IETF Logo Mail Archive

Re: [Cfrg] [saag] draft-mcgrew-tss-01

David McGrew <mcgrew@cisco.com> Mon, 05 January 2009 16:16 UTC

Return-Path: <cfrg-bounces@irtf.org>
X-Original-To: cfrg-archive@megatron.ietf.org
Delivered-To: ietfarch-cfrg-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7F3AC28C0F7; Mon, 5 Jan 2009 08:16:09 -0800 (PST)
X-Original-To: cfrg@core3.amsl.com
Delivered-To: cfrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 66C6F28C0E8; Mon, 5 Jan 2009 08:16:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.999
X-Spam-Level:
X-Spam-Status: No, score=-5.999 tagged_above=-999 required=5 tests=[AWL=-0.600, BAYES_00=-2.599, J_CHICKENPOX_18=0.6, J_CHICKENPOX_61=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AyQ5gTPZxtCd; Mon, 5 Jan 2009 08:16:06 -0800 (PST)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 2ABA43A67A5; Mon, 5 Jan 2009 08:16:06 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.36,332,1228089600"; d="p7s'?scan'208";a="27329950"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-4.cisco.com with ESMTP; 05 Jan 2009 16:15:53 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n05GFr4E001120; Mon, 5 Jan 2009 08:15:53 -0800
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n05GFrJe025401; Mon, 5 Jan 2009 16:15:53 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 5 Jan 2009 08:15:51 -0800
Received: from stealth-10-32-254-212.cisco.com ([10.32.254.212]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 5 Jan 2009 08:15:50 -0800
Message-Id: <DA750EAE-54D0-40CE-998C-840F6057A9C8@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: der Mouse <mouse@Rodents-Montreal.ORG>
In-Reply-To: <200812240156.UAA04704@Sparkle.Rodents-Montreal.ORG>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Mon, 05 Jan 2009 08:15:48 -0800
References: <20081219172158.9B50F3A6886@core3.amsl.com> <DE09FED0-96D8-41DD-93A8-06F1A16DA8BD@cisco.com> <200812191755.mBJHtWQm008375@toasties.srv.cs.cmu.edu> <AE8FA9B2B782C334AD0ADA96@atlantis.pc.cs.cmu.edu> <200812240156.UAA04704@Sparkle.Rodents-Montreal.ORG>
X-Mailer: Apple Mail (2.929.2)
X-OriginalArrivalTime: 05 Jan 2009 16:15:51.0110 (UTC) FILETIME=[E07C9E60:01C96F50]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=10557; t=1231172153; x=1232036153; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:=20David=20McGrew=20<mcgrew@cisco.com> |Subject:=20Re=3A=20[saag]=20[Cfrg]=20draft-mcgrew-tss-01 |Sender:=20; bh=n38mgod7BasSjjwfiWqxxyLxvkvfuxInqrL5nJsY4ss=; b=PiGopg82/ZnaSzi/R345Ps5ZNJfgKiRY8woZzsZBJ5YkSkXOha/lFmW/uL G6NuGBCd6IdQ52GmH3fLY2A2SQ0d3WQQ+YL9sqbMXACmmxhQyQKMNatRsGNn rc2k27uIms;
Authentication-Results: sj-dkim-3; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: cfrg@ietf.org, saag@ietf.org
Subject: Re: [Cfrg] [saag] draft-mcgrew-tss-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://www.irtf.org/mailman/private/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1021153903=="
Sender: cfrg-bounces@irtf.org
Errors-To: cfrg-bounces@irtf.org

On Dec 23, 2008, at 4:47 PM, der Mouse wrote:

>> - The field multiplication operation is more than a little opaque.
>>  How were the EXP and LOG tables generated?  Is there any convenient
>>  way to demonstrate that that the tables are actually correct and
>>  result in an invertible operation?
>
> The simple thing to do is to build a small program that uses the
> tables, and definitions of multiplication and division, from the
> draft, and verifies that a*b/a=b and a*b/b=a whenever, respectively, a
> or b is nonzero, and that, for any nonzero a, the function x->a*x is a
> permutation on the nonzero values of x.  I've done this (test program
> source is below), and they pass.
>
> I'm hardly an expert group theorist, but I *think* that the underlying
> math will work for any tables that pass those two tests.  (Since the
> definition of multiplication is symmetric, there is no need to test
> separately that x->x*b is a permutation for any nonzero b.)
>
> As for how EXP and LOG were generated, I don't know, since I didn't
> generate them. :)  I suspect EXP was generated by computing successive
> powers of 3 in the field used by Rijndael (ie, GF(256) with reducing
> polynomial 0x11b); the values match values computed that way, so even
> if it wasn't it might as well have been.  (LOG is just the inverse of
> EXP.)  My program checks that EXP matches the powers of 3 in GF(256)
> with polynomial 0x11b, and that EXP and LOG are inverses.

that's right, it's the AES/Rijndael field representation.  The draft  
should state this, since it might be useful to other implementers.

