Crypto Forum Research Group T. Kohno Internet-Draft UC San Diego Expires: November 20, 2003 J. Viega Secure Software D. Whiting Hifn May 20, 2003 The CWC-AES Dual-Use Mode draft-irtf-cfrg-cwc-01.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on November 20, 2003. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract The CWC dual-use mode is a fast, parallelizable, provably secure and patent-free mode of operation for providing both encryption and message integrity. In this document we specify CWC for the AES block cipher, though its principles can easily be applied to other block ciphers. Kohno, Viega, Whiting [Page 1] Internet Draft May 2003 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1 Conventions Used in This Document . . . . . . . . . . . . . . 3 2. CWC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1 Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 The CWC-ENCRYPT operation . . . . . . . . . . . . . . . . . . 4 2.3 The CWC-DECRYPT operation . . . . . . . . . . . . . . . . . . 5 2.4 The CWC-CTR operation . . . . . . . . . . . . . . . . . . . . 5 2.5 The CWC-MAC operation . . . . . . . . . . . . . . . . . . . . 6 2.6 The CWC-HASH operation . . . . . . . . . . . . . . . . . . . . 6 2.7 The CWC-HPAD operation . . . . . . . . . . . . . . . . . . . . 7 3. Implementation Notes . . . . . . . . . . . . . . . . . . . . . 7 4. Hardware Performance . . . . . . . . . . . . . . . . . . . . . 8 5. Software Performance . . . . . . . . . . . . . . . . . . . . . 9 6. Intellectual Property Statements . . . . . . . . . . . . . . . 10 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 7.1 Rekeying recommendations . . . . . . . . . . . . . . . . . . . 10 7.2 Weak Hash Keys . . . . . . . . . . . . . . . . . . . . . . . . 11 8. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 11 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 Normative References . . . . . . . . . . . . . . . . . . . . . 17 Informative References . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 18 Appendix A: Reference Code . . . . . . . . . . . . . . . . . . 18 Full Copyright Statement . . . . . . . . . . . . . . . . . . . 24 1. Introduction The Carter-Wegman + Counter dual-use mode (CWC mode) is a mode of operation for providing both encryption and message integrity. This mode is parallelizable, fast in both software and hardware (where it can achieve speeds of 10 Gigabits per second), unencumbered by patents and provably secure to a good bound under the assumption that the underlying block cipher is a pseudo-random permutation. To the best of our knowledge, CWC is currently the only such mode of operation that simultaneously has all of these properties. This construct has the following benefits: * CWC is fast in both software and hardware. In hardware it can process 10Gbits/second using conventional ASIC technology, making it an attractive choice for future 10Gbit/second links. * CWC is parallelizable to an arbitrary degree, while maintaining complete interoperability. * CWC is a simple combination of well-known techniques, under a Kohno, Viega, Whiting [Page 2] Internet Draft May 2003 well-understood model of combining those techniques. It is basically the "generic composition" approach, except with a single block cipher key. * CWC has provable security to very good bounds under standard assumptions. For provable security, we use the AEAD notions from [Rogaway]. * CWC only requires AES encryption. For example, hardware implementations only need to implement an encryption module. CWC does, however, require a multiplication unit. * CWC can reject bogus messages without decrypting the ciphertext. * CWC has minimal expansion (each ciphertext is as long as the plaintext, with the addition of a message authenticator). * CWC is unencumbered by patents to the best of our knowledge. * CWC can authenticate both encrypted messages and associated plaintext data such as headers. CWC still authenticates properly if a message contains no plaintext headers, and if it contains no ciphertext. * CWC can be implemented using only a modest amount of memory. * CWC is designed to promote interoperability. That is, there is a minimal set of parameters. 1.1. