[noise] formatting of AES-GCM ciphertext

Rhys Weatherley rhys.weatherley at gmail.com
Sat May 7 18:17:07 PDT 2016

On Sun, May 8, 2016 at 10:35 AM, Naveen Nathan <naveen at lastninja.net> wrote:

> In DECRYPT() the tag is not passed in, however the NIST SP 800-38D KAT
> (known answer tests)
> separate the tag and the ciphertext. Is it tacitly implied that the
> ciphertext is prefixed
> with the authentication tag, which is then split appropriately in the
> DECRYPT function?

Yes.  ENCRYPT() returns ciphertext + tag concatenated, and DECRYPT() splits
them before processing.  However, this is a specification convenience issue
- an actual implementation might find it more convenient to split the
values and/or encrypt the plaintext in-place to create the ciphertext.

I found that the NIST KAT's aren't terribly useful for testing the raw
noise primitives though since very few of the KAT nonce values are in the
special form required by noise (32 bits of zeroes followed by 64 bits of n).

I would suggest building a full-blown AES-GCM first, testing that against
the KAT values, and then special-casing it to what noise requires.  If you
are using a third-party Python AES-GCM library, then even better - you can
let them worry about the KAT values and use Alex's noise protocol test
vectors to catch issues with the special-form nonces:



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160508/8532621f/attachment.html>

More information about the Noise mailing list