C2SP / wycheproof

Project Wycheproof tests crypto libraries against known attacks.

Tag in Ascon-80pq test vector is incorrect

Gusted opened this issue

Hi,

I wanted to use Wycheproof to test my implementation of the Ascon cipher. I was already using the KAT test vectors from pyascon (one of the reference implementations), so I was caught by surprise that the computed tag for Ascon-80pq didn't match what Wycheproof was expecting. All of the test vectors flagged Pseudorandom were failing due to the mismatch of the tag; the ciphertext, on the other hand, was correct. I thought this was a fault in my implementation, but testing these vectors against the reference implementations of Ascon didn't yield the result that Wycheproof expects (for example, test vector 84):

C implementation

Using https://github.com/ascon/ascon-c

#include <stdio.h>
#include <string.h>

#include "api.h"
#include "crypto_aead.h"

void print(unsigned char c, unsigned char *x, unsigned long long xlen) {
  unsigned long long i;
  printf("%c[%d]=", c, (int)xlen);
  for (i = 0; i < xlen; ++i) printf("%02x", x[i]);
  printf("\n");
}

int main() {
  unsigned char n[CRYPTO_NPUBBYTES] = {36,  100, 126, 227, 13, 38, 50, 237,
                                       203, 225, 95,  60,  28, 26, 32, 71};
  unsigned char k[CRYPTO_KEYBYTES] = {84,  1,   235, 204, 159, 186, 226,
                                      210, 50,  126, 126, 98,  129, 53,
                                      182, 179, 243, 6,   161, 132};
  unsigned char a[65] = {21,  151, 43,  4,   224, 64,  173, 141, 125, 219, 147,
                         237, 43,  214, 130, 92,  54,  50,  187, 53,  203, 50,
                         219, 178, 103, 203, 92,  174, 169, 206, 64,  98,  155,
                         214, 229, 59,  191, 247, 171, 93,  36,  173, 107, 213,
                         175, 63,  182, 193, 134, 98,  65,  255, 17,  255, 32,
                         140, 59,  185, 202, 175, 52,  249, 189, 78,  235};
  unsigned char m[65] = {21,  87,  96,  159, 102, 213, 162, 235, 120, 59,  131,
                         246, 22,  124, 223, 62,  186, 233, 46,  122, 133, 3,
                         89,  60,  203, 239, 128, 33,  72,  110, 207, 186, 75,
                         255, 20,  89,  15,  226, 205, 184, 57,  217, 48,  38,
                         130, 106, 111, 189, 130, 250, 181, 166, 175, 28,  108,
                         181, 75,  194, 14,  33,  131, 136, 238, 213, 129};
  unsigned char c[65 + 32], t[32];
  unsigned long long alen = 65;
  unsigned long long mlen = 65;
  unsigned long long clen = CRYPTO_ABYTES;
  int result = 0;
  
    print('k', k, CRYPTO_KEYBYTES);
  printf(" ");
  print('n', n, CRYPTO_NPUBBYTES);
  printf("\n");
  print('a', a, alen);
  printf(" ");
  print('m', m, mlen);
  printf(" -> ");
  result = crypto_aead_encrypt(c, &clen, m, mlen, a, alen, (void *)0, n, k);
  print('c', c, clen - CRYPTO_ABYTES);
  printf(" ");
  print('t', c + clen - CRYPTO_ABYTES, CRYPTO_ABYTES);
  return result;
}

Python implementation

Using https://github.com/meichlseder/pyascon

import ascon

key = bytes.fromhex('5401ebcc9fbae2d2327e7e628135b6b3f306a184')
nonce = bytes.fromhex('24647ee30d2632edcbe15f3c1c1a2047')
associateddata = bytes.fromhex('15972b04e040ad8d7ddb93ed2bd6825c3632bb35cb32dbb267cb5caea9ce40629bd6e53bbff7ab5d24ad6bd5af3fb6c1866241ff11ff208c3bb9caaf34f9bd4eeb')
plaintext = bytes.fromhex('1557609f66d5a2eb783b83f6167cdf3ebae92e7a8503593ccbef8021486ecfba4bff14590fe2cdb839d93026826a6fbd82fab5a6af1c6cb54bc20e218388eed581')

ciphertext = ascon.encrypt(key, nonce, associateddata, plaintext, "Ascon-80pq")
    
print(f"key: {key.hex()}")
print(f"plaintext: {plaintext.hex()}")
print(f"ass.data: {associateddata.hex()}")
print(f"ciphertext: {ciphertext[:-16].hex()}")
print(f"tag: {ciphertext[-16:].hex()}")

Both implementations (and my implementation) say that ccd345de03169a3e5c2cc27c58c43a62 is the correct tag instead of what Wycheproof claims, e32cd6424cab0c59c528db6f70b81a86. Are the reference implementations wrong here, or is Wycheproof wrong here?

Most likely the test vectors in Wycheproof are wrong. I suspect that there is some problem with the finalization. However, I don't have access to the generation code anymore, hence I can't check what is wrong. Ascon-80pq needs a slight modification from the other versions. Possibly, I've overlooked this.
The reference code that you mentioned above does implement the finalization correctly, as far as I could check.
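
The finalization step discussed in this thread, as an added example that is not part of the issue and is not code from pyascon, ascon-c or Wycheproof: a compact Ascon v1.2 AEAD covering Ascon-128 and Ascon-80pq, with the test vector 84 inputs posted above. The `fin_key` parameter is a hypothetical hook used only to show that a deviation confined to finalization changes the tag while the ciphertext stays intact; it is not claimed to reproduce how the Wycheproof vectors were generated.

```python
# Added example (not pyascon or ascon-c code): Ascon v1.2 AEAD, rate 8, a=12, b=6.
MASK = 0xFFFFFFFFFFFFFFFF

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def permute(S, rounds):
    for r in range(12 - rounds, 12):
        S[2] ^= 0xF0 - r * 0x10 + r                   # round constant
        S[0] ^= S[4]; S[4] ^= S[3]; S[2] ^= S[1]       # S-box layer
        T = [(S[i] ^ MASK) & S[(i + 1) % 5] for i in range(5)]
        S[:] = [S[i] ^ T[(i + 1) % 5] for i in range(5)]
        S[1] ^= S[0]; S[0] ^= S[4]; S[3] ^= S[2]; S[2] ^= MASK
        for i, (a, b) in enumerate([(19, 28), (61, 39), (1, 6), (10, 17), (7, 41)]):
            S[i] ^= rotr(S[i], a) ^ rotr(S[i], b)      # linear diffusion layer

def words(data, pad=False):
    data += b"\x80" + bytes(7 - len(data) % 8) if pad else b""
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]

def encrypt(key, nonce, ad, msg, fin_key=None):
    """Return (ct, tag). fin_key: hypothetical hook overriding the key absorbed in finalization."""
    assert len(key) in (16, 20) and len(nonce) == 16   # Ascon-128 / Ascon-80pq
    iv = bytes([len(key) * 8, 64, 12, 6]).ljust(24 - len(key), b"\0")  # a0400c06 for 80pq
    S = words(iv + key + nonce)
    permute(S, 12)
    S = [s ^ w for s, w in zip(S, words(key.rjust(40, b"\0")))]
    for w in words(ad, pad=True) if ad else []:
        S[0] ^= w
        permute(S, 6)
    S[4] ^= 1                                          # domain separation
    blocks, ct = words(msg, pad=True), b""
    for i, w in enumerate(blocks):
        S[0] ^= w
        ct += S[0].to_bytes(8, "big")
        if i < len(blocks) - 1:                        # no permutation after last block
            permute(S, 6)
    ct = ct[:len(msg)]                                 # ciphertext is complete here
    # Finalization: key[0:8], key[8:16], key[16:] || 0* into S[1..3]; third word is 0 for Ascon-128.
    fk = words((key if fin_key is None else fin_key).ljust(24, b"\0"))
    S[1] ^= fk[0]; S[2] ^= fk[1]; S[3] ^= fk[2]
    permute(S, 12)
    tail = words(key[-16:])
    return ct, b"".join((S[3 + i] ^ tail[i]).to_bytes(8, "big") for i in range(2))

KEY = bytes.fromhex("5401ebcc9fbae2d2327e7e628135b6b3f306a184")  # vector 84 inputs from the issue
NONCE = bytes.fromhex("24647ee30d2632edcbe15f3c1c1a2047")
AD = bytes.fromhex("15972b04e040ad8d7ddb93ed2bd6825c3632bb35cb32dbb267cb5caea9ce40629bd6e53bbff7ab5d24ad6bd5af3fb6c1866241ff11ff208c3bb9caaf34f9bd4eeb")
MSG = bytes.fromhex("1557609f66d5a2eb783b83f6167cdf3ebae92e7a8503593ccbef8021486ecfba4bff14590fe2cdb839d93026826a6fbd82fab5a6af1c6cb54bc20e218388eed581")
```

Calling `encrypt(KEY, NONCE, AD, MSG)` gives the ciphertext and tag separately, so a mismatch against a test vector can be attributed to the data-processing phase or to finalization. Passing `fin_key=KEY[:16]` (dropping the last 32 key bits from the finalization XOR) leaves the ciphertext unchanged and changes only the tag.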