Implement a secure ICS protocol targeting LoRa Node151 microcontroller for controlling irrigation.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1059 lines
59 KiB

  1. <!DOCTYPE html>
  2. <html lang="en">
  3. <head>
  4. <meta charset="utf-8" />
  5. <title>Strobe protocol framework</title>
  6. <link rel="stylesheet" type="text/css" href="/style.css"/>
  7. </head>
  8. <body>
  9. <h1><a href="/"><span class="sc">Strobe</span> protocol framework</a></h1>
  10. <div id="nav">
  11. <a href="/">overview</a>
  12. <a href="/specs/" class="here">specification</a>
  13. <a href="/examples/">example protocols</a>
  14. <a href="/code/">code</a>
  15. <a href="/papers/">papers</a>
  16. </div>
  17. <h2>Scope</h2>
  18. <p>This spec describes the operation of the <span class="sc">Strobe</span>
  19. framework. It only covers the symmetric portion. For applications
  20. including elliptic curve crypto, see the <a href="/examples/">examples</a>
  21. page.
  22. </p>
  23. <h2>Table of Contents</h2>
  24. <div class="toc">
  25. <h2><a href="#version">Version</a></h2>
  26. <h2><a href="#defns">Definitions and notation</a></h2>
  27. <h3><a href="#defns.fmt">Formatting</a></h3>
  28. <h2><a href="#instances"><span class="sc">Strobe</span> Instances</a></h2>
  29. <h2><a href="#params"><span class="sc">Strobe</span> parameters</a></h2>
  30. <h2><a href="#object">State of a <span class="sc">Strobe</span> object</a></h2>
  31. <h3><a href="#object.initial">Initial state</a></h3>
  32. <h2><a href="#ops"><span class="sc">Strobe</span> operations</a></h2>
  33. <h3><a href="#ops.bare">Low-level operations</a></h3>
  34. <h4><a href="#ops.bare.ad"><code>AD</code>: Provide associated data</a></h4>
  35. <h4><a href="#ops.bare.key"><code>KEY</code>: Provide cipher key</a></h4>
  36. <h4><a href="#ops.bare.clr"><code>CLR</code>: Send or receive cleartext data</a></h4>
  37. <h4><a href="#ops.bare.enc"><code>ENC</code>: Send or receive encrypted data</a></h4>
  38. <h4><a href="#ops.bare.mac"><code>MAC</code>: Send or receive message authentication code</a></h4>
  39. <h4><a href="#ops.bare.prf"><code>PRF</code>: Extract hash / pseudorandom data</a></h4>
  40. <h4><a href="#ops.bare.ratchet"><code>RATCHET</code>: Prevent rollback</a></h4>
  41. <h3><a href="#ops.flags">Operations and flags</a></h3>
  42. <h4><a href="#ops.flags.table">Flags for the defined operations</a></h4>
  43. <h3><a href="#ops.comp">Composite operations</a></h3>
  44. <h2><a href="#ops.impl">Implementation of operations</a></h2>
  45. <h3><a href="#ops.impl.runf">Duplexing and running <var>F</var></a></h3>
  46. <h3><a href="#ops.impl.init">Initialization</a></h3>
  47. <h3><a href="#ops.impl.begin">Beginning an operation</a></h3>
  48. <h3><a href="#ops.impl.byte">Main operation code</a></h3>
  49. </div>
  50. <h2 id="version">Version</h2>
  51. <p>This specification describes <span class="sc">Strobe</span> version 1.0.2.
  52. It has been revised for clarity since that version was released. Special thanks
  53. to David Wong for his feedback on the specification.
  54. </p>
  55. <h2 id="defns">Definitions and notation</h2>
  56. <p><span class="sc">Strobe</span> is useful for building both symmetric cryptosystems
  57. and protocols. For simplicity, these are both referred to as "protocols". For example,
  58. in an encryption protocol, Alice sends an encrypted and authenticated message to Bob, but Bob
  59. does not send any messages back.
  60. </p>
  61. <p><span class="sc">Strobe</span> protocols exchange data over some sort of
  62. <em>transport</em>. For most protocols
  63. </p>
  64. <p>To disambiguate the two parties of a network protocol, <span class="sc">Strobe</span>
  65. assigns them each a role as an <em>initiator</em> or <em>responder</em>.
  66. </p>
  67. <ul><li>
  68. A party to a protocol is the <em>initiator</em> if it sent
  69. a message to the transport before receiving any messages from the transport.
  70. </li><li>
  71. A party is the <em>responder</em> if it received a message from the transport before
  72. sending any messages to the transport.
  73. </li><li>A party which has neither sent nor received any messages is <em>undecided</em>.
  74. </li></ul>
  75. <p>Parties start out as undecided, and become an initiator or responder if and when
  76. they send or receive a message via the transport.</p>
  77. <p><span class="sc">Strobe</span> operates exclusively on bytes, which are elements
  78. of the set [0,...,255]. However, sometimes a length field is required which is
  79. larger than one byte. Furthermore, in extensions of <span class="sc">Strobe</span>,
  80. such as the key tree, we will need elements smaller than one byte. In either case,
  81. <span class="sc">Strobe</span> follows a little-endian convention.
  82. </p>
  83. <h3 id="defns.fmt">Formatting</h3>
  84. <p>Variables are formatted like <var>this</var>.</p>
  85. <p><code>Inline code is formatted like this.</code></p>
  86. <pre>Blocks of code are formatted like this.</pre>
  87. <p class="comment">Non-normative comments are formatted like this.</p>
  88. <p class="warning">Non-normative warnings are formatted like this.</p>
  89. <h2 id="instances"><span class="sc">Strobe</span> Instances</h2>
  90. <p>There are several paremeters in the <span class="sc">Strobe</span> framework.
  91. It can use many different rates, permutations and padding modes. These
  92. are detailed in the <a href="/papers">paper</a>. This specification
  93. only describes the following recommended instances:
  94. </p>
  95. <ul><li>
  96. <span class="sc">Strobe</span>-128/1600 and <span class="sc">Strobe</span>-256/1600
  97. for standards compliance.
  98. </li>
  99. <li>
  100. <span class="sc">Strobe</span>-128/800 and <span class="sc">Strobe</span>-256/800
  101. for 32-bit microcontrollers.
  102. </li>
  103. <li>
  104. <span class="sc">Strobe</span>-128/400 for 16-bit microcontrollers and small hardware.
  105. </li></ul>
  106. <p class="comment">
  107. <span class="sc">Strobe</span>-128/1600 and <span class="sc">Strobe</span>-256/1600
  108. are based on the <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf">
  109. cSHAKE specification</a> from NIST.
  110. </p>
  111. <h2 id="params"><span class="sc">Strobe</span> parameters</h2>
  112. <p>Let <var>b</var> be either 400, 800 or 1600. Let <var>F</var> be the function
  113. <span class="sc">Keccak</span>-<i>f</i>[<var>b</var>]. Let <var>N</var> =
  114. <var>b</var>/8. <span class="sc">Strobe</span> treats
  115. <var>F</var> as a function which takes as input an array of <var>N</var> bytes
  116. and returns another array of <var>N</var> bytes.
