IETF Logo Mail Archive

Re: [saag] [Cfrg] draft-mcgrew-tss-01

der Mouse <mouse@Rodents-Montreal.ORG> Mon, 29 December 2008 07:13 UTC

Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0BB5828C213; Sun, 28 Dec 2008 23:13:55 -0800 (PST)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 163313A6814; Tue, 23 Dec 2008 17:56:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.541
X-Spam-Level:
X-Spam-Status: No, score=-8.541 tagged_above=-999 required=5 tests=[AWL=0.247, BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, J_CHICKENPOX_18=0.6, J_CHICKENPOX_61=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Aorlpmdvb-c; Tue, 23 Dec 2008 17:56:49 -0800 (PST)
Received: from Sparkle.Rodents-Montreal.ORG (Sparkle.Rodents-Montreal.ORG [216.46.5.7]) by core3.amsl.com (Postfix) with ESMTP id 44D063A67DD; Tue, 23 Dec 2008 17:56:48 -0800 (PST)
Received: from localhost (localhost [[UNIX: localhost]]) by Sparkle.Rodents-Montreal.ORG (8.8.8/8.8.8) id UAA04704; Tue, 23 Dec 2008 20:56:22 -0500 (EST)
From: der Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <200812240156.UAA04704@Sparkle.Rodents-Montreal.ORG>
Mime-Version: 1.0
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
Date: Tue, 23 Dec 2008 19:47:00 -0500
To: cfrg@ietf.org, saag@ietf.org
In-Reply-To: <AE8FA9B2B782C334AD0ADA96@atlantis.pc.cs.cmu.edu>
References: <20081219172158.9B50F3A6886@core3.amsl.com> <DE09FED0-96D8-41DD-93A8-06F1A16DA8BD@cisco.com> <200812191755.mBJHtWQm008375@toasties.srv.cs.cmu.edu> <AE8FA9B2B782C334AD0ADA96@atlantis.pc.cs.cmu.edu>
X-Mailman-Approved-At: Sun, 28 Dec 2008 23:13:53 -0800
Subject: Re: [saag] [Cfrg] draft-mcgrew-tss-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

> - The field multiplication operation is more than a little opaque.
>   How were the EXP and LOG tables generated?  Is there any convenient
>   way to demonstrate that that the tables are actually correct and
>   result in an invertible operation?

The simple thing to do is to build a small program that uses the
tables, and definitions of multiplication and division, from the
draft, and verifies that a*b/a=b and a*b/b=a whenever, respectively, a
or b is nonzero, and that, for any nonzero a, the function x->a*x is a
permutation on the nonzero values of x.  I've done this (test program
source is below), and they pass.

I'm hardly an expert group theorist, but I *think* that the underlying
math will work for any tables that pass those two tests.  (Since the
definition of multiplication is symmetric, there is no need to test
separately that x->x*b is a permutation for any nonzero b.)

As for how EXP and LOG were generated, I don't know, since I didn't
generate them. :)  I suspect EXP was generated by computing successive
powers of 3 in the field used by Rijndael (ie, GF(256) with reducing
polynomial 0x11b); the values match values computed that way, so even
if it wasn't it might as well have been.  (LOG is just the inverse of
EXP.)  My program checks that EXP matches the powers of 3 in GF(256)
with polynomial 0x11b, and that EXP and LOG are inverses.  (I actually
would prefer that the spec define multiplication and division in terms
of GF(256) and a particular reducing polynomial rather than in terms of
tables, even if the operations defined are identical.)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Here's that test program.  It prints any errors it finds, so it should
produce no output.