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. CWC CWC is a generic mode of operation for block ciphers, and is described in [CWC]. Here, we specify a binding of CWC mode for AES [AES]. In this section, we will take a top-down approach. First, we will specify the CWC encryption and decryption operations in terms of high-level functions, and then we will specify each of the functions we use in detail. In this document, we will use || to represent string concatenation, "" to denote the empty string and AES_K(M) to indicate applying AES Kohno, Viega, Whiting [Page 3] Internet Draft May 2003 to a 128-bit message M, using key K. The underscore (_) indicates subscripts. Array indices all begin at 0. The function LEN(x) returns the length of the input string in octets. Note that the generic CWC mode allows arbitrary bit-length messages in a way that is compatible with the specification in this document. Additionally, the notation X[Y:Z] indicates a substring of octet string X consisting of the consecutive octets of X from index Y to Z-1. For example, evaluating X[0:3] where X is the octet string "ABCDEFG" would yield "ABC". The function CEILING(X) returns the smallest integer greater than or equal to its argument. 2.1. Parameters CWC takes two parameters: Y, the AES key length to use in octets (16, 24 or 32). Z, the size of the message authentication tag. That is, Z determines how many octets are added at the end of the message for purposes of modification detection. Implementations MUST support a value of 16 for Z. Implementations MAY support other values, which MUST be between 4 and 16, inclusive. When parties are communicating with CWC mode, they SHOULD agree on parameters authentically. Instantiations of CWC for AES SHOULD be referred to as CWC-AES, with an indication of the key size in bits and the tag size in bits. The tag size MAY be omitted if it is 128 bits. In the case where both the key and the tag are 128 bits, both may be omitted. For example, CWC-AES-256 and CWC-AES-256-128 both refer to AES in CWC mode, with 256-bit AES keys and a 128-bit tag. 2.2. The CWC-ENCRYPT operation CWC-ENCRYPT takes the following inputs: K, a key that is Y octets in length. A, a string of arbitrary length consisting of data to be authenticated, but not encrypted. The length of A SHOULD NOT exceed 2^36-16 octets. M, a string of arbitrary length consisting of the plaintext message. This message will be both encrypted and authenticated. The length of M SHOULD NOT exceed 2^36-16 Kohno, Viega, Whiting [Page 4] Internet Draft May 2003 octets. N, a nonce, 11 octets in length. Each value of N SHOULD NOT be used more than once for any given key K, as reusing values of N can lead to critical security failures. The layout of the nonce is unspecified, but we recommend using part of the nonce for a salt of at least 4 octets that is randomly chosen at key setup time and using the rest for a message counter. Please see [CWC] for discussions on why the nonce is 11 octets long and why A and M are limited to 2^36-16 octets (or 2^32-1 blocks). CWC-ENCRYPT is computed as follows: 1) C = CWC-CTR(K, N, M) 2) T = CWC-MAC(K, A, N, C) 3) OUTPUT = C || T 2.3. The CWC-DECRYPT operation CWC-DECRYPT takes the following inputs: K, a key that is Y octets in length. A, a string of arbitrary length up to 2^36-16 octets, consisting of data to be authenticated. C, a string of arbitrary length up to 2^36-16+Z octets, consisting of ciphertext to be decrypted and authenticated. N, a nonce of 11 octets in length, corresponding to the nonce for encryption. If either A or C is longer than specified above, authentication will fail, as no messages may be that long. CWC-DECRYPT is computed as follows: 1) IF LEN(C) < Z THEN FAIL 2) C' = C[0 : LEN(C)-Z] 3) T' = C[LEN(C)-Z : LEN(C)] 4) T = CWC-MAC(K, A, N, C') 6) IF T <> T' THEN FAIL 7) OUTPUT = CWC-CTR(K, N, C') 2.4. The CWC-CTR operation This use of counter mode uses a layout for plaintexts that is Kohno, Viega, Whiting [Page 5] Internet Draft May 2003 compatible with the draft specification of Integer Counter Mode presented in [ICM]. The first two bits of the block being encrypted are used to distinguish the different types of AES encryption. In the context of the counter mode encryption, the first bit will always be 1, and the second will always be 0. The next 6 bits are reserved, and must always be zero. The next 11 octets consist of the nonce, and the final 4 octets encode a counter in big endian format that indicates which block of keystream is being produced by the current AES operation. Here's a visual representation of the octets in the counter plaintext blocks: 0 1 2 3 4 5 6 7 +-------+-------+-------+-------+-------+-------+-------+-------+ | 0x80 | Nonce +-------+-------+-------+-------+-------+-------+-------+-------+ Nonce (continued) | Counter | +-------+-------+-------+-------+-------+-------+-------+-------+ 8 9 10 11 12 13 14 15 CWC-CTR(K, N, M): 1) J = CEILING(LEN(M)/16) 2) S = "" 3) FOR I in 1 TO J: S = S || AES_K(0x80 || N || I) 4) OUTPUT = S[0:LEN(M)] XOR M Note that, in step 3, the number I is represented as a string in big endian format, and MUST be exactly 4 octets in length. 