  117. </p>
  118. <p>
  119. Let <var>sec</var> be a target security level, either 128 or 256 bits.
  120. <span class="comment">
  121. <span class="sc">Strobe</span> has 2*<var>sec</var> bits of
  122. secret state. As a result, it is somewhat stronger than a block cipher with
  123. <var>sec</var>-bit key. Depending on the exact protocol,
  124. it may achieve security comparable to a 2*<var>sec</var>-bit
  125. block cipher (as in <a href="https://eprint.iacr.org/2014/">this paper</a>).
  126. In other scenarios &mdash; particularly when used as an unkeyed hash &mdash;
  127. it only has <var>sec</var> bits of security.
  128. A future version might add a way to change the rate after a key has been
  129. entered.
  130. </span>
  131. </p>
  132. <p>Let <var>R</var> = <var>N</var> - (2*<var>sec</var>)/8 - 2. This will be the number
  133. of bytes in a <span class="sc">Strobe</span> block. It is required that
  134. 1 &leq; <var>R</var> &lt; 254. This means that <var>b</var> = 400 is incompatible
  135. with <var>sec</var> = 256.
  136. <span class="comment">
  137. Obviously <var>R</var> &geq; 1 is required so that <span class="sc">Strobe</span>
  138. can get any work done at all. The requirement that <var>R</var> &le; 254 is
  139. so that offsets can be represented in one byte. In the existing protocol, this
  140. can result in offsets up to <var>R</var>, which would imply that <var>R</var> &le; 255.
  141. The requirement <var>R</var> &le; 254 is a hedge to allow future modifications.
  142. In any case, it is automatically true for any <span class="sc">Keccak</span>-based
  143. protocol, because <var>R</var> &lt; 1600/8 = 200.
  144. </span>
  145. </p>
  146. <p>Let <var>X</var>, <var>Y</var> and <var>Z</var> be single digits, representing a
  147. major, minor and patch version of <span class="sc">Strobe</span>.
  148. </p>
  149. <p>
  150. The parameters below define the protocol framework called
  151. "<span class="sc">Strobe</span>-<span class="sc">Keccak</span>-<var>sec</var>/<var>b</var>-v1.0.2",
  152. which is abbreviated to "<span class="sc">Strobe</span>-<var>sec</var>/<var>b</var>".
  153. In general, the name would be
  154. "<span class="sc">Strobe</span>-<var>F</var>-<var>sec</var>/<var>b</var>-v<var>X</var>.<var>Y</var>.<var>Z</var>".
  155. </p>
  156. <h2 id="object">State of a <span class="sc">Strobe</span> object</h2>
  157. <p>A <span class="sc">Strobe</span> object has the following state variables:
  158. </p>
  159. <ul class="wide">
  160. <li>A duplex state <var>st</var>, which is an array of <var>N</var> bytes.</li>
  161. <li>A position <var>pos</var>, where 0 &le;
  162. <var>pos</var> &le; <var>R</var>.
  163. This is the position in the duplex state where the next byte will be processed.
  164. </li>
  165. <li>A position <var>pos<sub>begin</sub></var>, where 0 &le;
  166. <var>pos<sub>begin</sub></var> &le; <var>R</var>.
  167. This is the position in the duplex state which is 1 after the beginning of
  168. the current operation, or 0 if no operation began in this block.
  169. </li>
  170. <li>A variable <var>I<sub>0</sub></var> which is 0, 1 or <code>None</code>.
  171. This variable describes the role of this party in the protocol. The role
  172. begins as <em>undecided</em> (<var>I<sub>0</sub></var> = <code>None</code>),
  173. and stays that way until the party either sends or receives a message on
  174. the transport. At that point the party's role becomes <em>initiator</em>
  175. (with <var>I<sub>0</sub></var> = 0) if it sent the message, or <em>responder</em>
  176. (<var>I<sub>0</sub></var> = 1) if it received the message.
  177. <span class="comment">
  178. The purpose of <var>I<sub>0</sub></var> is to keep protocol transcripts
  179. consistent. <span class="sc">Strobe</span> hashes not only the messages
  180. that are sent, but also metadata about who sent them. It would be no good if
  181. Alice hashed "I sent a message" and Bob hashed "I received a message", because
  182. their hashes would be different. Instead, they hash metadata amounting to
  183. "The initiator sent this message" or "the responder sent this message.
  184. </span>
  185. </li>
  186. <h3 id="object.initial">Initial state</h3>
  187. <p>The initial state of the object is as follows:</p>
  188. <ul class="wide">
  189. <li><code><var>st</var> = <var>F</var>( [0x01, <var>R</var>+2, 0x01, 0x00, 0x01, 0x60] +
  190. ascii("STROBEv<var>X</var>.<var>Y</var>.<var>Z</var>"))
  191. </code>
  192. <span class="comment">
  193. Here <code>+</code> denotes concatenation, as in Python.
  194. The <var>X</var>,
  195. <var>Y</var>, and <var>Z</var> are the major, minor and patch
  196. version of the <span class="sc">Strobe</span> protocol.
  197. The trailing <code>...</code> is means enough zeros to fill out
  198. the domain of the function <var>F</var>
  199. </span>
  200. <span class="comment">
  201. This format is chosen for compatibility with
  202. <a href="https://csrc.nist.gov/publications/drafts/800-185/sp800_185_draft.pdf">cSHAKE</a>.
  203. The description of the initial state involves multiple calls to <var>F</var>
  204. if <var>R</var> is less than 15 bytes,
  205. but this isn't the case for any of the recommended instances. The
  206. <a href="#ops.impl.init">Python code below</a> covers the general case.
  207. </span>
  208. </li>
  209. <li><code><var>pos</var> = <var>pos<sub>begin</sub></var> = 0</code></li>
  210. <li><code><var>I<sub>0</sub></var> = None</code></li>
  211. </ul>
  212. <p>Following this initialization, the first operation must be a <code>meta-AD</code>
  213. operation whose data is a protocol-specific string. This separates
  214. <span class="sc">Strobe</span> instances from each other. This operation is also
  215. known as customization, personalization, domain separation or diversification.
  216. </p>
  217. <h2 id="ops"><span class="sc">Strobe</span> operations</h2>
  218. <p>A <span class="sc">Strobe</span> protocol execution is composed of a sequence of
  219. <em>operations</em>. There may be any number of operations in any order.
  220. Which operations are performed may be determined at runtime. Each operation can
  221. process an arbitrary amount of data, but always in multiples of one byte. The data is
  222. processed in a streaming fashion, one byte at a time. The protocol can determine
  223. the amount of data to process on the fly, even after an operation has begun.
