this is not much of an issue. However, it can be a problem when using fixed shared secrets in an all-symmetric system. In such a case, you may have an abstract data type representing a key, which contains a data field that notes how many times the key has been used to key a cipher. Given such a base key, an API might derive the actual CWC key for CWC-AES-16 by encrypting the count with the given key. A high-level API has other advantages, as well. For example, such an API could perform automatic nonce management, particularly providing defense against capture-replay attacks. There is a proof showing that CWC is secure to very good bounds, assuming that the underlying block cipher acts as a pseudo-random permutation. Modern block ciphers, including AES, are believed to be pseudo-random. In our proofs, we use the authenticated encryption with associated data (AEAD) privacy and integrity notions defined in [Rogaway]. See [CWC] for details. 7.1. Rekeying recommendations Applications SHOULD rekey at least once every 2^48 messages. 7.2. Weak Hash Keys The all-bits-zero hash key and the all-bits-one hash key are both weak. The odds of selecting one of these two keys are so small that this is not a problem to worry about. In fact, the presence of these two keys is considered in the proof of security of the hash function. Implementations MUST NOT detect this condition. 8. Interoperability Considerations There is one obvious modification to CWC-AES that people may be useful to those in resource constrained environments. In this section, we will discuss this extension, and outline how one SHOULD use it, if desirable. However, if implementing this change, the result MUST NOT be referred to as "CWC-AES" (it is sufficient to refer to it as a variant, however). Some environments (e.g., 16-bit environments) may wish to use key sizes smaller than 127 bits in order to save in the number of multiplications that need to be performed. This can be accomplished by setting the most significant hash keys to zero, until a key of the Kohno, Viega, Whiting [Page 10] Internet Draft March 2003 desired length is derived. For example, if you wish to use 64-bit keys, you could derive the hash key as follows: AES_K(0xC0000000000000000000000000000000) & 0x0000000000000000FFFFFFFFFFFFFFFF Using shorter hash keys does, however, significantly decrease the mode's resistance to forgery attacks. 9. Test Vectors Vector #1: CWC-AES-16 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 2B 9E AE BE 67 3F AE 03 6B 16 EA 31 DC A7 AE 6B AES(HVAL): FC DC 06 4C CD CA FE E3 DE 7A A3 CF 5C 5D B9 7B MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 57 55 DB A5 09 9F 3F 1D 60 04 44 97 DE 89 33 A9 Vector #2: CWC-AES-24 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 40 E6 24 83 4B 27 9A 7B 15 42 C7 FE 29 EB 29 A3 AES(HVAL): 69 CC 0E 3D 96 98 EB 75 1F 06 A5 90 9B C2 4F 5A MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 AF 7A FA 0E 6F 8A D2 3A 75 8A 1C 43 69 B9 43 28 Vector #3: CWC-AES-32 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- Kohno, Viega, Whiting [Page 11] Internet Draft March 2003 HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 HASH VALUE: 18 99 E1 A6 1E 6E 37 65 C6 3A 41 99 56 8C D1 BF AES(HVAL): 1C 56 65 0A 22 BC B5 94 AC F3 CA 24 46 03 B8 5E MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 8E 5C 5E 4C A0 99 A3 65 F6 50 D1 8A CB E8 CA FE Vector #4: CWC-AES-16 