2.5. The CWC-MAC operation The CWC-MAC operation takes the results of CWC-HASH and then performs two post-processing AES operations. The first operation directly encrypts the hash result. Note that, in a correct implementation, the first bit of that plaintext will always be zero. The second AES operation is identical to the operation in 2.4., with the counter value set to 0. CWC-MAC(K, A, N, C): 1) R = AES_K(CWC-HASH(K, A, C)) 2) OUTPUT = (AES_K(0x80||N||0x00000000) XOR R)[0:Z] 2.6. The CWC-HASH operation Kohno, Viega, Whiting [Page 6] Internet Draft May 2003 This hash function is essentially a traditional Carter-Wegman polynomial hash, with a field of GF(2^127-1). At a high level, CWC- HASH breaks its input messages into 96-bit blocks, interprets those blocks as 96-bit integer coefficients to a polynomial, and then evaluates that polynomial, modulo 2^127-1, at a secret point Z. The output is encoded as a 16-octet string, the most significant bit of which is always 0. For simplicity, we describe the computation of this polynomial using Horner's rule, although other implementation strategies are possible (see Section 3). Using Horner's rule, for each 12 octets of the message (where those octets are treated like a number in big endian notation), we add the message block to the ongoing result, modulo 2^127-1. We then multiply by the hash key (itself treated as a number), again modulo 2^127-1. The output is the ongoing result, represented as a 16-octet big endian value. CWC-HASH(K, A, C): 1) Z = AES_K(0xC0000000000000000000000000000000) & 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2) X = CWC-HPAD(A) || CWC-HPAD(C) 3) B = LEN(X) / 12 4) OUTPUT = 0 5) FOR I FROM 0 TO B-1: a) OUTPUT = OUTPUT + X[12*I : 12*I+12] MOD 2^127-1 b) OUTPUT = OUTPUT * Z MOD 2^127-1 6) OUTPUT = OUTPUT + (LEN(C) + 2^64*LEN(A)) MOD 2^127-1 Note that many implementations will want to compute Z at key setup time. Other implementations, where managing extra key material is expensive, will likely recompute Z upon every invocation. 2.7. The CWC-HPAD operation The input to the hash function needs to be a multiple of 96 bits. CWC-HPAD(STR): 1) OUTPUT = STR 2) WHILE LEN(OUTPUT) MOD 12: OUTPUT = OUTPUT + 0x00 3. Implementation Notes This mode consists of counter mode encryption, and a MAC computed over the ciphertext. Parallelization of the counter mode encryption Kohno, Viega, Whiting [Page 7] Internet Draft May 2003 is straightforward, and the keystream can be precomputed once the nonce is known. The hash key can be computed at key setup time. One of the two AES operations for the MAC can be precomputed once the nonce is known. There are a number of different ways an implementation could evaluate the CWC-HASH polynomial. For example, the current description of CWC-HASH shows how to evaluate the polynomial using Horner's rule. For example, an implementation following the current CWC-HASH description would evaluate the polynomial a*K^5 + b*K^4 + c*K^3 + +d*K^2 + e*K + LEN(A)*2^64 + LEN(C) as follows: (((((a)K + b)K + c)K + d)K + e)K + LEN(A)*2^64 + LEN(C) Doing so saves numerous multiplications compared to the naive approach for evaluating the original polynomial. On some architectures it may be more efficient (but more memory intensive) to precompute powers of the key, and then evaluate the polynomial directly. See [CWC] for details on this strategy. Additionally, the CWC-hash computation is arbitrarily parallelizable. For example, one might consider interleaving subsequent message blocks to different processing units. For example, given the above polynomial, we could instead use the following two (factored) polynomials in K^2: 1) ((a*K^2 + c)K^2 + e)K 2) ((b*K^2 + d)K^2 + LEN(A)*2^64+LEN(C) After we plug a message into each of the two polynomials and evaluate them, adding the two results together will give the same result as evaluating the original polynomial serially. Another thing to note is that many instruction sets have issues with multiply speed that may suggest alternate implementations. For example, the relative speed of a 32-bit integer multiply on Intel x86 hardware (in terms of the number of cycles that it takes to run) is worse on Pentium 4s than it is on Pentium IIIs, which are worse than Pentium II's. On Pentium 4s, it is more desirable to use either the floating-point or XMM multiply operation instead of the integer multiply, because it takes fewer cycles to run, can multiply two numbers at once, and does not always introduce pipeline stalls. 