  224. In python notation, the sequence
  225. <pre>
  226. <var>strobe</var>.send_ENC("A long");
  227. <var>strobe</var>.send_ENC(" message",more=True);
  228. </pre>
  229. will do exactly the same thing as
  230. <pre><var>strobe</var>.send_ENC("A long message");</pre>
  231. but <b>not</b> the same thing as
  232. <pre>
  233. <var>strobe</var>.send_ENC("A long");
  234. <var>strobe</var>.send_ENC(" message");
  235. </pre>
  236. This last piece of code performs two separate <code>ENC</code> operations, whereas
  237. the others each only do one operation.
  238. </p>
  239. <p>
  240. <span class="sc">Strobe</span>'s operations are low-level, and a protocol
  241. will be a combination of many of them.
  242. For example, an AEAD system might be comprised of a key (<code>KEY</code>),
  243. an associated datum (<code>AD</code>), an encrypted message
  244. (<code>ENC</code>) and a
  245. message authentication code (<code>MAC</code>). It might use further operations
  246. for framing, context and metadata. This specification first describes the operations, and then
  247. recommends how to combine them.
  248. </p>
  249. <p>
  250. <span class="sc">Strobe</span> is based on <span class="sc">Keccak</span>-<i>f</i>.
  251. <span class="sc">Keccak</span>-<i>f</i> is somewhat slow in software, and it can have
  252. a rather wide block size &emdash; up to 168 bytes of rate. <span class="sc">Strobe</span>
  253. operations may be rather small. In particular, they are used for framing data,
  254. which is generally only a few bytes. To reduce overhead, <span class="sc">Strobe</span>
  255. packs multiple operations into one block when possible. It is not always possible,
  256. though. In particular, operations such as <code>ENC</code> and <code>MAC</code>
  257. must produce output that depend on all previous inputs. For such operations,
  258. <span class="sc">Strobe</span> runs <var>F</var> and begins a new block.
  259. </p>
  260. <p class="comment">
  261. The paper specifies a variant, called &quot;<span class="sc">Strobe</span> lite&quot;,
  262. which always begins a new block for every new operation. This is designed for
  263. lightweight hardware, where <var>F</var> is probably much smaller and there is
  264. little gain from packing multiple operations into one block.
  265. </p>
  266. <h3 id="ops.bare">Low-level operations</h3>
  267. <p><span class="sc">Strobe</span> supports 7 low-level operations. Of these,
  268. the 3 which use the transport exist in <code>send</code> and <code>recv</code>
  269. directions.
  270. </p>
  271. <p class="comment">
  272. If Alice sends a message to Bob, Alice will use a <code>send</code> operation
  273. (such as <code>send_ENC</code>) and Bob will use the corresponding <code>recv</code>
  274. operation (<code>recv_ENC</code>). <span class="sc">Strobe</span> takes this into
  275. account when hashing the operations, so that Alice's duplex state will match Bob's
  276. when they execute corresponding operations.
  277. </p>
  278. <p>
  279. For any operation, there is a corresponding "<code>meta</code>" variant. The
  280. <code>meta</code> operation works exactly the same way as the ordinary operation.
  281. The two are distinguished only in an "<code>M</code>" bit that is hashed into
  282. the protocol transcript for the <code>meta</code> operations. This is used to
  283. prevent ambiguity in protocol transcripts. This specification describes uses
  284. for certain <code>meta</code> operations. The others are still legal,
  285. but their use is not recommended.
  286. The usage of the <code>meta</code> flag is described below in
  287. <a href="#ops.comp">Section 6.3</a>.
  288. </p>
  289. <p>The operations are:</p>
  290. <ul>
  291. <li><a href="#ops.bare.ad"><code>AD</code>: Provide associated data</a></li>
  292. <li><a href="#ops.bare.key"><code>KEY</code>: Provide cipher key</a></li>
  293. <li><a href="#ops.bare.clr"><code>CLR</code>: Send or receive cleartext data</a></li>
  294. <li><a href="#ops.bare.enc"><code>ENC</code>: Send or receive encrypted data</a></li>
  295. <li><a href="#ops.bare.mac"><code>MAC</code>: Send or receive message authentication code</a></li>
  296. <li><a href="#ops.bare.prf"><code>PRF</code>: Extract hash / pseudorandom data</a></li>
  297. <li><a href="#ops.bare.ratchet"><code>RATCHET</code>: Prevent rollback</a></li>
  298. </ul>
  299. <p>This section describes the rough behavior of these operations, not how they are
  300. implemented. The exact behavior and implementation are described
  301. in <a href="#ops.impl">Section 7</a>. Each operation also lists the flags
  302. which describe it. Their meaning is described in <a href="#ops.flags">Section 6.2</a>.
  303. </p>
  304. <h4 id="ops.bare.ad"><code>AD</code>: Provide associated data</h4>
  305. <div class="impl">
  306. <ul>
  307. <li>Flags: <code>A</code>.
  308. <li>Behavior: Xor bytes of the associated data into the state.</li>
  309. </ul>
  310. </div>
  311. <p>The <code>AD</code> operation adds associated data to the state.
  312. This data must be known to both parties, and will not be transmitted.
  313. Future outputs from the <span class="sc">Strobe</span> object will depend
  314. on the supplied data.
  315. </p>
  316. <ul><li>A <code>meta_AD</code> operation describes the protocol's interpretation
  317. of the following operation.</li></ul>
  318. <h4 id="ops.bare.key"><code>KEY</code>: Provide cipher key</h4>
  319. <div class="impl">
  320. <ul>
  321. <li>Flags: <code>AC</code>.
  322. <li>Behavior: Run <var>F</var> to begin a new block, then overwrite bytes of the state with bytes of the key.</li>
  323. </ul>
  324. </div>
  325. <p>The <code>KEY</code> operation sets a symmetric key.
  326. If there is already a key, the new key will be cryptographically combined with it.
  327. This key will be used to produce all future cryptographic outputs from
  328. the <span class="sc">Strobe</span> object.
  329. </p>
  330. <div class="comment">
  331. Every crypto operation in <span class="sc">Strobe</span> depends on a running
  332. hash of all data which has been entered into it. As a result, the
  333. <code>KEY</code> operation has very similar semantics to <code>AD</code>.
  334. Both of them absorb data without transmitting it, and affect all future operations.
  335. That said, <code>KEY</code> differs from <code>AD</code> in three ways:
  336. <ul><li><code>KEY</code> ratchets the state to preserve forward secrecy.
  337. It does this by overwriting
  338. state bytes with the new key instead of xoring. This mitigates attacks
  339. if an attacker somehow compromises the application later.
  340. <span class="sc">Strobe</span> doesn't do this with most other operations,
  341. such as <code>AD</code>, because it would slightly reduce the entropy of the state.
  342. </li>
  343. <li><code>KEY</code> starts a new block internally. This is needed for ratcheting,
  344. and might also help with a future
  345. security analysis in the standard model.</li>
  346. <li>Future authors might want to incorporate some of
  347. <span class="sc">Strobe</span>'s operations into their protocol frameworks.