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 2E A9 2A A5 28 B1 1C 08 1C C8 2F 24 9B E4 19 8D AES(HVAL): EA 54 F8 3D 56 7F 53 05 88 B1 EA 96 36 79 CD AC MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 41 DD 25 D4 92 2A 92 FB 36 CF 0D CE B4 AD 47 7E Vector #5: CWC-AES-24 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 60 3F FC 24 71 64 2E D9 57 E1 B1 EA F2 F8 B0 34 AES(HVAL): D8 39 86 2A 33 5A 54 68 C8 16 DA 47 69 A2 10 EB MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 1E 8F 72 19 CA 48 6D 27 A2 9A 63 94 9B D9 1C 99 Vector #6: CWC-AES-32 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 Kohno, Viega, Whiting [Page 12] Internet Draft March 2003 HASH VALUE: 0A C6 B1 39 57 7F 26 DA 94 16 42 E1 6D 73 EC B5 AES(HVAL): 4B A5 AD 1E 74 A2 C5 BE AB D0 DA 4D F4 29 83 0C MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B D9 AF 96 58 F6 87 D3 4F F1 73 C1 E3 79 C2 F1 AC Vector #7: CWC-AES-16 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 79 00 74 72 E1 C8 36 96 ED 7A B1 F9 03 6E 94 8B AES(HVAL): 2B 0F 24 69 B1 2B BE 39 C9 40 67 BA F1 25 E2 5B MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 80 86 F9 80 75 7E 7F C7 77 3E 80 E2 73 F1 68 89 Vector #8: CWC-AES-24 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 2C 5E 3A A4 37 1C 27 D6 E8 6B 76 DC 3D 93 BC 87 AES(HVAL): 48 6E 9C E5 C3 16 3E A6 9C D4 D7 E2 7C 9D 92 D2 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 8E D8 68 D6 3A 04 07 E9 F6 58 6E 31 8E E6 9E A0 Vector #9: CWC-AES-32 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 HASH VALUE: 4A 70 29 CC 58 25 52 CB 75 AD C9 60 FF B3 F7 55 AES(HVAL): 2B 64 0E 02 CE 51 DE 22 B2 0F 2A 8D C4 23 CD C0 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 Kohno, Viega, Whiting [Page 13] Internet Draft March 2003 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B9 6E 35 44 4C 74 C8 D3 E8 AC 31 23 49 C8 BF 60 Vector #10: CWC-AES-16 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 51 AE 9D 7E 86 BD E0 B2 AA 18 2C 91 87 0A 9C A5 AES(HVAL): DF 48 30 BD 1D DC E0 59 B1 C2 0B 29 01 4F 80 10 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 74 C1 ED 54 D9 89 21 A7 0F BC EC 71 83 9B 0A C2 Vector #11: CWC-AES-24 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 51 60 E7 81 DC 64 F9 CD 54 BA 02 40 A2 E8 EE 99 AES(HVAL): A0 30 58 13 22 B6 80 53 64 B0 3E 52 41 D2 2D 0A MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 66 86 AC 20 DB A4 B9 1C 0E 3C 87 81 B3 A9 21 78 Vector #12: CWC-AES-32 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 HASH VALUE: 3F F5 0C 60 E6 01 7A 3C A1 BB B3 54 65 02 85 7C AES(HVAL): 3E EF A2 E4 97 91 82 86 73 0C F6 E9 46 2C CA 15 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 AC Kohno, Viega, Whiting [Page 14] Internet Draft March 2003 E5 99 A2 15 B4 94 77 29 AF ED 47 CB C7 B8 B5 Vector #13: CWC-AES-16 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 58 D5 28 89 4F 1F 6A 52 A6 44 FA 69 65 C0 73 A6 AES(HVAL): A3 9E F3 6F 67 1F FA F8 71 0C 83 BB 49 A6 6E BC MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 0F 48 5B 82 64 6E CF B9 F9 A0 B0 75 4F D5 94 36 5A 08 17 2E 86 A3 4A 3B 06 CF 72 64 E3 CB 72 E4 6E Vector #14: CWC-AES-24 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 0D 0A D2 78 1E 8F E8 47 00 85 31 28 B1 E3 49 3A AES(HVAL): 5A 05 AA 45 88 06 A9 C1 DC 5A F6 AF 6F 8F EC F6 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 A3 A4 C4 70 6D 40 41 F4 F9 58 E1 3F D0 D7 