4. Hardware Performance A driving motivation for this work was to construct a patent-free dual-use mode capable of processing 10Gbits/second using conventional Kohno, Viega, Whiting [Page 8] Internet Draft May 2003 ASIC technology. Such a patent-free dual-use mode is need for the upcoming 10Gbit/second links. Because CWC is parallelizable (as discussed above), it can achieve 10Gbits/second in conventional hardware. 5. Software Performance Software performance of the counter mode encryption is directly related to the speed of AES encryption. The additional per-block overhead (counter maintenance, XOR and memory operations) should never add more overhead than a cycle per octet. Experience shows that on popular platforms, two tenths of a cycle per octet can be achieved. Furthermore, performance can be improved since part of the first and second AES rounds can be re-used between block cipher invocations (since a counter increment will typically effect the input to only one S-box in the first round and a few S-boxes in the second round). Performance of the hash function is highly dependent on the implementation strategy. The reference implementation provided in this document runs a bit faster per octet than the OpenSSL version of AES on a Pentium III. Using floating point operations, the CWC hash function can run about as fast as the fastest PIII-based AES implementation (which runs at better than half the cycles per byte of the OpenSSL version). Precomputing key material provides even more speed for CWC. See [CWC] for a more detailed discussion of performance. Note that the hash function is similar to Bernstein's hash127. The major difference is that CWC-HASH operates on unsigned 96-bit coefficients instead of signed 32-bit coefficients. The larger coefficients result in a couple of cycles lost per byte, but otherwise the CWC hash can have similar performance characteristics, if implemented in the same manner. On Pentium 4 hardware, hash127 can run below 5 cycles per octet, and we expect that CWC can run no worse than twice the speed. In contrast, the best AES implementation is a commercial one that is generally three to four times slower than hash127, when doing measurements per octet. The hash runs at approximately constant speed, in practice, unlike traditional cryptographic hash functions such as MD5, which tend to have high startup costs, making them far more expensive for short messages than long ones. On all recent Intel architectures, the integer unit and the floating point unit are largely independent. One should be able to speed up CWC by computing the hash in the floating point registers, and Kohno, Viega, Whiting [Page 9] Internet Draft May 2003 performing encryption in the integer registers. 6. Intellectual Property Statements The authors hereby explicitly release any intellectual property rights to CWC mode into the public domain. Further, the authors are not aware of any patent or patent application anywhere in the world that cover this encryption mode. This mode is a simple combination of two techniques that have been in the literature for over 20 years (a polynomial universal hash and counter mode). 