xaes: initial implementation #612

SergioBenitez · 2024-06-29T05:36:12Z

This is an initial implementation of XAES-256-GCM (re: #1) which passes the test vectors.

Would love a review, especially as it pertains to constant-time and zeroing (why isn't zeroize used to zero IVs?). I don't see an obvious constant-time byte-slice XOR in use elsewhere in Rust-Crypto, but please point to a canonical reference if possible. I also have not placed this behind any feature flags, yet. Finally, the primary structure XaesGcm256 is not parameterized in any way. If it's desirable to parameterize it in a similar fashion to AesGcm, please let me know.

aes-gcm/src/xaes.rs

aes-gcm/src/lib.rs

pinkforest · 2024-06-29T11:01:25Z

aes-gcm/tests/xaes256gcm.rs

+use common::TestVector;
+use hex_literal::hex;
+
+/// C2SP XAES-256-GCM test vectors


sidebar - would love if C2SP test vectors would be embedded in crate a-like of wycheproof-rs so test vectors can be updated independently to all associated impl's and no messing updating multiple places

aes-gcm/src/xaes.rs

pinkforest · 2024-06-29T11:34:18Z

gave you few nits - take em if you like ☺️

if you feel like it and if worried about non-ct anywhere:

https://github.com/Ledger-Donjon/cargo-checkct | https://www.ledger.com/blog-cargo-checkct-our-home-made-tool-guarding-against-timing-attacks-is-now-open-source
https://crates.io/crates/dudect-bencher - needs a crafted dataset though crypto-bigint | basic example

aes-gcm/src/xaes.rs

aes-gcm/tests/common/mod.rs

aes-gcm/src/xaes.rs

SergioBenitez · 2024-07-02T23:36:26Z

@newpavlov @tarcieri Any chance for a review here?

tarcieri · 2024-07-08T15:14:12Z

@SergioBenitez sorry, I've been on vacation. I'll look at this soon.

SergioBenitez · 2024-07-21T02:28:37Z

Checking in. Any chance to push this forward?

tarcieri · 2024-07-22T21:38:46Z

@SergioBenitez haven't had a whole lot of free time lately for code review but I still hope to review it soon

tarcieri · 2024-08-01T01:41:21Z

Sorry for the belated review.

On #1 we had discussed an xaes-gcm crate, but I now see there is already an xaes-gcm crate which implements the Derive-Key-AES-GCM construction, and I have not carefully looked at the differences between that and this construction.

I am a bit wary including the construction in the aes-gcm crate itself, which otherwise implements NIST standard constructions.

However, I'd also note the construction in the spec is called XAES-256-GCM, so how about an xaes-256-gcm crate instead, which is currently available?

SergioBenitez · 2024-08-09T11:21:53Z

Sure! Went ahead and published a -pre version to reserve the name. I also added you as an owner; feel free to use that as you wish. Looking forward to a review of the crate.

tarcieri

Sorry for the long delay in review! This looks good now.

tarcieri · 2024-10-15T17:01:28Z

@SergioBenitez attempted to do a Cargo.lock merge but it seems it didn't work. Can you take a look?

SergioBenitez force-pushed the xaes branch 3 times, most recently from 90897dd to 8c08e80 Compare June 29, 2024 05:41