60 4D 1E 9C B3 5E 76 71 14 90 8E B6 D6 4F 7C 9D F4 E0 84 Vector #15: CWC-AES-32 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 HASH VALUE: 02 F2 DA E9 83 72 0E BC DC 77 89 3B 67 CB 3D B7 AES(HVAL): B7 F6 AE DE A3 95 35 FE 03 93 08 DF E0 C7 F1 78 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 Kohno, Viega, Whiting [Page 15] Internet Draft March 2003 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B5 D2 41 06 CA 5D EB 80 A7 B5 71 0A 38 A4 39 8D BA 25 FC 95 98 21 B0 23 0F 59 30 13 71 6D 2C 83 D8 Vector #16: CWC-AES-16 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 05 EE B6 CB DF A6 E5 B8 4C 65 DD F4 8C C8 25 23 AES(HVAL): 62 E5 23 FE 48 8F BC 14 E3 77 15 6C 4D 0F D0 8B MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 0F 48 5B 82 64 6E CF B9 F9 A0 B0 75 4F D5 94 36 5A C9 6C FE 17 8C DA 7D EA 5D 09 F2 34 CF DB 5A 59 Vector #17: CWC-AES-24 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 10 E1 48 E2 D0 68 39 EC C4 0A 6C A3 D6 8B 47 54 AES(HVAL): 23 0A 37 C3 48 7C 9F 76 05 B9 5D 1A 21 D5 D5 FD MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 A3 A4 C4 70 6D 40 41 F4 F9 58 E1 3F D0 D7 60 4D 1E E5 BC C3 F0 B1 6E A6 39 6F 35 E4 C9 D3 AE D9 8F Vector #18: CWC-AES-32 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- Kohno, Viega, Whiting [Page 16] Internet Draft March 2003 HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 HASH VALUE: 09 4D C5 21 94 79 E0 58 4E E9 C1 2C 29 6A E3 A4 AES(HVAL): E9 69 49 47 09 07 62 3B A9 8D AD 51 9F D5 D1 F7 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B5 D2 41 06 CA 5D EB 80 A7 B5 71 0A 38 A4 39 8D BA 7B 63 72 01 8B 22 74 CA F3 2E B6 FF 12 3E A3 57 9. Acknowledgements We would like to thank Peter Gutmann, David McGrew, and David Wagner for their comments on this document. Additionally, we would like to thank Brian Gladman for helping to validate our test vectors and for providing us timing information for an optimized CWC implementation. Tadayoshi Kohno was supported by a National Defense Science and Engineering Fellowship. References [CWC] Kohno, T., Viega, J. and Whiting, D. "A Carter-Wegman and Counter-Based Dual-Use Mode (CWC)". Manuscript, February, 2003. [hash127] Bernstein, D.J. "Floating-point arithmetic and message authentication". http://cr.yp.to/hash127.html [ICM] McGrew, D. "Integer Counter Mode", Internet Draft, October, 2003. http://www.ietf.org/internet-drafts/ draft-irtf-cfrg-icm-00.txt [PolyR] Krovetz, T. and Rogaway, P., "Fast universal hashing with small keys and no preprocessing: the PolyR construction". Proceedings of Information Security and Cryptology - ICICS 2000, Lecture Notes in Computer Science, vol 2015, D.H. Won, ed., Springer-Verlag, 2000. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels," RFC 2119, March 1997. [Rogaway] Rogaway, P., "Authenticated encryption with associated data." Proceedings of the 9th ACM Conference on Computer and Communications Security, Nov. 2002. Kohno, Viega, Whiting [Page 17] Internet Draft March 2003 Authors' Addresses: Tadayoshi Kohno Department of Computer Science and Engineering University of California at San Diego 9500 Gilman Drive, MC 0114 La Jolla, CA 92093-0114 Phone: +1 858-822-2977 EMail: tkohno@cs.ucsd.edu John Viega Secure Software, Inc. 6066 Leesburg Pike, Suite 500 Falls Church, VA 22041 Phone: +1 703-998-1512 EMail: viega@securesoftware.com Doug Whiting Hifn EMail: dwhiting@hifn.com Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Kohno, Viega, Whiting [Page 18] Internet Draft March 2003 Appendix A: Reference Code This reference code is not meant to be fast. Instead, it is meant to be reasonably easy to understand, to help clarify the algorithm. See [hash127] and [PolyR] for suggestions on efficient implementations of the underlying hash function. If you wish to use a pre-existing implementation, there are likely to be suitable implementations faster than this one. See a list of known implementations at: http://www.zork.org/cwc This reference code needs a working AES implementation. It requires you to define three macros. We provide implementations of those macros using the AES implementation found in OpenSSL versions 0.9.7 and later. Note that, if using OpenSSL, one should also include the header file . #include /* For htonl() */ /* These typedefs must change when appropriate for the architecture. */ typedef unsigned int uint32; typedef unsigned long long uint64; /* The type alias AES_KS_T must be set to the type of the AES key * schedule you're using. */ typedef AES_KEY AES_KS_T; /* This macro must implement the basic AES key expansion operation for * ECB encryption. The parameters are a key, the bit length of the * key and a pointer to a key schedule to use for output. */ #define CWC_AES_SETUP(key, bitlen, ks) AES_set_encrypt_key(key, bitlen, ks) /* This macro must implement the basic AES block encryption operation. * It takes a pointer to a key schedule, a pointer to an input block * and a pointer to the output block. */ #define CWC_AES_ENCRYPT(ks, in, out) AES_encrypt(in, out, ks) typedef unsigned char uchar; typedef struct { uint32 hashkey[4]; AES_KS_T aeskey; } cwc_t; /* The public API. */ /* Warning: cwc_init zeros out the key before exiting! */ Kohno, Viega, Whiting [Page 19] Internet Draft March 2003 int cwc_init(cwc_t ctx[1], uchar key[], int keybits); void cwc_encrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar pt[], uint32 ptlen, uchar nonce[11], uchar output[]); int cwc_decrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar ct[], uint32 ctlen, uchar nonce[11], uchar output[]); void cwc_cleanup(cwc_t ctx[1]); /* Private prototypes. */ static void cwc_ctr(cwc_t ctx[1], uchar p[], uint32 plen, uchar nonce[11], uchar output[]); static void cwc_mac(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[], uint32 plen, uchar nonce[11], uchar output[16]); static void cwc_hash(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[], uint32 plen, uchar output[16]); static void cwc_memset(volatile void *dst, int c, uint32 len) { volatile char *buf = (volatile char *)dst; while(len--) buf[len] = c; } /* This always takes in a 96-bit input and produces a 128-bit * output. */ static void cwc_str2int(uchar buf[], uint32 res[4]) { res[0] = 0; res[1] = htonl(((uint32 *)buf)[0]); res[2] = htonl(((uint32 *)buf)[1]); res[3] = htonl(((uint32 *)buf)[2]); } static void cwc_mod_add(uint32 a[4], uint32 res[4]) { int i, carry[4] = {0,}; for (i=0;i<4;i++) { res[i] += a[i]; if (res[i] < a[i]) carry[i-1] = 1; } if (res[0] & 0x80000000) { carry[3] = 1; res[0] &= 0x7fffffff; } while (i--) { if (carry[i]) { res[i] += carry[i]; if (res[i] < carry[i]) Kohno, Viega, Whiting [Page 20] Internet Draft March 2003 carry[i-1]++; } } } static void cwc_multiply_128(uint32 a[4], uint32 b[4], uint32 res[8]) { int i, j; uint32 upper, lower, carry[8] = {0,}; uint64 tmp; cwc_memset(res, 