  348. If those frameworks don't use sponges, they will need to handle
  349. <code>KEY</code> differently from <code>AD</code>.</li>
  350. </ul>
  351. </div>
  352. <h4 id="ops.bare.clr"><code>CLR</code>: Send or receive cleartext data</h4>
  353. <div class="impl">
  354. <ul>
  355. <li>Flags: <code>AT</code> or <code>IAT</code>.
  356. <li>Behavior: send or receive plaintext data, and xor it into the state.</li>
  357. </ul>
  358. </div>
  359. <p><code>send_CLR</code> sends a message in clear text.
  360. <code>recv_CLR</code> receives a message in clear text.
  361. </p>
  362. <ul>
  363. <li><code>send_meta_CLR</code> and <code>recv_meta_CLR</code>
  364. are used to send and receive framing data.
  365. </ul>
  366. <p class="warning">
  367. The <code>recv_CLR</code> and <code>recv_meta_CLR</code> operations don't verify
  368. the integrity of the
  369. incoming message. For this, follow <code>send_CLR</code> with <code>send_MAC</code>
  370. on the sending side,
  371. and follow <code>recv_CLR</code> with <code>recv_MAC</code> on the receiving side.
  372. <br/><br/>
  373. In some scenarios, one cannot check a MAC for protocol or performance
  374. reasons. For example, until the two parties share a secret key, a MAC defends only
  375. against accidental corruption and not against malicious modification.
  376. <br/><br/>
  377. <span class="sc">Strobe</span> explicitly supports MACs on framing data. However,
  378. to save bandwidth, most protocols do not MAC their framing data until they have
  379. sent/received the framed data as well. This means that extra care must be used
  380. with framing data, especially lengths.
  381. </p>
  382. <h4 id="ops.bare.enc"><code>ENC</code>: Send or receive encrypted data</h4>
  383. <div class="impl">
  384. <ul>
  385. <li>Flags: <code>ACT</code> or <code>IACT</code>.
  386. <li>Behavior of <code>send-ENC</code>: Run <var>F</var> to begin a new block.
  387. Xor the plaintext with the state, which produces
  388. both a new state and a ciphertext. Send the ciphertext to the other party.</li>
  389. <li>Behavior of <code>recv-ENC</code>: Run <var>F</var> to begin a new block.
  390. Receive a ciphertext, and xor it with the state
  391. to obtain a plaintext. Bytes of the state are overwritten by bytes of the ciphertext.</li>
  392. </ul>
  393. </div>
  394. <p><code>send_ENC</code> encrypts a message and sends it to the transport.
  395. <code>recv_ENC</code> receives a message from the transport and decrypts it.
  396. The encryption does not include authentication. The length of the encrypted
  397. message is the same as the length of the plaintext message.
  398. </p>
  399. <ul>
  400. <li><code>send_meta_ENC</code> and <code>recv_meta_ENC</code>
  401. are used for encrypted framing data.
  402. </ul>
  403. <p><span class="sc">Strobe</span>'s encryption mode keeps the message confidential
  404. (except for its length)
  405. so long as the session transcript up to this point is <em>secret</em> and,
  406. for the sender, <em>unique</em>.
  407. </p>
  408. <ul><li>
  409. <em>Secret</em> means that the adversary must not be able to
  410. guess the transcript's contents.
  411. <li><em>Unique</em> means that the adversary must not be able to make the transcript
  412. match up to a <code>send_ENC</code> operation. This requires nonces, unless the
  413. protocol has already exchanged one-time-use ephemeral keys.
  414. </li>
  415. <li><code>recv_ENC</code> doesn't require uniqueness for security, so long as a
  416. <code>recv_MAC</code> operation is run before the received data is used.
  417. </li>
  418. </ul>
  419. <p class="warning">
  420. The <code>recv_ENC</code> and <code>recv_meta_ENC</code> operations don't verify
  421. the integrity of the
  422. incoming message. For this, use <code>send_MAC</code> after <code>send_ENC</code>
  423. on the sending side,
  424. and <code>recv_MAC</code> after <code>recv_ENC</code> on the receiving side.
  425. The receiving side must run
  426. <code>recv_MAC</code> before using the decrypted message.
  427. </p>
  428. <p class="warning">
  429. Newcomers to cryptography often assume that an attacker can't modify encrypted
  430. messages without turning them into gibberish. This isn't true for most cipher
  431. modes, and it isn't true for <span class="sc">Strobe</span>. The
  432. <code>MAC</code> operation really is necessary.
  433. </p>
  434. <p class="warning">
  435. <span class="sc">Strobe</span>'s encryption mode requires unique nonces for
  436. security.
  437. In other words, the operations before the <code>ENC</code> operation
  438. must be unique. In a two-party protocol, make sure that a party has
  439. contributed a unique value (such as a random nonce or a Diffie-Hellman ephemeral)
  440. to the protocol before using <code>send_ENC</code>. It is not necessary to
  441. contribute a unique value before using <code>recv_ENC</code>, except to
  442. defend against physical side channels such as DPA.
  443. </p>
  444. <p class="comment">
  445. Protocols are allowed to use <code>ENC</code> before any <code>KEY</code> has
  446. been entered. This usually isn't secure as an encryption mode. For technical
  447. reasons, the recommended <a href="/examples/#todo">Schnorr signature mode</a>
  448. does this whether or not a key has been entered.
  449. </p>
  450. <h4 id="ops.bare.mac"><code>MAC</code>: Send or receive message authentication code</h4>
  451. <div class="impl">
  452. <ul>
  453. <li>Flags: <code>CT</code> or <code>ICT</code>.
  454. <li>Behavior of <code>send-MAC</code>: Run <var>F</var> to begin a new block.
  455. Send bytes the state to the other party.</li>
  456. <li>Behavior of <code>recv-ENC</code>: Run <var>F</var> to begin a new block.
  457. Receive bytes and check that they are the same as the bytes of your state.
  458. If not, then the session has been corrupted.</li>
  459. </ul>
  460. </div>
  461. <p><code>send_MAC</code> computes and sends a message authentication code (MAC).
  462. <code>recv_MAC</code> receives and checks a MAC. If the MAC doesn't match,
  463. the receiving party aborts the protocol.
  464. </p>
  465. <ul>
  466. <li><code>send_meta_MAC</code> and <code>recv_meta_MAC</code> do the same thing
  467. as <code>send_MAC</code> and <code>recv_MAC</code>. They are appropriate
  468. for checking the integrity of framing data.
  469. </ul>
  470. <p class="warning">
  471. A <code>MAC</code> operation is ineffective if it is too short. That is,
  472. an adversary can just guess a <var>B</var>-byte MAC value with probability
  473. 2<sup>-8B</sup>. A 16-byte or longer MACs is suitable for
  474. protocols on powerful devices, and 8-byte or longer MAC is suitable for
  475. constrained devices. Very constrained environments might use even shorter
  476. MACs, but be aware that a short MAC may be practical to guess.
  477. <br/><br/>
  478. When retrofitting security on top of legacy embedded protocols, designers
  479. might not have enough bits to send a secure <code>MAC</code>. It is possible
  480. to send a shorter <code>MAC</code> in each packet, with the hope that an
  481. attack will be detected within a few packets. The <span class="sc">Strobe</span>
  482. framework allows this, but of course it is very dangerous.
  483. Don't try it without an expert analysis.
  484. </p>
  485. <p class="warning" id="warn.sidechannel">
  486. Checking a MAC must be done in constant time to prevent side-channel attacks.
  487. This is particularly salient when checking a MAC that is streaming in one byte
  488. at a time. It is very important not to indicate an error until the
  489. MAC operation is actually complete. Otherwise an attacker will learn information
  490. about the correct MAC. If the attacker can make several attempts, this side channel
  491. will lead to an easy compromise.
  492. </p>
  493. <p class="warning">
  494. Data isn't automatically trustworthy just because it has been MAC'd or signed.
  495. At most, the MAC will indicate who sent the data. But that other party might
  496. still be evil, or might have been compromised.
  497. </p>
  498. <p class="comment">
  499. <span class="sc">Strobe</span>'s operations all support byte-by-bytes streaming,
  500. and do not
  501. require that the length be known in advance. The MAC operation is no exception.
  502. That means in particular that truncating a MAC produces a valid, shorter MAC.
  503. This problem can and should be avoided by using a composite operation which
  504. includes the MAC's length in the metadata, so that the MAC will depend on its
  505. length.
  506. <br/><br/>
  507. However, this note doesn't rise to the level of a warning. Most protocols will
  508. use fixed-length MACs, but some will not. Suppose the two parties somehow
  509. disagree on how long their MACs are. Suppose that Bob thinks the MACs are 8
  510. bytes, but Alice thinks they're 10 bytes. Then the first message that Alice sends to
  511. Bob will verify with a truncated MAC, but any message that either sends later
  512. in the protocol will fail, because of the different transcript before that point.
  513. This is unlikely to cause a huge security problem.
  514. <br/><br/>
  515. The reverse direction is also problematic: if Alice thinks the MACs are 8 bytes,
  516. but Bob thinks they're 10 bytes, then an attacker can extend Alice's MAC to
  517. one that Bob will accept with probability 2^-16. Again, any future MAC will
  518. fail with high probability.
  519. </p>
  520. <p class="comment"><span class="sc">Strobe</span>'s <code>MAC</code> operations
  521. don't require session uniqueness.
  522. Repeating a nonce will compromise <code>send_ENC</code>, but (unlike AES-GCM
  523. and Poly1305) it will not compromise <code>send_MAC</code> or <code>recv_MAC</code>.
  524. <br/><br/>
  525. This only applies to attackers trying to find <code>MAC</code>s on
  526. new data. If an attacker replays the same <code>MAC</code> after the same
  527. data in an identical session, then of course the <code>MAC</code> will verify.
  528. </p>
  529. <h4 id="ops.bare.prf"><code>PRF</code>: Extract hash / pseudorandom data</h4>
  530. <div class="impl">
  531. <ul>
  532. <li>Flags: <code>IAC</code>.
  533. <li>Behavior: Run <var>F</var> to begin a new block. Read bytes of the state
  534. out to the application.</li>
  535. </ul>
  536. </div>
  537. <p><code>PRF</code> extracts pseudorandom data which is a deterministic function of
  538. the state. This data can be treated as a hash of all preceeding operations,
  539. messages and keys. For example, the following code hashes a single block of data:
  540. <pre><var>strobe</var> = new strobe(proto="example hash")
  541. <var>strobe</var>.AD("message to be hashed")
  542. <var>the_hash</var> = <var>strobe</var>.PRF(output_length)</pre>
  543. </p>
  544. <p>One can also hash multiple blocks of data, for example:
  545. <pre><var>strobe</var> = new strobe(proto="example hash")
  546. <var>strobe</var>.AD("message to")
  547. <var>strobe</var>.AD(" be")
  548. <var>strobe</var>.AD(" hashed")
  549. <var>the_hash</var> = <var>strobe</var>.PRF(output_length)</pre>
  550. which produces a different result from the previous example, because
  551. <span class="sc">Strobe</span> hashes where the operations begin and end in
  552. addition to their data.
  553. </p>
  554. <p class="warning">
  555. Just as with a <code>MAC</code>, the <code>PRF</code> operation supports streaming,
  556. and a shorter <code>PRF</code> call will return a prefix of a longer one. Use
  557. a <a href="#ops.comp">composite operation</a> that inputs the length of the
  558. <code>PRF</code> first.
  559. </p>
  560. <h4 id="ops.bare.ratchet"><code>RATCHET</code>: Prevent rollback</h4>
  561. <div class="impl">
  562. <ul>
  563. <li>Flags: <code>C</code>.
  564. <li>Behavior: Run <var>F</var> to begin a new block. Then overwrite bytes of the
  565. state with zeros.</li>
  566. </ul>
  567. </div>
  568. <p><code>RATCHET</code> has no input other than a length <var>L</var>, and no output.
  569. Instead, it modifies the state in an irreversible way.
  570. </p>
  571. <p>
  572. <span class="sc">Strobe</span>'s <var>F</var> is <span class="sc">Keccak</span>-<i>f</i>,
  573. which is a permutation. If an attacker compromises the state at some point
  574. in the protocol (e.g. with a side channel attack or an application exploit), then the
  575. attacker can use <var>F<sup>-1</sup></var> to solve for states at earlier points
  576. in the protocol.
  577. </p>
  578. <p>The <code>RATCHET</code>
  579. operation prevents this by zeroizing <var>L</var> bytes of the state.
  580. Zeroizing the whole state would destroy the key, so <code>RATCHET</code> only
  581. zeroizes up to <var>R</var> bytes at a time, calling <var>F</var> in between.
  582. In order to reverse the
  583. <code>RATCHET</code> operation, the attacker
  584. would have to guess what the bytes were before zeroizing. Setting
  585. <var>L</var> = <var>sec</var>/8 bytes is sufficient when <var>R</var> &geq;
  586. <var>sec</var>/8. That is, set <var>L</var> to 16 bytes or 32 bytes for
  587. <span class="sc">Strobe</span>-128/<var>b</var> and
  588. <span class="sc">Strobe</span>-256/<var>b</var>, respectively.
  589. </p>
  590. <p class="comment">
  591. If <var>L</var> is set to a very large number, then this operation wastes time
  592. by calling <var>F</var> many times in a row. This makes it suitable for a
  593. password-based key derivation function (PBKDF), with security comparable
  594. to PBKDF2.
  595. <br/><br/>
  596. Modern PBKDFs such as scrypt and Argon2 are designed to be memory-hard, meaning
  597. that they require a large memory with high bandwidth to perform efficiently.