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>

static unsigned char EXP[] = {
         0x01, 0x03, 0x05, 0x0f, 0x11, 0x33, 0x55, 0xff,
         0x1a, 0x2e, 0x72, 0x96, 0xa1, 0xf8, 0x13, 0x35,
         0x5f, 0xe1, 0x38, 0x48, 0xd8, 0x73, 0x95, 0xa4,
         0xf7, 0x02, 0x06, 0x0a, 0x1e, 0x22, 0x66, 0xaa,
         0xe5, 0x34, 0x5c, 0xe4, 0x37, 0x59, 0xeb, 0x26,
         0x6a, 0xbe, 0xd9, 0x70, 0x90, 0xab, 0xe6, 0x31,
         0x53, 0xf5, 0x04, 0x0c, 0x14, 0x3c, 0x44, 0xcc,
         0x4f, 0xd1, 0x68, 0xb8, 0xd3, 0x6e, 0xb2, 0xcd,
         0x4c, 0xd4, 0x67, 0xa9, 0xe0, 0x3b, 0x4d, 0xd7,
         0x62, 0xa6, 0xf1, 0x08, 0x18, 0x28, 0x78, 0x88,
         0x83, 0x9e, 0xb9, 0xd0, 0x6b, 0xbd, 0xdc, 0x7f,
         0x81, 0x98, 0xb3, 0xce, 0x49, 0xdb, 0x76, 0x9a,
         0xb5, 0xc4, 0x57, 0xf9, 0x10, 0x30, 0x50, 0xf0,
         0x0b, 0x1d, 0x27, 0x69, 0xbb, 0xd6, 0x61, 0xa3,
         0xfe, 0x19, 0x2b, 0x7d, 0x87, 0x92, 0xad, 0xec,
         0x2f, 0x71, 0x93, 0xae, 0xe9, 0x20, 0x60, 0xa0,
         0xfb, 0x16, 0x3a, 0x4e, 0xd2, 0x6d, 0xb7, 0xc2,
         0x5d, 0xe7, 0x32, 0x56, 0xfa, 0x15, 0x3f, 0x41,
         0xc3, 0x5e, 0xe2, 0x3d, 0x47, 0xc9, 0x40, 0xc0,
         0x5b, 0xed, 0x2c, 0x74, 0x9c, 0xbf, 0xda, 0x75,
         0x9f, 0xba, 0xd5, 0x64, 0xac, 0xef, 0x2a, 0x7e,
         0x82, 0x9d, 0xbc, 0xdf, 0x7a, 0x8e, 0x89, 0x80,
         0x9b, 0xb6, 0xc1, 0x58, 0xe8, 0x23, 0x65, 0xaf,
         0xea, 0x25, 0x6f, 0xb1, 0xc8, 0x43, 0xc5, 0x54,
         0xfc, 0x1f, 0x21, 0x63, 0xa5, 0xf4, 0x07, 0x09,
         0x1b, 0x2d, 0x77, 0x99, 0xb0, 0xcb, 0x46, 0xca,
         0x45, 0xcf, 0x4a, 0xde, 0x79, 0x8b, 0x86, 0x91,
         0xa8, 0xe3, 0x3e, 0x42, 0xc6, 0x51, 0xf3, 0x0e,
         0x12, 0x36, 0x5a, 0xee, 0x29, 0x7b, 0x8d, 0x8c,
         0x8f, 0x8a, 0x85, 0x94, 0xa7, 0xf2, 0x0d, 0x17,
         0x39, 0x4b, 0xdd, 0x7c, 0x84, 0x97, 0xa2, 0xfd,
         0x1c, 0x24, 0x6c, 0xb4, 0xc7, 0x52, 0xf6, 0x00 };