> (I actually
> would prefer that the spec define multiplication and division in terms
> of GF(256) and a particular reducing polynomial rather than in terms  
> of
> tables, even if the operations defined are identical.)

The way that the field is currently defined, there are no bit- 
operations.  That was a conscious choice, because the bit/byte  
conversion is often a point of confusion.

Others have also commented that more info on the field should be  
included, so I think the next version will have an appendix with more  
information in it.   I'd prefer to have minimum information in the  
normative section, and then have more background in an informative  
appendix.

David

>
>
> /~\ The ASCII				  Mouse
> \ / Ribbon Campaign
> X  Against HTML		mouse@rodents-montreal.org
> / \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
>
> Here's that test program.  It prints any errors it finds, so it should
> produce no output.
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <strings.h>
>
> static unsigned char EXP[] = {
>         0x01, 0x03, 0x05, 0x0f, 0x11, 0x33, 0x55, 0xff,
>         0x1a, 0x2e, 0x72, 0x96, 0xa1, 0xf8, 0x13, 0x35,
>         0x5f, 0xe1, 0x38, 0x48, 0xd8, 0x73, 0x95, 0xa4,
>         0xf7, 0x02, 0x06, 0x0a, 0x1e, 0x22, 0x66, 0xaa,
>         0xe5, 0x34, 0x5c, 0xe4, 0x37, 0x59, 0xeb, 0x26,
>         0x6a, 0xbe, 0xd9, 0x70, 0x90, 0xab, 0xe6, 0x31,
>         0x53, 0xf5, 0x04, 0x0c, 0x14, 0x3c, 0x44, 0xcc,
>         0x4f, 0xd1, 0x68, 0xb8, 0xd3, 0x6e, 0xb2, 0xcd,
>         0x4c, 0xd4, 0x67, 0xa9, 0xe0, 0x3b, 0x4d, 0xd7,
>         0x62, 0xa6, 0xf1, 0x08, 0x18, 0x28, 0x78, 0x88,
>         0x83, 0x9e, 0xb9, 0xd0, 0x6b, 0xbd, 0xdc, 0x7f,
>         0x81, 0x98, 0xb3, 0xce, 0x49, 0xdb, 0x76, 0x9a,
>         0xb5, 0xc4, 0x57, 0xf9, 0x10, 0x30, 0x50, 0xf0,
>         0x0b, 0x1d, 0x27, 0x69, 0xbb, 0xd6, 0x61, 0xa3,
>         0xfe, 0x19, 0x2b, 0x7d, 0x87, 0x92, 0xad, 0xec,
>         0x2f, 0x71, 0x93, 0xae, 0xe9, 0x20, 0x60, 0xa0,
>         0xfb, 0x16, 0x3a, 0x4e, 0xd2, 0x6d, 0xb7, 0xc2,
>         0x5d, 0xe7, 0x32, 0x56, 0xfa, 0x15, 0x3f, 0x41,
>         0xc3, 0x5e, 0xe2, 0x3d, 0x47, 0xc9, 0x40, 0xc0,
>         0x5b, 0xed, 0x2c, 0x74, 0x9c, 0xbf, 0xda, 0x75,
>         0x9f, 0xba, 0xd5, 0x64, 0xac, 0xef, 0x2a, 0x7e,
>         0x82, 0x9d, 0xbc, 0xdf, 0x7a, 0x8e, 0x89, 0x80,
>         0x9b, 0xb6, 0xc1, 0x58, 0xe8, 0x23, 0x65, 0xaf,
>         0xea, 0x25, 0x6f, 0xb1, 0xc8, 0x43, 0xc5, 0x54,
>         0xfc, 0x1f, 0x21, 0x63, 0xa5, 0xf4, 0x07, 0x09,
>         0x1b, 0x2d, 0x77, 0x99, 0xb0, 0xcb, 0x46, 0xca,
>         0x45, 0xcf, 0x4a, 0xde, 0x79, 0x8b, 0x86, 0x91,
>         0xa8, 0xe3, 0x3e, 0x42, 0xc6, 0x51, 0xf3, 0x0e,
>         0x12, 0x36, 0x5a, 0xee, 0x29, 0x7b, 0x8d, 0x8c,
>         0x8f, 0x8a, 0x85, 0x94, 0xa7, 0xf2, 0x0d, 0x17,
>         0x39, 0x4b, 0xdd, 0x7c, 0x84, 0x97, 0xa2, 0xfd,
>         0x1c, 0x24, 0x6c, 0xb4, 0xc7, 0x52, 0xf6, 0x00 };
>
> static unsigned char LOG[] = {
>         0x00, 0x00, 0x19, 0x01, 0x32, 0x02, 0x1a, 0xc6,