  598. Memory hardness makes it harder to guess passwords by brute force using GPUs or ASICs.
  599. Using <code>RATCHET</code> as a PBKDF isn't memory-hard. But of course, a tiny
  600. device with constrained memory can't efficiently compute a memory-hard function,
  601. so this may be the best you can do.
  602. </p>
  603. <p class="comment">
  604. For all the recommended <span class="sc">Strobe</span> variants, <var>R</var> &ge;
  605. <var>sec</var>/8. In non-recommended variants with <var>R</var> &lt; <var>sec</var>/8, this
  606. operation is ineffective at preventing rollback
  607. because it only erases <var>R</var> bytes at a time. Instead,
  608. extract <var>L</var> bytes using <code>PRF</code>, and then stir them back in
  609. with <code>KEY</code>. In this scenario, <code>RATCHET</code> is still suitable
  610. to waste time, but the <code>PRF/KEY</code> ratcheting operation must be used
  611. afterward to prevent rollback.
  612. </p>
  613. <h3 id="ops.flags">Operations and flags</h3>
  614. <p>
  615. The behavior of each of <span class="sc">Strobe</span>'s operations is defined
  616. completely by 6 features, called <em>flags</em>. The operation is encoded as
  617. one byte, where the least significant 6 bits are its flags. The flags and
  618. their encodings are as follows:
  619. </p>
  620. <ul class="wide">
  621. <li><code>I = 1&lt;&lt;0</code>, "inbound". If set, this flag means that the
  622. operation moves data from the transport, to the cipher, to the application.
  623. An operation without the <code>I</code> flag set is said to be "outbound".
  624. The <code>I</code> flag is clear on all <code>send</code> operations,
  625. and set on all <code>recv</code> operations.
  626. <span class="comment">
  627. If Alice sends a message to Bob, then it is outbound for Alice and inbound
  628. for Bob.
  629. </span>
  630. </li>
  631. <li><code>A = 1&lt;&lt;1</code>, "application". If set, this flag means that
  632. the operation has data coming to or from the application side.
  633. <ul><li>An operation with <code>I</code> and <code>A</code> both set outputs
  634. bytes to the application.</li><li>An operation with <code>A</code> set but <code>I</code>
  635. clear takes input from the application.</li></ul>
  636. </li>
  637. <li><code>C = 1&lt;&lt;2</code>, "cipher". If set, this flag means that the
  638. operation's output depends cryptographically on the <span class="sc">Strobe</span>
  639. cipher state. For operations which don't have <code>I</code> or <code>T</code> flags
  640. set, neither party produces output with this operation. In that case, the
  641. <code>C</code> flag instead means that the operation acts as a rekey or ratchet.
  642. </li>
  643. <li><code>T = 1&lt;&lt;3</code>, "transport". If set, this flag means that the
  644. operation sends or receives data using the transport. An operation has
  645. <code>T</code> set if and only if it has <code>send</code> or <code>recv</code>
  646. in its name.
  647. <ul><li>An operation with <code>I</code> and <code>T</code> both set
  648. receives data from the transport.</li>
  649. <li>An operation with <code>T</code> set but <code>I</code>
  650. clear sends data to the transport.</li></ul>
  651. </li>
  652. <li><code>M = 1&lt;&lt;4</code>, "meta". If set, this flag means that the
  653. operation is handling framing, transcript comments or some other sort
  654. of protocol metadata. It doesn't affect how the operation is performed.
  655. This is intended to be used as described below
  656. in <a href="#ops.comp">Section 6.3</a>.
  657. </li>
  658. <li><code>K = 1&lt;&lt;5</code>, "keytree". This flag is reserved for a certain
  659. protocol-level countermeasure against side-channel analysis. It does affect
  660. how an operation is performed. This specification does not describe its use.
  661. For all operations in this specification, the <code>K</code> flag must be clear.
  662. </li>
  663. <li>The flags <code>1&lt;&lt;6</code> and <code>1&lt;&lt;7</code> are reserved for
  664. future versions.</li>
  665. </ul>
  666. <h4 id="#ops.flags.table">Flags for the defined operations</h4>
  667. <p>Each operation type is uniquely described by a combination of the above flags:</p>
  668. <table>
  669. <thead><tr><th>Operation</th><th colspan="4">Flags</th></tr></thead>
  670. <tbody>
  671. <tr><td><code>AD</code></td>
  672. <td></td><td><code>A</code></td><td></td><td></td>
  673. </tr>
  674. <tr><td><code>KEY</code></td>
  675. <td></td><td><code>A</code></td><td><code>C</code></td><td></td>
  676. </tr>
  677. <tr><td><code>PRF</code></td>
  678. <td><code>I</code></td><td><code>A</code></td><td><code>C</code></td><td></td>
  679. </tr>
  680. <tr><td><code>send_CLR</code></td>
  681. <td></td><td><code>A</code></td><td></td><td><code>T</code></td>
  682. </tr>
  683. <tr><td><code>recv_CLR</code></td>
  684. <td><code>I</code></td><td><code>A</code></td><td></td><td><code>T</code></td>
  685. </tr>
  686. <tr><td><code>send_ENC</code></td>
  687. <td></td><td><code>A</code></td><td><code>C</code></td><td><code>T</code></td>
  688. </tr>
  689. <tr><td><code>recv_ENC</code></td>
  690. <td><code>I</code></td><td><code>A</code></td><td><code>C</code></td><td><code>T</code></td>
  691. </tr>
  692. <tr><td><code>send_MAC</code></td>
  693. <td></td><td></td><td><code>C</code></td><td><code>T</code></td>
  694. </tr>
  695. <tr><td><code>recv_MAC</code></td>
  696. <td><code>I</code></td><td></td><td><code>C</code></td><td><code>T</code></td>
  697. </tr>
  698. <tr><td><code>RATCHET</code></td>
  699. <td></td><td></td><td><code>C</code></td><td></td>
  700. </tr>
  701. </tbody>
  702. </table>
  703. <p> The <code>meta</code> variants of the operations are the same as the
  704. non-<code>meta</code> variants, but they additionally have the <code>M</code> flag set.
  705. </p>
  706. <p>
  707. The other 6 combinations of the <code>IACT</code> flags are legal and their behavior
  708. is well-defined, but they aren't as useful.
  709. </p>
  710. <h3 id="ops.comp">Composite operations</h3>
  711. <p class="comment">
  712. Composite operations enable protocols to comply with the
  713. <a href="https://en.wikipedia.org/wiki/Horton_Principle">Horton principle</a>:
  714. "authenticate what is being meant, not what is being said". They do this by
  715. adding metadata to the operation which describes its meaning. How
  716. to encode that meaning is up to the protocol, so the metadata may be in any
  717. number of <code>meta</code> operations of any lengths. The most straightforward
  718. encoding would be a single-byte <em>tag</em> describing the meaning of the
  719. data, and a fixed number of bytes describing the length of the data in some
  720. particular endianness.