7. Security Considerations The primary concern with CWC mode is that a K,N pair MUST NOT be reused, otherwise the security properties of the mode are lost. To help prevent such disasters, we recommend that software APIs implementing CWC-AES have a high-level API to prevent this kind of problem. In protocols where new symmetric keys are randomly chosen for each connection, such as TLS, this is not much of an issue, as long as the message number is involved in nonce selection. However, it can be a problem when using fixed shared secrets in an all-symmetric system. In such a case, you may have an abstract data type representing a key, which contains a data field that notes how many times the key has been used to key a cipher. Given such a base key, an API might derive the actual CWC key for CWC-AES-128 by encrypting the count with the given key. A high-level API has other advantages, as well. For example, such an API could perform automatic nonce management, particularly providing defense against capture-replay attacks. There is a proof showing that CWC is secure to very good bounds, assuming that the underlying block cipher acts as a pseudo-random permutation. Modern block ciphers, including AES, are believed to be pseudo-random. In our proofs, we use the authenticated encryption with associated data (AEAD) privacy and integrity notions defined in [Rogaway]. See [CWC] for details. 7.1. Rekeying recommendations Developers should understand the provable security results in [CWC] and rekey appropriately. For example, assuming no attacks directly against AES, to limit the advantage of a privacy or authenticity adversary (under the definitions in [Rogaway] and [CWC]) to around 1/2^30, implementations should re-key after 2^47 packets or 2^51 encrypted octets, whichever comes first. Or, to limit the advantage Kohno, Viega, Whiting [Page 10] Internet Draft May 2003 of an adversary to approximately 1/2^60, implementations should re- key after encrypting 2^32 packets or 2^36 octets, whichever comes first. 7.2. Weak Hash Keys The all-bits-zero hash key and the all-bits-one hash key are both weak in the sense that the output of the hash function will depend only on the lengths, and not the contents, of the inputs A and M. The odds of selecting one of these two keys are so small that this is not a problem to worry about. In fact, the presence of these two keys is considered in the proof of security of the hash function. Therefore, to avoid unnecessary implementation complexities and potential (albeit incredibly unlikely) interoperability issues, implementations MUST NOT detect this condition. 8. Test Vectors Vector #1: CWC-AES-128 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 2B 9E AE BE 67 3F AE 03 6B 16 EA 31 DC A7 AE 6B AES(HVAL): FC DC 06 4C CD CA FE E3 DE 7A A3 CF 5C 5D B9 7B MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 57 55 DB A5 09 9F 3F 1D 60 04 44 97 DE 89 33 A9 Vector #2: CWC-AES-192 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 40 E6 24 83 4B 27 9A 7B 15 42 C7 FE 29 EB 29 A3 AES(HVAL): 69 CC 0E 3D 96 98 EB 75 1F 06 A5 90 9B C2 4F 5A MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 AF 7A FA 0E 6F 8A D2 3A 75 8A 1C 43 69 B9 43 28 Vector #3: CWC-AES-256 Kohno, Viega, Whiting [Page 11] Internet Draft May 2003 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 HASH VALUE: 18 99 E1 A6 1E 6E 37 65 C6 3A 41 99 56 8C D1 BF AES(HVAL): 1C 56 65 0A 22 BC B5 94 AC F3 CA 24 46 03 B8 5E MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 8E 5C 5E 4C A0 99 A3 65 F6 50 D1 8A CB E8 CA FE Vector #4: CWC-AES-128 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 2E A9 2A A5 28 B1 1C 08 1C C8 2F 24 9B E4 19 8D AES(HVAL): EA 54 F8 3D 56 7F 53 05 88 B1 EA 96 36 79 CD AC MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 41 DD 25 D4 92 2A 92 FB 36 CF 0D CE B4 AD 47 7E Vector #5: CWC-AES-192 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 60 3F FC 24 71 64 2E D9 57 E1 B1 EA F2 F8 B0 34 AES(HVAL): D8 39 86 2A 33 5A 54 68 C8 16 DA 47 69 A2 10 EB MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 1E 8F 72 19 CA 48 6D 27 A2 9A 63 94 9B D9 1C 99 Vector #6: CWC-AES-256 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 Kohno, Viega, Whiting [Page 12] Internet Draft May 2003 PLAINTEXT: 00 01 02 03 04 05 06 07 ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 HASH VALUE: 0A C6 B1 39 57 7F 26 DA 94 16 42 E1 6D 73 EC B5 AES(HVAL): 4B A5 AD 1E 74 A2 C5 BE AB D0 DA 4D F4 29 83 0C MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B D9 AF 96 58 F6 87 D3 4F F1 73 C1 E3 79 C2 F1 AC Vector #7: CWC-AES-128 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 79 00 74 72 E1 C8 36 96 ED 7A B1 F9 03 6E 94 8B AES(HVAL): 2B 0F 24 69 B1 2B BE 39 C9 40 67 BA F1 25 E2 5B MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 80 86 F9 80 75 7E 7F C7 77 3E 80 E2 73 F1 68 89 Vector #8: CWC-AES-192 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 2C 5E 3A A4 37 1C 27 D6 E8 6B 76 DC 3D 93 BC 87 AES(HVAL): 48 6E 9C E5 C3 16 3E A6 9C D4 D7 E2 7C 9D 