Hi Jouni, Thank you very much for your review of my I-D and for identification of the issues you describe below. I have updated the draft to incorporate your suggested modifications: - mention S2V before CTR in the description of SIV keying. - define "bitand" in section 2.1 as the logical AND of two equal length strings, then use "bitand" in sections 2.6 and 2.7 as you suggest. - fixed the test vector in section A.2 I also verified that my SIV implementation generates the correct test vectors and this matches the test vectors sent to NIST. The draft has been updated and a -03 should be in the repository right now. Once again, thanks for your review and for identifying these issues before the draft got published. regards, Dan. On Wed, May 14, 2008 6:38 am, Jouni Malinen wrote: >> - 'SIV Authenticated Encryption using AES ' >> <draft-dharkins-siv-aes-02.txt> as a Proposed Standard >> >> The IESG plans to make a decision in the next few weeks, and solicits >> final comments on this action. Please send substantive comments to the >> ietf@xxxxxxxx mailing lists by 2008-06-10. > > It looks like there are couple of small errors in the draft that can > result in incorrect interpretation of the design: > > 2.2. Overview > > SIV-AES uses AES in counter mode (CTR) and in CMAC mode (S2V). SIV- > AES takes either a 256, 384, or 512 bit key (which is broken up into > two equal-sized keys, one for CTR and the other for S2V), a variable > > While this is not strictly speaking incorrect statement, it would be > clearer to swap the order of CTR and S2V in the description of the keys > here since the first half of the key is actually used for S2V as > specified in more formal description later in the draft. > > > 2.5. CTR > Before beginning counter mode the 32nd and 64th bits (where the > rightmost bit is the 0th bit) of the counter are cleared. This > > 2.6. SIV Encrypt > SIV-ENCRYPT(K, P, AD1, ..., ADn) { > Q = V xor (1^64 || 0^1 || 1^31 || 0^1 || 1^31) > > 2.7. SIV Decrypt > SIV-DECRYPT(K, Z, AD1, ..., ADn) { > Q = V xor (1^64 || 0^1 || 1^31 || 0^1 || 1^31) > > The description of pre-processing for the counter is in conflict here. > Chapter 2.5 clears two bits while the SIV-ENCRYPT and SIV-DECRYPT > algorithms are actually swapping lots of bits and not changing the bits > that should have been cleared. It looks like the 'xor' in these > algorithms was supposed to be 'and' which would achieve the desired > clearing of the two bits as defined in 2.5. In addition to this change, > 'and' should be added into chapter 2.1 with similar description to 'xor' > since this is the first use of 'A and B' notation in the draft. > > > A.2. Nonce-based Authenticated Encryption Example > > Plaintext: > 74686973 20697320 74686520 706c6169 > 6e746578 7420746f 20656e63 72797074 > 20757369 6e672053 49562d41 4553 > > xorend: > 74686973 20697320 736f6d65 20706c61 > 696e7465 78742074 6f20656e 63727966 > 2d0c6201 f3341575 342a3745 f5c625 > > ciphertext: > cb900f2f ddbe4043 26601965 c889bf17 > dba77ceb 094fa663 b7a3f748 ba8af829 > ea64ad54 4a272e9c 485b62a3 fd5c0d > > There seems to be a typo here in the second test vector. The lengths of > the plaintext, xorend, and ciphertext should be the same. However, the > described plaintext is one octet shorter than xorend/ciphertext. Based > on the ASCII presentation of the plaintext and beginning of xorend > value, it looks like the plaintext value should start "this is some > plaintext", not "this is the plaintext" in order to end up with the > described output of the test case. In other words, the Plaintext for A.2 > should be changed to: > > Plaintext: > 74686973 20697320 736f6d65 20706c61 > 696e7465 78742074 6f20656e 63727970 > 74207573 696e6720 5349562d 414553 > > > With the changes described above, I can reproduce matching results for > the test vectors. > > -- > Jouni Malinen PGP id EFC895FA > _______________________________________________ > IETF mailing list > IETF@xxxxxxxx > https://www.ietf.org/mailman/listinfo/ietf > _______________________________________________ IETF mailing list IETF@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf