I'm implementing an OCB-AES cipher (described in RFC 7253), and now I have to call the AES encipher function (I'll refer to it as AES-256, described in FIPS 197).

Pre-summary: I'm not sure which encipher function FIPS 197 refers to. Of course, it should be the cipher function; however, the function parameters are different.

Here's an excerpt from OCB's "associated data hash function":

   Function name:
     HASH
   Input:
     K, string of KEYLEN bits                      // Key
     A, string of any length                       // Associated data
   Output:
     Sum, string of 128 bits                       // Hash result
   Sum is defined as follows.
     //
     // Key-dependent variables
     //
     L_* = ENCIPHER(K, zeros(128))
     L_$ = double(L_*)
     ...

Another excerpt from OCB:

To be complete, the algorithms in this document require ... a blockcipher operating on 128-bit blocks...

...

ENCIPHER(K,P) The blockcipher function mapping 128-bit plaintext block P to its corresponding ciphertext block using KEYLEN-bit [256-bit] key K.

So, I jumped to FIPS 197. Here's the cipher function:

Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
    byte state[4,Nb]
    state = in
    AddRoundKey(state, w[0, Nb-1])                      // See Sec. 5.1.4
    for round = 1 step 1 to Nr-1
        SubBytes(state)                                 // See Sec. 5.1.1
        ShiftRows(state)                                // See Sec. 5.1.2
        MixColumns(state)                               // See Sec. 5.1.3
        AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
    end for
    SubBytes(state)
    ShiftRows(state)
    AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
    out = state
end

After looking at the table (where $1 \text{ word} = 4 \text{ bytes}$):

$$\begin{array}{|c|c|c|c|}& \text{Key length }(Nk \text{ words)} & \text{Block size } (Nb \text{ words)} & \text{Number of rounds }(Nr)\\\text{AES }128&4&4&10 \\\text{AES }192&6&4&12\\\text{AES }256&8&4&14\end{array}$$

Paraphrasing only the input parameters for $256$:

void cipher(char in[16], char w[240]);

Here's the main point: the first excerpt wants me to call the AES-256 cipher with 1) the key and 2) 16 bytes of zeros. How can I pass the 256-bit key and the 128-bit zero block? One parameter has $240$ bytes and the other has $16$. Is my "function prototype" for the cipher wrong, or do I need to use key expansion, etc., somehow?

Patriot
MCCCS

1 Answer

The 256-bit K of OCB-AES must first go through FIPS 197's

KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)], Nk)

where key[4*Nk] is transformed into w[Nb*(Nr+1)] (32×4×(14+1) = 1920-bit), which is the last input of

Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])

fgrieu
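The chain the answer describes, written out in C as an added example (not code from the question, the answer, RFC 7253 or FIPS 197): `encipher` takes the 32-byte K, runs KeyExpansion to get the 240-byte schedule, and hands that schedule to the cipher together with the 16-byte block. The function names are this example's own, and the schedule is held as 240 bytes, as in the question's prototype, rather than as 60 words.

```c
#include <stdint.h>
#include <string.h>
enum { Nk = 8, Nb = 4, Nr = 14 };   /* AES-256 row of the FIPS 197 table */
/* GF(2^8) product and S-box, computed rather than tabulated; not constant-time. */
static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (; b; b >>= 1, a = (uint8_t)((a << 1) ^ ((a >> 7) * 0x1b))) if (b & 1) p ^= a;
    return p;
}
static uint8_t sbox(uint8_t x) {     /* multiplicative inverse, then affine map */
    unsigned inv = 0, v;
    for (unsigned i = 1; i < 256; i++) if (gmul(x, (uint8_t)i) == 1) inv = i;
    v = inv ^ (inv << 1) ^ (inv << 2) ^ (inv << 3) ^ (inv << 4);  /* rotations, unfolded */
    return (uint8_t)(v ^ (v >> 8) ^ 0x63);
}

/* KeyExpansion for Nk = 8: 32 key bytes in, 4*Nb*(Nr+1) = 240 round-key bytes out. */
void key_expansion(const uint8_t key[32], uint8_t w[240]) {
    uint8_t rcon = 1, t[4], t0;
    memcpy(w, key, 4 * Nk);
    for (int i = Nk; i < Nb * (Nr + 1); i++) {
        memcpy(t, w + 4 * (i - 1), 4);
        if (i % Nk == 0) { t0 = t[0]; memmove(t, t + 1, 3); t[3] = t0; }  /* RotWord */
        if (i % 4 == 0) for (int j = 0; j < 4; j++) t[j] = sbox(t[j]);    /* SubWord */
        if (i % Nk == 0) { t[0] ^= rcon; rcon = gmul(rcon, 2); }          /* Rcon */
        for (int j = 0; j < 4; j++) w[4 * i + j] = w[4 * (i - Nk) + j] ^ t[j];
    }
}

/* Cipher: the last argument is the expanded schedule w, never the raw key. */
void cipher(const uint8_t in[16], uint8_t out[16], const uint8_t w[240]) {
    uint8_t t[16];                     /* out doubles as the state array */
    for (int i = 0; i < 16; i++) out[i] = in[i] ^ w[i];                  /* AddRoundKey */
    for (int round = 1; round <= Nr; round++) {
        for (int i = 0; i < 16; i++) t[i] = sbox(out[(i + 4 * (i % 4)) % 16]); /* SubBytes+ShiftRows */
        for (int i = 0; i < 16; i++) {     /* MixColumns (not in round Nr), AddRoundKey */
            const uint8_t *col = t + (i & ~3);
            out[i] = (round == Nr ? t[i] : gmul(col[i & 3], 2) ^ gmul(col[(i + 1) & 3], 3)
                      ^ col[(i + 2) & 3] ^ col[(i + 3) & 3]) ^ w[16 * round + i];
        }
    }
}

/* ENCIPHER(K, P) of RFC 7253 with KEYLEN = 256: expand the key, encrypt one block. */
void encipher(const uint8_t K[32], const uint8_t P[16], uint8_t C[16]) {
    uint8_t w[240];
    key_expansion(K, w);
    cipher(P, C, w);
}
```

In an OCB implementation, run `key_expansion` once per key and reuse `w` for every block instead of expanding on each ENCIPHER call.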