static unsigned char LOG[] = {
         0x00, 0x00, 0x19, 0x01, 0x32, 0x02, 0x1a, 0xc6,
         0x4b, 0xc7, 0x1b, 0x68, 0x33, 0xee, 0xdf, 0x03,
         0x64, 0x04, 0xe0, 0x0e, 0x34, 0x8d, 0x81, 0xef,
         0x4c, 0x71, 0x08, 0xc8, 0xf8, 0x69, 0x1c, 0xc1,
         0x7d, 0xc2, 0x1d, 0xb5, 0xf9, 0xb9, 0x27, 0x6a,
         0x4d, 0xe4, 0xa6, 0x72, 0x9a, 0xc9, 0x09, 0x78,
         0x65, 0x2f, 0x8a, 0x05, 0x21, 0x0f, 0xe1, 0x24,
         0x12, 0xf0, 0x82, 0x45, 0x35, 0x93, 0xda, 0x8e,
         0x96, 0x8f, 0xdb, 0xbd, 0x36, 0xd0, 0xce, 0x94,
         0x13, 0x5c, 0xd2, 0xf1, 0x40, 0x46, 0x83, 0x38,
         0x66, 0xdd, 0xfd, 0x30, 0xbf, 0x06, 0x8b, 0x62,
         0xb3, 0x25, 0xe2, 0x98, 0x22, 0x88, 0x91, 0x10,
         0x7e, 0x6e, 0x48, 0xc3, 0xa3, 0xb6, 0x1e, 0x42,
         0x3a, 0x6b, 0x28, 0x54, 0xfa, 0x85, 0x3d, 0xba,
         0x2b, 0x79, 0x0a, 0x15, 0x9b, 0x9f, 0x5e, 0xca,
         0x4e, 0xd4, 0xac, 0xe5, 0xf3, 0x73, 0xa7, 0x57,
         0xaf, 0x58, 0xa8, 0x50, 0xf4, 0xea, 0xd6, 0x74,
         0x4f, 0xae, 0xe9, 0xd5, 0xe7, 0xe6, 0xad, 0xe8,
         0x2c, 0xd7, 0x75, 0x7a, 0xeb, 0x16, 0x0b, 0xf5,
         0x59, 0xcb, 0x5f, 0xb0, 0x9c, 0xa9, 0x51, 0xa0,
         0x7f, 0x0c, 0xf6, 0x6f, 0x17, 0xc4, 0x49, 0xec,
         0xd8, 0x43, 0x1f, 0x2d, 0xa4, 0x76, 0x7b, 0xb7,
         0xcc, 0xbb, 0x3e, 0x5a, 0xfb, 0x60, 0xb1, 0x86,
         0x3b, 0x52, 0xa1, 0x6c, 0xaa, 0x55, 0x29, 0x9d,
         0x97, 0xb2, 0x87, 0x90, 0x61, 0xbe, 0xdc, 0xfc,
         0xbc, 0x95, 0xcf, 0xcd, 0x37, 0x3f, 0x5b, 0xd1,
         0x53, 0x39, 0x84, 0x3c, 0x41, 0xa2, 0x6d, 0x47,
         0x14, 0x2a, 0x9e, 0x5d, 0x56, 0xf2, 0xd3, 0xab,
         0x44, 0x11, 0x92, 0xd9, 0x23, 0x20, 0x2e, 0x89,
         0xb4, 0x7c, 0xb8, 0x26, 0x77, 0x99, 0xe3, 0xa5,
         0x67, 0x4a, 0xed, 0xde, 0xc5, 0x31, 0xfe, 0x18,
         0x0d, 0x63, 0x8c, 0x80, 0xc0, 0xf7, 0x70, 0x07 };

static unsigned char m(unsigned char a, unsigned char b)
{
 return((a&&b)?EXP[(LOG[a]+LOG[b])%255]:0);
}

static unsigned char d(unsigned char a, unsigned char b)
{
 if (! b) abort();
 return(a?EXP[(255+LOG[a]-LOG[b])%255]:0);
}

int main(void);
int main(void)
{
 unsigned int a;
 unsigned int b;
 unsigned int p;
 unsigned int q;
 char v[256];

 p = 1;
 for (a=0;a<255;a++)
  { if (EXP[a] != p)
     { printf("EXP[%02x] = %02x, not %02x\n",a,EXP[a],p);
     }
    p = (p ^ ((p&0x7f)<<1)) ^ ((p&0x80) ? 0x1b : 0);
  }
 for (a=1;a<256;a++)
  { if (EXP[LOG[a]] != a)
     { printf("EXP[LOG[%02x]] = %02x\n",a,EXP[LOG[a]]);
     }
    bzero(&v[0],256);
    for (b=1;b<256;b++)
     { p = m(a,b);
       v[p] = 1;
       q = d(p,a);
       if (q != b)
	{ printf("%02x * %02x = %02x / %02x = %02x\n",a,b,p,a,q);
	}
       q = d(p,b);
       if (q != a)
	{ printf("%02x * %02x = %02x / %02x = %02x\n",a,b,p,b,q);
	}
     }
    for (b=1;b<256;b++)
     { if (! v[b])
	{ printf("%02x * all misses %02x\n",a,b);
	}
     }
  }
 return(0);
}
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

v2.23.0 | Report a Bug | By Email