Different values of "tag" in cifra and libsodium for the same function

Question

Different values of "tag" in cifra and libsodium for the same function

monicaphalswal opened this issue 7 years ago · comments

I am using void cf_chacha20poly1305_encrypt(const uint8_t key[32], const uint8_t nonce[12], const uint8_t *header, size_t nheader, const uint8_t *plaintext, size_t nbytes, uint8_t *ciphertext, uint8_t tag[16]) from cifra and
int crypto_aead_chacha20poly1305_ietf_encrypt_detached(unsigned char *c, unsigned char *mac, unsigned long long *maclen_p, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, const unsigned char *nsec, const unsigned char *npub, const unsigned char *k); from libsodium. Both of them are suppossed to produce the same ciphertext which they are doing but the tag is coming out to be different. I am not able to understand why this is happening. Please help.

Malte Janduda · Answer 1 · Fri Feb 24 2017 23:50:31 GMT+0800 (China Standard Time)

same problem here

Joe Birr-Pixton · Answer 2 · Sat Feb 25 2017 03:16:33 GMT+0800 (China Standard Time)

Could you post some code or test vectors?

I just tried:

key: 6b65792e6b65792e6b65792e6b65792e6b65792e6b65792e6b65792e6b65792e
nonce: 6e6f6e63652e6e6f6e63652e
aad: 616164
msg: 6d657373616765
cipher: 5d9c0a9fe7d5e5
tag: 2824af504fdce6e85fc9d80c7c2a9f38

And both libsodium/cifra agree. Cifra also passes the known answer tests in the RFC (though it's possible those are poorly designed and not exhaustive).

Joe Birr-Pixton · Answer 3 · Sat Feb 25 2017 03:32:52 GMT+0800 (China Standard Time)

Actually, the test vectors from the RFC don't cover |aad| == 0, and cifra gets this case wrong. Fix incoming.

Joe Birr-Pixton · Answer 4 · Sat Feb 25 2017 04:34:49 GMT+0800 (China Standard Time)

Fixed in b6cdf9f. Sorry for the inconvenience and thanks for the report.

Malte Janduda · Answer 5 · Mon Feb 27 2017 09:41:10 GMT+0800 (China Standard Time)

Great!
Thank you! :)