Is second test vector valid? #11

Closed
philanc opened this issue Dec 11, 2018 · 5 comments

philanc commented Dec 11, 2018

I ran the test vectors with Libsodium (1.0.16) and Monocypher (2.0.5).

For test in section A.3.1. AEAD_XCHACHA20_POLY1305, I got the expected result.

For test in section A.3.2. XChaCha20 (plaintext: "The dhole..."), I got a different result (same result with Libsodium and Monocypher):

Contributor

paragonie-scott commented Dec 12, 2018

I see the problem. You're calling the AEAD interface in both places.

The second test vector is for XChaCha20 itself (`crypto_stream_xchacha20_xor`), not the AEAD construction (`crypto_aead_xchacha20poly1305_ietf_encrypt`). The AEAD construction uses the first block of the keystream to generate the one-time Poly1305 key and then encrypts from there.

@paragonie-scott
Contributor

I wonder if including the raw keystream prior to encryption would make this easier to troubleshoot.

@jedisct1

Sounds like a good idea to me.

@paragonie-scott
Contributor

57a8ce2 should make it easier to prevent this in the future. Anyone who is about to retrace the same steps will have to notice that the keystream seems to be offset from what the test vectors provide, which should be a dead giveaway that they're using the AEAD interface for both test vectors.

@paragonie-scott
Contributor

> A.2. Example and Test Vector for XChaCha20
> Note: This is for the XChaCha20 stream cipher itself, not the AEAD
> construction.

makes it explicit, too.

Thanks @philanc for reporting this issue. 👍
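
The keystream offset discussed in this thread, as an added example that is not code from the issue, the draft or either library: a pure-Python XChaCha20 keystream plus a check that reports which initial block counter explains a known plaintext/ciphertext pair. It assumes the raw stream interface starts at block counter 0 and the AEAD body at block counter 1 (block 0 supplies the one-time Poly1305 key); the key, nonce and message are constructed sample values, and `keystream_offset` is a hypothetical helper name.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = list(struct.unpack("<4I", b"expand 32-byte k"))
# Column rounds (0,4,8,12)... followed by diagonal rounds (0,5,10,15)...
QR_INDEXES = [(i, 4 + i, 8 + i, 12 + i) for i in range(4)] + \
             [(i, 4 + (i + 1) % 4, 8 + (i + 2) % 4, 12 + (i + 3) % 4) for i in range(4)]

def rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def quarter_round(s, a, b, c, d):
    for rot_d, rot_b in ((16, 12), (8, 7)):
        s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], rot_d)
        s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], rot_b)

def rounds(state):
    s = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        for idx in QR_INDEXES:
            quarter_round(s, *idx)
    return s

def chacha20_block(key, counter, nonce12):
    init = SIGMA + list(struct.unpack("<8I", key)) + [counter] + list(struct.unpack("<3I", nonce12))
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(rounds(init), init)))

def hchacha20(key, nonce16):
    s = rounds(SIGMA + list(struct.unpack("<8I", key)) + list(struct.unpack("<4I", nonce16)))
    return struct.pack("<8I", *(s[0:4] + s[12:16]))  # no feed-forward addition

def xchacha20_keystream(key, nonce24, length, counter=0):
    subkey = hchacha20(key, nonce24[:16])          # subkey from first 16 nonce bytes
    nonce12 = b"\x00" * 4 + nonce24[16:]           # remaining 8 bytes, zero-prefixed
    blocks = (chacha20_block(subkey, counter + i, nonce12) for i in range((length + 63) // 64))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_offset(plaintext, ciphertext, key, nonce24, max_blocks=4):
    """Initial block counter that explains a known plaintext/ciphertext pair, else None."""
    observed = xor(plaintext, ciphertext)  # keystream actually used
    return next((c for c in range(max_blocks)
                 if xchacha20_keystream(key, nonce24, len(observed), c) == observed), None)

# Constructed sample values, not the draft's test vector.
KEY, NONCE = bytes(range(32)), bytes(range(100, 124))
MSG = b"constructed sample plaintext, longer than one 64-byte block. " * 2
STREAM_CT = xor(MSG, xchacha20_keystream(KEY, NONCE, len(MSG), 0))  # raw stream: counter 0
AEAD_BODY = xor(MSG, xchacha20_keystream(KEY, NONCE, len(MSG), 1))  # AEAD body: block 0 keys Poly1305
```

An offset of 1 for output that was expected to match a raw-stream vector means the AEAD interface produced it.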
