
Fix computed tag in Ascon-80pq

Open Gusted opened this issue 1 year ago • 3 comments

Resolves #101.

Gusted avatar Jan 06 '24 19:01 Gusted

Thanks a lot for doing this. I have a new implementation of Ascon, which confirms the tags above.

It would of course still be useful to compare with the original source code. It is somewhat likely that at least one other implementation makes similar mistakes. finalize in Ascon80pq uses the last 16 bytes of the key, which is something that might get overlooked. But of course, this has to be fixed in the test vector generation code.

bleichenbacher-daniel avatar Jan 08 '24 08:01 bleichenbacher-daniel

> finalize in Ascon80pq uses the last 16 bytes of the key, which is something that might get overlooked

Just to clarify, as I was kind of confused by this comment: you mean that the last 16 bytes of the key are xor'ed against the last 16 bytes of the state to compute the tag, as the whole key is also xor'ed against the state before the permutation in the finalization step.

> But of course, this has to be fixed in the test vector generation code.

Is this code public?

Gusted avatar Jan 08 '24 09:01 Gusted

> finalize in Ascon80pq uses the last 16 bytes of the key, which is something that might get overlooked

> Just to clarify, as I was kind of confused by this comment: you mean that the last 16 bytes of the key are xor'ed against the last 16 bytes of the state to compute the tag, as the whole key is also xor'ed against the state before the permutation in the finalization step.

Yes, indeed. E.g., Ascon v.1.1 does not specify that the last 16 bytes are being used to compute the tag, because this version does not include Ascon80pq and hence does not have to specify which bytes to use. Hence taking an old implementation and carelessly extending it to Ascon80pq can lead to such problems.

> But of course, this has to be fixed in the test vector generation code.

> Is this code public?

No, it is not. Having access to it would solve this issue much faster, of course. For example it probably would document the version of the paper that was used for the implementation.

bleichenbacher-daniel avatar Jan 08 '24 10:01 bleichenbacher-daniel
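The finalization step discussed in the two comments above, as an added illustration (this is neither wycheproof's test vector generator nor the Ascon reference code): a compact Ascon-80pq encryption that follows the Ascon v1.2 parameters (IV `0xa0400c06`, 12 rounds for initialization/finalization, 8 between blocks). The whole 160-bit key is xored into the state right after the 64-bit rate before the final permutation, and the tag is the last 128 state bits xored with the last 16 key bytes. The `tag_from_first_key_bytes` flag is a hypothetical switch, added here only to reproduce the mistake the thread warns about (using the first 16 key bytes instead).

```python
# Added illustration of Ascon-80pq finalization; not wycheproof or Ascon project code.
MASK64 = (1 << 64) - 1
ROUND_CONSTANTS = [0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87, 0x78, 0x69, 0x5a, 0x4b]

def _ror(x, n): return ((x >> n) | (x << (64 - n))) & MASK64

def permutation(state, rounds):
    """Ascon permutation p^rounds (12 or 8) on the 320-bit state, held as one int."""
    x0, x1, x2, x3, x4 = [(state >> (64 * i)) & MASK64 for i in (4, 3, 2, 1, 0)]
    for c in ROUND_CONSTANTS[12 - rounds:]:
        x2 ^= c                                    # add round constant
        x0 ^= x4; x4 ^= x3; x2 ^= x1               # substitution layer (5-bit S-box)
        x0, x1, x2, x3, x4 = (x0 ^ (~x1 & x2), x1 ^ (~x2 & x3), x2 ^ (~x3 & x4),
                              x3 ^ (~x4 & x0), x4 ^ (~x0 & x1))
        x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK64
        x0 ^= _ror(x0, 19) ^ _ror(x0, 28)          # linear diffusion layer
        x1 ^= _ror(x1, 61) ^ _ror(x1, 39)
        x2 ^= _ror(x2, 1) ^ _ror(x2, 6)
        x3 ^= _ror(x3, 10) ^ _ror(x3, 17)
        x4 ^= _ror(x4, 7) ^ _ror(x4, 41)
    return (x0 << 256) | (x1 << 192) | (x2 << 128) | (x3 << 64) | x4

def _padded_blocks(data):
    """8-byte words with Ascon's 0x80 00.. padding; the last word is always padded."""
    data = data + b"\x80" + b"\x00" * (7 - len(data) % 8)
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]

def ascon80pq_encrypt(key, nonce, ad, pt, tag_from_first_key_bytes=False):
    """Returns (ciphertext, 16-byte tag); the flag reproduces the wrong-key-slice bug."""
    k, n = int.from_bytes(key, "big"), int.from_bytes(nonce, "big")   # 160-bit, 128-bit
    s = permutation((0xa0400c06 << 288) | (k << 128) | n, 12)          # IV || K || N
    s ^= k                                         # K xored into the last 160 bits
    if ad:
        for block in _padded_blocks(ad):
            s = permutation(s ^ (block << 256), 8)
    s ^= 1                                         # domain separation bit
    ct, blocks = b"", _padded_blocks(pt)
    for block in blocks[:-1]:
        s ^= block << 256
        ct += (s >> 256).to_bytes(8, "big")
        s = permutation(s, 8)
    s ^= blocks[-1] << 256
    ct += (s >> 256).to_bytes(8, "big")[:len(pt) % 8]
    s = permutation(s ^ (k << 96), 12)             # whole key xored in right after the rate
    # Tag = last 128 state bits xored with the LAST 16 key bytes (key[4:]), not key[:16].
    tag_key = key[:16] if tag_from_first_key_bytes else key[4:]
    tag = (s & ((1 << 128) - 1)) ^ int.from_bytes(tag_key, "big")
    return ct, tag.to_bytes(16, "big")
```

Because the state entering the tag computation is identical in both cases, the correct and the mistaken tag differ by exactly `key[4:] ^ key[:16]`, which is a quick check for whether an implementation picked the wrong key slice.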

> Thanks a lot for doing this. I have a new implementation of Ascon, which confirms the tags above.

Given this confirmation, I'll go ahead and get this merged.

chuckx avatar Mar 15 '24 21:03 chuckx