92 D2 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 8E D8 68 D6 3A 04 07 E9 F6 58 6E 31 8E E6 9E A0 Vector #9: CWC-AES-256 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 Kohno, Viega, Whiting [Page 13] Internet Draft May 2003 -------------------------------------------------------------- HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 HASH VALUE: 4A 70 29 CC 58 25 52 CB 75 AD C9 60 FF B3 F7 55 AES(HVAL): 2B 64 0E 02 CE 51 DE 22 B2 0F 2A 8D C4 23 CD C0 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B9 6E 35 44 4C 74 C8 D3 E8 AC 31 23 49 C8 BF 60 Vector #10: CWC-AES-128 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 51 AE 9D 7E 86 BD E0 B2 AA 18 2C 91 87 0A 9C A5 AES(HVAL): DF 48 30 BD 1D DC E0 59 B1 C2 0B 29 01 4F 80 10 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 74 C1 ED 54 D9 89 21 A7 0F BC EC 71 83 9B 0A C2 Vector #11: CWC-AES-192 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 51 60 E7 81 DC 64 F9 CD 54 BA 02 40 A2 E8 EE 99 AES(HVAL): A0 30 58 13 22 B6 80 53 64 B0 3E 52 41 D2 2D 0A MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 66 86 AC 20 DB A4 B9 1C 0E 3C 87 81 B3 A9 21 78 Vector #12: CWC-AES-256 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- Kohno, Viega, Whiting [Page 14] Internet Draft May 2003 HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 HASH VALUE: 3F F5 0C 60 E6 01 7A 3C A1 BB B3 54 65 02 85 7C AES(HVAL): 3E EF A2 E4 97 91 82 86 73 0C F6 E9 46 2C CA 15 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 AC E5 99 A2 15 B4 94 77 29 AF ED 47 CB C7 B8 B5 Vector #13: CWC-AES-128 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 58 D5 28 89 4F 1F 6A 52 A6 44 FA 69 65 C0 73 A6 AES(HVAL): A3 9E F3 6F 67 1F FA F8 71 0C 83 BB 49 A6 6E BC MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 0F 48 5B 82 64 6E CF B9 F9 A0 B0 75 4F D5 94 36 5A 08 17 2E 86 A3 4A 3B 06 CF 72 64 E3 CB 72 E4 6E Vector #14: CWC-AES-192 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 0D 0A D2 78 1E 8F E8 47 00 85 31 28 B1 E3 49 3A AES(HVAL): 5A 05 AA 45 88 06 A9 C1 DC 5A F6 AF 6F 8F EC F6 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 A3 A4 C4 70 6D 40 41 F4 F9 58 E1 3F D0 D7 60 4D 1E 9C B3 5E 76 71 14 90 8E B6 D6 4F 7C 9D F4 E0 84 Vector #15: CWC-AES-256 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: NONCE: FF EE DD CC BB AA 99 88 77 66 55 Kohno, Viega, Whiting [Page 15] Internet Draft May 2003 -------------------------------------------------------------- HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 HASH VALUE: 02 F2 DA E9 83 72 0E BC DC 77 89 3B 67 CB 3D B7 AES(HVAL): B7 F6 AE DE A3 95 35 FE 03 93 08 DF E0 C7 F1 78 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B5 D2 41 06 CA 5D EB 80 A7 B5 71 0A 38 A4 39 8D BA 25 FC 95 98 21 B0 23 0F 59 30 13 71 6D 2C 83 D8 Vector #16: CWC-AES-128 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 34 AE 6A 6F E9 51 78 94 AC CC BB 9E BA E7 20 8C HASH VALUE: 05 EE B6 CB DF A6 E5 B8 4C 65 DD F4 8C C8 25 23 AES(HVAL): 62 E5 23 FE 48 8F BC 14 E3 77 15 6C 4D 0F D0 8B MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): AB 89 DD E9 C4 55 C1 FE BE 7E E7 58 82 D4 8A D2 CIPHERTEXT: 88 B8 DF 06 28 FD 51 CC 31 E6 6E 57 0B 0F 77 0F 48 5B 82 64 6E CF B9 F9 A0 B0 75 4F D5 94 36 5A C9 6C FE 17 8C DA 7D EA 5D 09 F2 34 CF DB 5A 59 Vector #17: CWC-AES-192 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 4F A8 88 AF 06 83 60 0C AB 35 75 EF 0A E6 01 A5 HASH VALUE: 10 E1 48 E2 D0 68 39 EC C4 0A 6C A3 D6 8B 47 54 AES(HVAL): 23 0A 37 C3 48 7C 9F 76 05 B9 5D 1A 21 D5 D5 FD MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): C6 B6 F4 33 F9 12 39 4F 6A 8C B9 D3 F2 7B 0C 72 CIPHERTEXT: F0 DB A9 74 12 30 01 B0 E1 42 B7 58 87 C9 00 A3 A4 C4 70 6D 40 41 F4 F9 58 E1 3F D0 D7 60 4D 1E E5 BC C3 F0 B1 6E A6 39 6F 35 E4 C9 D3 AE D9 8F Vector #18: CWC-AES-256 AES KEY: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F F0 E0 D0 C0 B0 A0 90 80 70 60 50 40 30 20 10 00 Kohno, Viega, Whiting [Page 16] Internet Draft May 2003 PLAINTEXT: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F ASSOC DATA: 54 68 69 73 20 69 73 20 61 20 70 6C 61 69 6E 74 65 78 74 20 68 65 61 64 65 72 2E 00 NONCE: FF EE DD CC BB AA 99 88 77 66 55 -------------------------------------------------------------- HASH KEY: 35 8F 2B 0C FF E9 84 BE F9 EE EE 55 85 36 BC E5 HASH VALUE: 09 4D C5 21 94 79 E0 58 4E E9 C1 2C 29 6A E3 A4 AES(HVAL): E9 69 49 47 09 07 62 3B