0, sizeof(uint32)*8); for (i=0;i<4;i++) { for (j=0;j<4;j++) { tmp = (uint64)(a[i]) * (uint64)(b[j]); upper = tmp >> 32; lower = tmp & 0xffffffff; res[i+j] += upper; if (res[i+j] < upper) carry[i+j-1]++; res[i+j+1] += lower; if (res[i+j+1] < lower) carry[i+j]++; } } i = 8; while (i--) { res[i] += carry[i]; if (carry[i] > res[i]) carry[i-1]++; } } static void cwc_mod_256(uint32 v[8]) { int i; for (i=0;i<4;i++) { v[i] <<= 1; v[i] |= v[i+1] >> 31; } v[4] &= 0x7fffffff; cwc_mod_add(v,v+4); } static void cwc_mod_mul(uint32 a[4], uint32 res[4]) { uint32 b[8] = {0,}; cwc_multiply_128(a, res, b); cwc_mod_256(b); Kohno, Viega, Whiting [Page 21] Internet Draft March 2003 res[0] = b[4]; res[1] = b[5]; res[2] = b[6]; res[3] = b[7]; } /* Warning: This zeros out the key before exiting! */ int cwc_init(cwc_t ctx[1], uchar key[], int keybits) { uchar hashkey[16]; uchar hash_generator[16] = {0xC0, }; /* all zeros after byte 1... */ if (keybits != 128 && keybits != 192 && keybits != 256) return 0; CWC_AES_SETUP(key, keybits, &ctx->aeskey); CWC_AES_ENCRYPT(&ctx->aeskey, hash_generator, hashkey); hashkey[0] &= 0x7F; ctx->hashkey[0] = htonl(((uint32 *)hashkey)[0]); ctx->hashkey[1] = htonl(((uint32 *)hashkey)[1]); ctx->hashkey[2] = htonl(((uint32 *)hashkey)[2]); ctx->hashkey[3] = htonl(((uint32 *)hashkey)[3]); cwc_memset(key, 0, keybits/8); return 1; } void cwc_encrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar pt[], uint32 ptlen, uchar nonce[11], uchar output[]) { cwc_ctr(ctx, pt, ptlen, nonce, output); cwc_mac(ctx, a, alen, output, ptlen, nonce, output+ptlen); } int cwc_decrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar ct[], uint32 ctlen, uchar nonce[11], uchar output[]) { uchar checktag[16]; int i; if (ctlen < 16) return 0; cwc_mac(ctx, a, alen, ct, ctlen-16, nonce, checktag); for (i=1;i<=16;i++) if (ct[ctlen-i] != checktag[16-i]) return 0; cwc_ctr(ctx, ct, ctlen-16, nonce, output); return 1; } void cwc_cleanup(cwc_t *ctx) { cwc_memset((void *)ctx, 0, sizeof(cwc_t)); } static void cwc_ctr(cwc_t ctx[1], uchar p[], uint32 plen, uchar Kohno, Viega, Whiting [Page 22] Internet Draft March 2003 nonce[11], uchar output[]) { uchar last[16], ctrblk[16] = {0x80,}; uint32 i, l = plen/16; memcpy(ctrblk+1, nonce, 11); ctrblk[15] = 0x01; for (i=0;iaeskey, ctrblk, output); ((uint32 *)output)[0] ^= ((uint32 *)p)[0]; ((uint32 *)output)[1] ^= ((uint32 *)p)[1]; ((uint32 *)output)[2] ^= ((uint32 *)p)[2]; ((uint32 *)output)[3] ^= ((uint32 *)p)[3]; output += 16; p += 16; /* On a big endian box we could simply do one 32 bit increment. */ if (!++ctrblk[15]) if (!++ctrblk[14]) if (!++ctrblk[13]) ++ctrblk[12]; } l = plen%16; if (l) { CWC_AES_ENCRYPT(&ctx->aeskey, ctrblk, last); for (i=0;iaeskey, hashvalue, encrhash); memcpy(ctrblk+1, nonce, 11); CWC_AES_ENCRYPT(&ctx->aeskey, ctrblk, output); for (i=0;i<16;i++) output[i] ^= encrhash[i]; } static void cwc_hash(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[], uint32 plen, uchar out[16]) { uint32 i, lo; uint32 t[4], res[4] = {0,}; uchar padblock[12]; Kohno, Viega, Whiting [Page 23] Internet Draft March 2003 for (i=0;ihashkey, res); } lo = alen%12; if (lo) { a = a+i*12; for (i=0;ihashkey, res); } for (i=0;ihashkey, res); } lo = plen%12; if (lo) { p = p+i*12; for (i=0;ihashkey, res); } t[0] = t[2] = 0; t[1] = alen; t[3] = plen; cwc_mod_add(t, res); for (i=0;i<4;i++) ((uint32 *)out)[i] = htonl(res[i]); } Kohno, Viega, Whiting [Page 24]