>         0x4b, 0xc7, 0x1b, 0x68, 0x33, 0xee, 0xdf, 0x03,
>         0x64, 0x04, 0xe0, 0x0e, 0x34, 0x8d, 0x81, 0xef,
>         0x4c, 0x71, 0x08, 0xc8, 0xf8, 0x69, 0x1c, 0xc1,
>         0x7d, 0xc2, 0x1d, 0xb5, 0xf9, 0xb9, 0x27, 0x6a,
>         0x4d, 0xe4, 0xa6, 0x72, 0x9a, 0xc9, 0x09, 0x78,
>         0x65, 0x2f, 0x8a, 0x05, 0x21, 0x0f, 0xe1, 0x24,
>         0x12, 0xf0, 0x82, 0x45, 0x35, 0x93, 0xda, 0x8e,
>         0x96, 0x8f, 0xdb, 0xbd, 0x36, 0xd0, 0xce, 0x94,
>         0x13, 0x5c, 0xd2, 0xf1, 0x40, 0x46, 0x83, 0x38,
>         0x66, 0xdd, 0xfd, 0x30, 0xbf, 0x06, 0x8b, 0x62,
>         0xb3, 0x25, 0xe2, 0x98, 0x22, 0x88, 0x91, 0x10,
>         0x7e, 0x6e, 0x48, 0xc3, 0xa3, 0xb6, 0x1e, 0x42,
>         0x3a, 0x6b, 0x28, 0x54, 0xfa, 0x85, 0x3d, 0xba,
>         0x2b, 0x79, 0x0a, 0x15, 0x9b, 0x9f, 0x5e, 0xca,
>         0x4e, 0xd4, 0xac, 0xe5, 0xf3, 0x73, 0xa7, 0x57,
>         0xaf, 0x58, 0xa8, 0x50, 0xf4, 0xea, 0xd6, 0x74,
>         0x4f, 0xae, 0xe9, 0xd5, 0xe7, 0xe6, 0xad, 0xe8,
>         0x2c, 0xd7, 0x75, 0x7a, 0xeb, 0x16, 0x0b, 0xf5,
>         0x59, 0xcb, 0x5f, 0xb0, 0x9c, 0xa9, 0x51, 0xa0,
>         0x7f, 0x0c, 0xf6, 0x6f, 0x17, 0xc4, 0x49, 0xec,
>         0xd8, 0x43, 0x1f, 0x2d, 0xa4, 0x76, 0x7b, 0xb7,
>         0xcc, 0xbb, 0x3e, 0x5a, 0xfb, 0x60, 0xb1, 0x86,
>         0x3b, 0x52, 0xa1, 0x6c, 0xaa, 0x55, 0x29, 0x9d,
>         0x97, 0xb2, 0x87, 0x90, 0x61, 0xbe, 0xdc, 0xfc,
>         0xbc, 0x95, 0xcf, 0xcd, 0x37, 0x3f, 0x5b, 0xd1,
>         0x53, 0x39, 0x84, 0x3c, 0x41, 0xa2, 0x6d, 0x47,
>         0x14, 0x2a, 0x9e, 0x5d, 0x56, 0xf2, 0xd3, 0xab,
>         0x44, 0x11, 0x92, 0xd9, 0x23, 0x20, 0x2e, 0x89,
>         0xb4, 0x7c, 0xb8, 0x26, 0x77, 0x99, 0xe3, 0xa5,
>         0x67, 0x4a, 0xed, 0xde, 0xc5, 0x31, 0xfe, 0x18,
>         0x0d, 0x63, 0x8c, 0x80, 0xc0, 0xf7, 0x70, 0x07 };
>
> static unsigned char m(unsigned char a, unsigned char b)
> {
> return((a&&b)?EXP[(LOG[a]+LOG[b])%255]:0);
> }
>
> static unsigned char d(unsigned char a, unsigned char b)
> {
> if (! b) abort();
> return(a?EXP[(255+LOG[a]-LOG[b])%255]:0);
> }
>
> int main(void);
> int main(void)
> {
> unsigned int a;
> unsigned int b;
> unsigned int p;
> unsigned int q;
> char v[256];
>
> p = 1;
> for (a=0;a<255;a++)
>  { if (EXP[a] != p)
>     { printf("EXP[%02x] = %02x, not %02x\n",a,EXP[a],p);
>     }
>    p = (p ^ ((p&0x7f)<<1)) ^ ((p&0x80) ? 0x1b : 0);
>  }
> for (a=1;a<256;a++)
>  { if (EXP[LOG[a]] != a)
>     { printf("EXP[LOG[%02x]] = %02x\n",a,EXP[LOG[a]]);
>     }
>    bzero(&v[0],256);
>    for (b=1;b<256;b++)
>     { p = m(a,b);
>       v[p] = 1;
>       q = d(p,a);
>       if (q != b)
> 	{ printf("%02x * %02x = %02x / %02x = %02x\n",a,b,p,a,q);
> 	}
>       q = d(p,b);
>       if (q != a)
> 	{ printf("%02x * %02x = %02x / %02x = %02x\n",a,b,p,b,q);
> 	}
>     }
>    for (b=1;b<256;b++)
>     { if (! v[b])
> 	{ printf("%02x * all misses %02x\n",a,b);
> 	}
>     }
>  }
> return(0);
> }
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email