A9 8D AD 51 9F D5 D1 F7 MAC CTR PT: 80 FF EE DD CC BB AA 99 88 77 66 55 00 00 00 00 AES(MCPT): 92 0A 3B 46 82 25 16 F1 5A A3 1B AE 8D EB 72 A0 CIPHERTEXT: 7B CF 73 BE 46 9C 46 0B 9B C6 2D DE 26 DD 47 B5 D2 41 06 CA 5D EB 80 A7 B5 71 0A 38 A4 39 8D BA 7B 63 72 01 8B 22 74 CA F3 2E B6 FF 12 3E A3 57 9. Acknowledgements We would like to thank Peter Gutmann, David McGrew, and David Wagner for their comments on this document. Additionally, we would like to thank Brian Gladman for helping to validate our test vectors and for providing us timing information for an optimized CWC implementation. Tadayoshi Kohno was supported by a National Defense Science and Engineering Fellowship. Normative References [AES] Federal Information Processing Standards Publication 197. "Specification for the Advanced Encryption Standard". November 2001. [CWC] Kohno, T., Viega, J. and Whiting, D. "The CWC authenticated encryption (associated data) mode". IACR ePrint Archive. May 2003. Informative References [hash127] Bernstein, D.J. "Floating-point arithmetic and message authentication". http://cr.yp.to/hash127.html [ICM] McGrew, D. "Integer Counter Mode", Internet Draft, October, 2003. Internet-Draft, work in progress. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels," RFC 2119, March 1997. [Rogaway] Rogaway, P., "Authenticated encryption with Kohno, Viega, Whiting [Page 17] Internet Draft May 2003 associated data." Proceedings of the 9th ACM Conference on Computer and Communications Security, November 2002. Authors' Addresses: Tadayoshi Kohno Department of Computer Science and Engineering University of California at San Diego 9500 Gilman Drive, MC 0114 La Jolla, CA 92093-0114 Phone: +1 858-822-2977 EMail: tkohno@cs.ucsd.edu John Viega Secure Software, Inc. 6066 Leesburg Pike, Suite 500 Falls Church, VA 22041 Phone: +1 703-998-1512 EMail: viega@securesoftware.com Doug Whiting Hifn 5973 Avenida Encinas, Suite 110 Carlsbad, CA 92009 EMail: dwhiting@hifn.com Appendix A: Reference Code This reference code is not meant to be fast. Instead, it is meant to be reasonably easy to understand, to help clarify the algorithm. See [CWC] and [hash127] for suggestions on efficient implementations of the underlying hash function. If you wish to use a pre-existing implementation, there are likely to be suitable implementations faster than this one. See a list of known implementations at: http://www.zork.org/cwc This reference code needs a working AES implementation. It requires you to define three macros. We provide implementations of those macros using the AES implementation found in OpenSSL versions 0.9.7 and later. Note that, if using OpenSSL, one should also include the header file . #include /* For htonl() */ /* Typedefs must change when appropriate for the architecture. */ typedef unsigned int uint32; Kohno, Viega, Whiting [Page 18] Internet Draft May 2003 typedef unsigned long long uint64; /* The type alias AES_KS_T must be set to the type of the AES key * schedule you're using. */ typedef AES_KEY AES_KS_T; /* This macro must implement the basic AES key expansion operation * for ECB encryption. The parameters are a key, the bit length of * the key and a pointer to a key schedule to use for output. */ #define CWC_AES_SETUP(key, bitlen, ks) \ AES_set_encrypt_key(key, bitlen, ks) /* This macro must implement the basic AES block encryption * operation. It takes a pointer to a key schedule, a pointer to an * input block and a pointer to the output block. */ #define CWC_AES_ENCRYPT(ks, in, out) AES_encrypt(in, out, ks) typedef unsigned char uchar; typedef struct { uint32 hashkey[4]; AES_KS_T aeskey; } cwc_t; /* The public API. */ /* Warning: cwc_init zeros out the key before exiting! */ int cwc_init(cwc_t ctx[1], uchar key[], int keybits); void cwc_encrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar pt[], uint32 ptlen, uchar nonce[11], uchar output[]); int cwc_decrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar ct[], uint32 ctlen, uchar nonce[11], uchar output[]); void cwc_cleanup(cwc_t ctx[1]); /* Private prototypes. */ static void cwc_ctr(cwc_t ctx[1], uchar p[], uint32 plen, uchar nonce[11], uchar output[]); static void cwc_mac(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[], uint32 plen, uchar nonce[11], uchar output[16]); static void cwc_hash(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[], uint32 plen, uchar output[16]); static void cwc_memset(volatile