  721. <br/><br/>
  722. The metadata is processed before the data. This means that <code>PRF</code> outputs,
  723. encrypted data and <code>MAC</code>s will depend on the metadata as
  724. well as on previous operations.
  725. <br/><br/>
  726. In a complex protocol, it might be possible to send more than
  727. one kind of message at a given point. It is safe for the recipient to read the
  728. framing data &mdash; either all at once or byte-by-byte &mdash; to determine
  729. which kind of message to receive. However, the recipient must only accept a
  730. message if it is appropriate at the current stage of the protocol.
  731. </p>
  732. <p>
  733. A <em>composite operation</em> is a sequence of two or more operations,
  734. exactly one of which is designated as the <em>payload</em>. The sequence consists of:
  735. </p>
  736. <ul>
  737. <li>One or more <code>meta_AD</code>, <code>meta_CLR</code> or <code>meta_ENC</code>
  738. operations containing information about what the payload operation means to
  739. the protocol. For protocols which use framing data on the transport, this
  740. is generally a single <code>meta_CLR</code> containing that framing data.
  741. <span class="comment">
  742. If the payload operation uses the cipher's output, then these <code>meta</code>
  743. operation(s) should uniquely encode the length of the payload as well as its
  744. meaning. This prevents mistakes that could lead to truncation attacks.
  745. </span>
  746. </li>
  747. <li>Optionally, a <code>meta_MAC</code> operation to protect the framing data.
  748. <span class="comment">
  749. Most protocols will omit this to save bandwidth. It may be a useful operation
  750. if the recipient of the message will have to do something expensive depending
  751. on the metadata, such as allocating large amounts of memory. Remember that
  752. a <code>meta_MAC</code> doesn't help if the sender is malicious.
  753. </span>
  754. </li>
  755. <li>
  756. The payload operation itself, which must not be a <code>meta</code> operation.
  757. </li>
  758. </ul>
  759. <div class="warning">
  760. Once a key has been provided, it is recommended for at least the last operation of
  761. every flow to be a <code>MAC</code> operation. In some circumstances, it is
  762. also important to provide a <code>MAC</code> before the end of the flow. Consult
  763. a cryptographer if you are unsure.
  764. <br/><br/>
  765. It is usually preferable to use fixed-length MACs, instead of putting their
  766. lengths in framing data. There are three principal exceptions:
  767. <ul>
  768. <li>If another party needs to parse the protocol transcript without
  769. fully understanding it, then it may help to send the length in
  770. framing data. However, that length should be fixed.</li>
  771. <li>To prevent mistakes that could lead to <code>MAC</code> truncation or
  772. extension attacks, it makes
  773. sense to supply the <code>MAC</code> length in a <code>meta_AD</code>
  774. transaction. It should still be fixed.</li>
  775. <li>If framing data is encrypted, then the MAC may be variable-length to
  776. disguise the length of the rest of the data in the packet. It must
  777. still be at least 8 bytes, preferably at least 16 bytes.</li>
  778. </li>
  779. </ul>
  780. <br/>
  781. In any case, protocols must not accept <code>MAC</code>s below a fixed minimum
  782. length, which should not be less than 8 bytes.
  783. </div>
  784. <p class="comment">
  785. A composite operation consists of one or more <code>meta</code> operations,
  786. followed by exactly one non-<code>meta</code> operation. It is recommended
  787. not to use <code>meta</code> operations except to implement these composite
  788. operations. That way, the protocol transcript can be parsed uniquely
  789. into a sequence of (composite and possibly non-composite) operations.
  790. </p>
  791. <p class="comment">
  792. In a complex protocol, it might be possible to send more than
  793. one kind of message at a given point. It is safe for the recipient to read the
  794. framing data &mdash; either all at once or byte-by-byte &mdash; to determine
  795. which kind of message to receive. However, the recipient must only accept a
  796. message if it is appropriate at the current stage of the protocol.
  797. </p>
  798. <h2 id="ops.impl">Implementation of operations</h2>
  799. <p>This section describes formally what each operation does and how it is
  800. implemented. The implementation is described by Python code.
  801. <b>[TODO: and math?]</b>
  802. </p>
  803. <h3 id="ops.impl.runf">Duplexing and running <var>F</var></h3>
  804. <p><span class="strobe">Strobe</span> is a
  805. <a href="https://keccak.team/files/SpongeDuplex.pdf">duplex construction</a>,
  806. so its core routine <code>_duplex()</code> is somewhat unsurprising. This
  807. routine takes input data and three binary arguments:
  808. <var>cbefore</var>, <var>cafter</var> and <var>forceF</var>.
  809. </p>
  810. <p>If <var>cafter</var> is set, then
  811. the data is modified by the duplex construction after absorbing it. This is
  812. used for encryption. If <var>cbefore</var> is set, the data is modified by
  813. the duplex construction before absorbing it. This is used for decryption.
  814. There is no case where both <var>cbefore</var> and <var>cafter</var> are set.
  815. </p>
  816. <p>
  817. Certain operations need to run <var>F</var> afterward, in order to begin a new block.
  818. For brevity, they do this by passing a <var>forceF</var> argument to <code>_duplex()</code>.
  819. </p>
  820. <pre>
  821. def _duplex(<var class="self">self</var>, <var>data</var>, <var>cbefore</var>=False, <var>cafter</var>=False, <var>forceF</var>=False):
  822. <span class="codecomment">
  823. <span class="codecomment"># This is an internal function. It's not part of STROBE's API.</span>
  824. assert not (<var>cbefore</var> and <var>cafter</var>)
  825. <span class="codecomment"># Copy <var>data</var>, and convert string or int to bytearray</span>
  826. <span class="codecomment"># This converts an integer <var>n</var> to an array of <var>n</var> zeros</span>
  827. <var>data</var> = bytearray(<var>data</var>)
  828. for <var>i</var> in range(len(<var>data</var>)):
  829. if <var>cbefore</var>: <var>data</var>[<var>i</var>] ^= <var class="self">self.</var><var>st</var>[<var class="self">self.</var><var>pos</var>]
  830. <var class="self">self.</var><var>st</var>[<var class="self">self.</var><var>pos</var>] ^= <var>data</var>[<var>i</var>]
  831. if <var>cafter</var>: <var>data</var>[<var>i</var>] = <var class="self">self.</var><var>st</var>[<var class="self">self.</var><var>pos</var>]
  832. <var class="self">self.</var><var>pos</var> += 1
  833. if <var class="self">self.</var><var>pos</var> == <var class="self">self.</var><var>R</var>: <var class="self">self.</var>_runF()
  834. if <var>forceF</var> and <var class="self">self.</var><var>pos</var> != 0: <var class="self">self.</var>_runF()
  835. return <var>data</var>
  836. </pre>
  837. <p>When the rate is exceeded, or when beginning an operation
  838. that uses the cipher state, <span class="sc">Strobe</span> runs the
  839. sponge function <var>F</var> on the state. This begins a new block.
