<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Sun, May 8, 2016 at 10:35 AM, Naveen Nathan <span dir="ltr"><<a href="mailto:naveen@lastninja.net" target="_blank">naveen@lastninja.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">In DECRYPT() the tag is not passed in, however the NIST SP 800-38D KAT (known answer tests)<br>
separate the tag and the ciphertext. Is it tacitly implied that the ciphertext is prefixed<br>
with the authentication tag, which is then split appropriately in the DECRYPT function?<br></blockquote><div><br></div><div>Yes. ENCRYPT() returns ciphertext + tag concatenated, and DECRYPT() splits them before processing. However, this is a specification convenience issue - an actual implementation might find it more convenient to split the values and/or encrypt the plaintext in-place to create the ciphertext.<br><br></div><div>I found that the NIST KAT's aren't terribly useful for testing the raw noise primitives though since very few of the KAT nonce values are in the special form required by noise (32 bits of zeroes followed by 64 bits of n).<br><br></div><div>I would suggest building a full-blown AES-GCM first, testing that against the KAT values, and then special-casing it to what noise requires. If you are using a third-party Python AES-GCM library, then even better - you can let them worry about the KAT values and use Alex's noise protocol test vectors to catch issues with the special-form nonces:<br><br><a href="https://github.com/centromere/cacophony/blob/master/vectors/cacophony.txt">https://github.com/centromere/cacophony/blob/master/vectors/cacophony.txt</a><br></div><div><br></div><div>Cheers,<br><br></div><div>Rhys.<br></div><div><br></div></div></div></div>