On Sun, 15 Sep 2019 at 10:28, Niels Möller nisse@lysator.liu.se wrote:

> Dmitry Eremin-Solenikov dbaryshkov@gmail.com writes:
>
> > There will be a nonce for GMAC.
>
> Ok. If we keep set_nonce, we have to clarify what it means. There are a couple of cases, where the first two are relatively easy.
>
> nonce_size == 0, set_nonce == NULL: Never call set_nonce. This is the HMAC case.

Fine with me.

> nonce_size == 0, set_nonce != NULL: This could mean that the nonce is optional. Does that make any sense?

I don't think we should allow such constructions. Neither UMAC nor GMAC makes optional use of the nonce. And if we think further, the 3GPP MAC algorithms, which make use of a nonce, also have a non-optional, fixed-size nonce.

> nonce_size > 0, set_nonce != NULL: Would then be used for UMAC and GMAC.

Fine with me.

> For the last case, I have a couple of questions.
>
> The comment says "suggested nonce_size", but I take it only that one size is possible, since set_nonce is a nettle_set_key_func, with no length argument. Or do you intend to allow other sizes?
>
> I think I'd prefer a fixed size, to keep things simple, and treat variants with different nonce sizes as separate MAC algorithms, for this abstraction. Just like with the key size.

Fixed size. If one needs a variable nonce size, he can use the full interface.

> What should be the behavior for usage like
>
> ->set_key ->set_nonce ->update ->digest ->update ->digest
>
> with the second set_nonce missing?
>
> Should it just keep the nonce from the first digest? (Sounds a bit dangerous.) Or autoincrement? (That's what umac does, because it's defined in a way to make that more efficient.) Or be specified as invalid, triggering asserts whenever it is easy to detect?
>
> I think it has to be specified; it will be too confusing if UMAC behaves in one way and GMAC behaves differently.

I'd say that this is undefined behaviour. So, if one needs a fully predictable result, he should set the nonce each time. For GMAC the nonce MUST be set each time to a new value. For UMAC one can skip this call. We might want to refine this UB later.

Consider other MACs (like Kasumi F8/Snow3G UIA2/ZUC EIA3) which require a nonce and can have nonce autoincrement, but with complex rules.

BTW: I have written a library with the 3GPP encryption/integrity algorithms. The library follows the Nettle interface closely. I can publish it and/or submit it into nettle for inclusion. However, I am completely unsure about the patent status and enforcement for those algorithms. Do you know if somebody can advise me on this topic?

-- 
With best wishes
Dmitry
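Added example, not code from this thread or from Nettle: a small C checker that enforces the usage rules discussed above (a nonce-taking MAC must get a fresh nonce before every digest, and the descriptor must be one of the two consistent nonce_size/set_nonce combinations). The `mac_alg` descriptor, the `mac_guard` wrapper and the `toy_gmac_like` backend are hypothetical stand-ins; the backend is a non-cryptographic checksum used only so the checker can be exercised.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical descriptor mirroring the thread's abstraction (not Nettle's actual nettle_mac). */
struct mac_alg {
    size_t nonce_size;                                   /* 0: no nonce at all (HMAC case) */
    void (*set_key)(void *ctx, const uint8_t *key);
    void (*set_nonce)(void *ctx, const uint8_t *nonce);  /* NULL exactly when nonce_size == 0 */
    void (*update)(void *ctx, size_t len, const uint8_t *data);
    void (*digest)(void *ctx, size_t len, uint8_t *out);
};
enum { G_OK = 0, G_BAD_ALG = -1, G_NO_KEY = -2, G_NONCE_STALE = -3, G_NONCE_REUSED = -4 };
/* Usage-rule checker: key first, then a fresh nonce before every digest; repeating the previous
   nonce under the same key is rejected (only immediate repetition is detected, not older ones). */
struct mac_guard { const struct mac_alg *alg; void *ctx; int key_set, nonce_fresh, have_last; uint8_t last[32]; };
int guard_init(struct mac_guard *g, const struct mac_alg *a, void *ctx) {
    /* Only the two consistent (nonce_size, set_nonce) combinations from the thread are accepted. */
    int ok = (a->nonce_size == 0 && !a->set_nonce) || (a->nonce_size > 0 && a->nonce_size <= 32 && a->set_nonce);
    if (!ok) return G_BAD_ALG;
    memset(g, 0, sizeof *g); g->alg = a; g->ctx = ctx;
    return G_OK;
}
void guard_set_key(struct mac_guard *g, const uint8_t *key) {
    g->alg->set_key(g->ctx, key); g->key_set = 1; g->nonce_fresh = 0; g->have_last = 0;  /* new key: reset history */
}
int guard_set_nonce(struct mac_guard *g, const uint8_t *nonce) {
    if (!g->key_set) return G_NO_KEY;
    if (g->have_last && memcmp(g->last, nonce, g->alg->nonce_size) == 0) return G_NONCE_REUSED;
    memcpy(g->last, nonce, g->alg->nonce_size); g->have_last = 1;
    g->alg->set_nonce(g->ctx, nonce); g->nonce_fresh = 1;
    return G_OK;
}
int guard_digest(struct mac_guard *g, size_t len, const uint8_t *data, size_t outlen, uint8_t *out) {
    if (!g->key_set) return G_NO_KEY;
    if (g->alg->nonce_size > 0 && !g->nonce_fresh) return G_NONCE_STALE;  /* the "second set_nonce missing" case */
    g->alg->update(g->ctx, len, data); g->alg->digest(g->ctx, outlen, out);
    g->nonce_fresh = 0;  /* a digest consumes the nonce; the next one needs a new set_nonce */
    return G_OK;
}
/* Placeholder backend so the checker can be exercised: a non-cryptographic checksum, NOT a real MAC. */
struct toy_ctx { uint8_t key[16], nonce[12]; uint32_t acc; };
static void toy_set_key(void *c, const uint8_t *k) { struct toy_ctx *t = c; memcpy(t->key, k, 16); t->acc = 0; }
static void toy_set_nonce(void *c, const uint8_t *n) { struct toy_ctx *t = c; memcpy(t->nonce, n, 12); t->acc = 0; }
static void toy_update(void *c, size_t len, const uint8_t *d) { struct toy_ctx *t = c; while (len--) t->acc = t->acc * 31 + *d++; }
static void toy_digest(void *c, size_t len, uint8_t *out) {
    struct toy_ctx *t = c; uint32_t v = t->acc ^ t->key[0] ^ ((uint32_t)t->nonce[0] << 8);
    for (size_t i = 0; i < len && i < 4; i++) out[i] = (uint8_t)(v >> (8 * i));
    t->acc = 0;
}
const struct mac_alg toy_gmac_like = { 12, toy_set_key, toy_set_nonce, toy_update, toy_digest };
```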