void *dst, int c, uint32 len) { volatile char *buf = (volatile char *)dst; while(len--) buf[len] = c; } Kohno, Viega, Whiting [Page 19] Internet Draft May 2003 /* This always takes in a 96-bit input and produces a 128-bit * output. */ static void cwc_str2int(uchar buf[], uint32 res[4]) { res[0] = 0; res[1] = htonl(((uint32 *)buf)[0]); res[2] = htonl(((uint32 *)buf)[1]); res[3] = htonl(((uint32 *)buf)[2]); } static void cwc_mod_add(uint32 a[4], uint32 res[4]) { int i, carry[4] = {0,}; for (i=0;i<4;i++) { res[i] += a[i]; if (res[i] < a[i]) carry[i-1] = 1; } if (res[0] & 0x80000000) { carry[3] = 1; res[0] &= 0x7fffffff; } while (i--) { if (carry[i]) { res[i] += carry[i]; if (res[i] < carry[i]) carry[i-1]++; } } } static void cwc_multiply_128(uint32 a[4], uint32 b[4], uint32 res[8]) { int i, j; uint32 upper, lower, carry[8] = {0,}; uint64 tmp; cwc_memset(res, 0, sizeof(uint32)*8); for (i=0;i<4;i++) { for (j=0;j<4;j++) { tmp = (uint64)(a[i]) * (uint64)(b[j]); upper = tmp >> 32; lower = tmp & 0xffffffff; res[i+j] += upper; if (res[i+j] < upper) carry[i+j-1]++; res[i+j+1] += lower; if (res[i+j+1] < lower) Kohno, Viega, Whiting [Page 20] Internet Draft May 2003 carry[i+j]++; } } i = 8; while (i--) { res[i] += carry[i]; if (carry[i] > res[i]) carry[i-1]++; } } static void cwc_mod_256(uint32 v[8]) { int i; for (i=0;i<4;i++) { v[i] <<= 1; v[i] |= v[i+1] >> 31; } v[4] &= 0x7fffffff; cwc_mod_add(v,v+4); } static void cwc_mod_mul(uint32 a[4], uint32 res[4]) { uint32 b[8] = {0,}; cwc_multiply_128(a, res, b); cwc_mod_256(b); res[0] = b[4]; res[1] = b[5]; res[2] = b[6]; res[3] = b[7]; } /* Warning: This zeros out the key before exiting! */ int cwc_init(cwc_t ctx[1], uchar key[], int keybits) { uchar hashkey[16]; uchar hash_generator[16] = {0xC0, }; /* all 0s after byte 1.. */ if (keybits != 128 && keybits != 192 && keybits != 256) return 0; CWC_AES_SETUP(key, keybits, &ctx->aeskey); CWC_AES_ENCRYPT(&ctx->aeskey, hash_generator, hashkey); hashkey[0] &= 0x7F; ctx->hashkey[0] = htonl(((uint32 *)hashkey)[0]); ctx->hashkey[1] = htonl(((uint32 *)hashkey)[1]); ctx->hashkey[2] = htonl(((uint32 *)hashkey)[2]); ctx->hashkey[3] = htonl(((uint32 *)hashkey)[3]); cwc_memset(key, 0, keybits/8); return 1; } Kohno, Viega, Whiting [Page 21] Internet Draft May 2003 void cwc_encrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar pt[], uint32 ptlen, uchar nonce[11], uchar output[]) { cwc_ctr(ctx, pt, ptlen, nonce, output); cwc_mac(ctx, a, alen, output, ptlen, nonce, output+ptlen); } int cwc_decrypt(cwc_t ctx[1], uchar a[], uint32 alen, uchar ct[], uint32 ctlen, uchar nonce[11], uchar output[]) { uchar checktag[16]; int i; if (ctlen < 16) return 0; cwc_mac(ctx, a, alen, ct, ctlen-16, nonce, checktag); for (i=1;i<=16;i++) if (ct[ctlen-i] != checktag[16-i]) return 0; cwc_ctr(ctx, ct, ctlen-16, nonce, output); return 1; } void cwc_cleanup(cwc_t *ctx) { cwc_memset((void *)ctx, 0, sizeof(cwc_t)); } static void cwc_ctr(cwc_t ctx[1], uchar p[], uint32 plen, uchar nonce[11], uchar output[]) { uchar last[16], ctrblk[16] = {0x80,}; uint32 i, l = plen/16; memcpy(ctrblk+1, nonce, 11); ctrblk[15] = 0x01; for (i=0;iaeskey, ctrblk, output); ((uint32 *)output)[0] ^= ((uint32 *)p)[0]; ((uint32 *)output)[1] ^= ((uint32 *)p)[1]; ((uint32 *)output)[2] ^= ((uint32 *)p)[2]; ((uint32 *)output)[3] ^= ((uint32 *)p)[3]; output += 16; p += 16; /* On a big endian box we could do one 32 bit increment. */ if (!++ctrblk[15]) if (!++ctrblk[14]) if (!++ctrblk[13]) ++ctrblk[12]; } l = plen%16; Kohno, Viega, Whiting [Page 22] Internet Draft May 2003 if (l) { CWC_AES_ENCRYPT(&ctx->aeskey, ctrblk, last); for (i=0;iaeskey, hashvalue, encrhash); memcpy(ctrblk+1, nonce, 11); CWC_AES_ENCRYPT(&ctx->aeskey, ctrblk, output); for (i=0;i<16;i++) output[i] ^= encrhash[i]; } static void cwc_hash(cwc_t ctx[1], uchar a[], uint32 alen, uchar p[], uint32 plen, uchar out[16]) { uint32 i, lo; uint32 t[4], res[4] = {0,}; uchar padblock[12]; for (i=0;ihashkey, res); } lo = alen%12; if (lo) { a = a+i*12; for (i=0;ihashkey, res); } for (i=0;ihashkey, res); } lo = plen%12; Kohno, Viega, Whiting [Page 23] Internet Draft May 2003 if (lo) { p = p+i*12; for (i=0;ihashkey, res); } t[0] = t[2] = 0; t[1] = alen; t[3] = plen; cwc_mod_add(t, res); for (i=0;i<4;i++) ((uint32 *)out)[i] = htonl(res[i]); } Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Kohno, Viega, Whiting [Page 24] Internet Draft May 2003 Kohno, Viega, Whiting [Page 25]