bleichenbacher-daniel

Thanks a lot for doing this. I have a new implementation of Ascon, which confirms the tags above. It would of course still be useful to compare with the original...

> > finalize in Ascon80pq uses the last 16 bytes of the key, which is something that might get overlooked > > Just to clarify as I was kind of...

Most likely the test vectors in Wycheproof are wrong. I suspect that there is some problem with the finalization. However, I don't have access to the generation code anymore, hence...

The latest version of the test vectors in wycheproof/testvectors_v1/aes_kwp_test.json should be better.

testvectors_v1 generally contains the latest version. The main difference is that the format for the flags has changed, so that it is possible to add more comments. The main purpose...

I looked into SSH recently. Since the maximal amount of data that can be sent before rekeying is 1 or 4 GB a counter will never overflow a 32 bit...

I don't think any changes are necessary here. What the test is doing is to generate signatures, select a subset from those signatures based on timing information, and then checks...

The point I wanted to make is that there can not be a test failure because of noise. If the implementation is correct then expected result will be close to...

I looked that this issue just briefly. It seems that public key recovery has its own set of potential implementation issues, so that it would make sense to have its...

I had some time to look into public key recovery and have written some initial code to generate test vector. Since ECDSA verification through public key recovery use a different...