  840. Because <var>pos<sub>begin</sub></var> records the beginning of an
  841. operation <em>within the block</em>, <span class="sc">Strobe</span>
  842. absorbs it and resets it when beginning a new block:
  843. </p>
  844. <pre>
  845. def _runF(<var class="self">self</var>):
  846. <span class="codecomment"># This is an internal function. It's not part of STROBE's API.</span>
  847. if <var class="self">self.</var><var>initialized</var>:
  848. <var class="self">self.</var><var>st</var>[<var class="self">self.</var><var>pos</var>] ^= <var class="self">self.</var><var>pos<sub>begin</sub></var>
  849. <var class="self">self.</var><var>st</var>[<var class="self">self.</var><var>pos</var>+1] ^= 0x04
  850. <var class="self">self.</var><var>st</var>[<var class="self">self.</var><var>R</var>+1] ^= 0x80
  851. <var class="self">self.</var><var>st</var> = <var class="self">self.</var><var>F</var>(<var class="self">self.</var><var>st</var>)
  852. <var class="self">self.</var><var>pos</var> = <var class="self">self.</var><var>pos<sub>begin</sub></var> = 0</pre>
  853. <p class="comment">
  854. The <code>0x04</code> and <code>0x80</code> pads are cSHAKE's output padding mode. For simplicity,
  855. this is applied on every block whether it has output or not.
  856. <code>[<var>pos<sub>begin</sub></var>]</code> is <span class="sc">Strobe</span>'s padding mode on top
  857. of cSHAKE's padding.
  858. <br/><br/>
  859. <span class="sc">Strobe</span> uses cSHAKE's domain separation to ensure that it is
  860. distinct from all other uses of <span class="sc">Keccak</span>. It then uses its
  861. own internal separation &mdash; a <code>meta_AD</code> operation &mdash; to
  862. ensure that every <span class="sc">Strobe</span>-based protocol is distinct. This
  863. first separation uses cSHAKE's specified padding mode instead of
  864. <span class="sc">Strobe</span>'s padding. This is
  865. why <code>_runF</code> checks <var class="self">self.</var><var>initialized</var>.
  866. </p>
  867. <h3 id="ops.impl.init">Initialization</h3>
  868. <p>
  869. <span class="sc">Strobe</span>'s initial state is set using cSHAKE's domain separation.
  870. The cSHAKE domain separation string is <var>S</var> = "STROBEv1.0.2".
  871. The NIST separation string is <var>N</var> = "", because <span class="sc">Strobe</span> wasn't designed by NIST.
  872. </p>
  873. <pre>
  874. def __init__(<var class="self">self, </var><var>proto</var>, <var>F</var> = KeccakF(1600), <var>sec</var> = 128):
  875. <var class="self">self.</var><var>pos</var> = <var class="self">self.</var><var>pos<sub>begin</sub></var> = 0
  876. <var class="self">self.</var><var>I<sub>0</sub></var> = None
  877. <var class="self">self.</var><var>F</var> = <var>F</var>
  878. <var class="self">self.</var><var>R</var> = <var>F</var>.<var>nbytes</var> - <var>sec</var>//4
  879. <var class="self">self.</var><var>cur_flags</var> = None
  880. <span class="codecomment"># Domain separation doesn't use <span class="sc">Strobe</span> padding</span>
  881. <var class="self">self.</var><var>initialized</var> = False
  882. <var class="self">self.</var><var>st</var> = bytearray(<var>F</var>.<var>nbytes</var>)
  883. <var>domain</var> = bytearray([1,<var class="self">self.</var><var>R</var>,1,0,1,12*8]) \
  884. + bytearray("STROBEv1.0.2")
  885. <var class="self">self.</var>_duplex(<var>domain</var>, forceF=True)
  886. <span class="codecomment"># cSHAKE separation is done.</span>
  887. <span class="codecomment"># Turn on <span class="sc">Strobe</span> padding and do per-proto separation</span>
  888. <var class="self">self.</var><var>R</var> -= 2
  889. <var class="self">self.</var><var>initialized</var> = True
  890. <var class="self">self.</var>operate(A|M, <var>proto</var>)
  891. </pre>
  892. <h3 id="ops.impl.begin">Beginning an operation</h3>
  893. <p>Beginning an operation absorbs the old <var>pos<sub>begin</sub></var> state variable,
  894. and then sets it to where this operation began. It then absorbs the operation,
  895. adjusted so that the sender and receiver will compute the same value.
  896. </p>
  897. <pre>
  898. def _beginOp(<var class="self">self, </var><var>flags</var>):
  899. <span class="codecomment"># This is an internal function. It's not part of STROBE's API.</span>
  900. <span class="codecomment"># Adjust direction information so that sender and receiver agree</span>
  901. if <var>flags</var> &amp; T:
  902. if <var class="self">self.</var><var>I<sub>0</sub></var> is None: <var class="self">self.</var><var>I<sub>0</sub></var> = <var>flags</var> &amp; I
  903. <var>flags</var> ^= <var class="self">self.</var><var>I<sub>0</sub></var>
  904. <span class="codecomment"># Update <var>pos<sub>begin</sub></var></span>
  905. <var>old<sub>begin</sub></var>, <var class="self">self.</var><var>pos<sub>begin</sub></var> = <var class="self">self.</var><var>pos<sub>begin</sub></var>, <var class="self">self.</var><var>pos</var>+1
  906. <var class="self">self.</var>_duplex([<var>old<sub>begin</sub></var>,<var>flags</var>], forceF = <var>flags</var>&amp;(C|K))</pre>
  907. <p class="comment">
  908. Forcing <var>F</var> when <code><var>flags</var> &amp; (C|K)</code> is nonzero ensures that
  909. any input &mdash; including the operation's <var>flags</var> &mdash;
  910. will affect the output of <code>C</code>-flagged operations
  911. like <code>ENC</code>, <code>MAC</code> and <code>PRF</code>. It also
  912. ensures that the rekeying operations
  913. <code>KEY</code> and <code>RATCHET</code> begin
  914. at the start of a block. This is important to prevent rollback attacks: if a
  915. <code>KEY</code> or <code>RATCHET</code> were split across blocks, then
  916. an adversary who recovered a later state could split the work of
  917. brute-forcing the earlier state into separate attacks on each block.
  918. </p>
  919. <h3 id="ops.impl.byte">Main operation code</h3>
  920. <p>To perform an operation, <span class="sc">Strobe</span> first runs the beginning-of-operation
  921. code. It then duplexes the data with <var>cbefore</var> and <var>cafter</var>
  922. set according to the operation's flags. Finally, it decides what to do with the
  923. output: return it, ignore it, or check it as a MAC value.
  924. </p>
  925. <p>The implementation below supports a <var>more</var> flag for streaming purposes.
  926. Setting <var>more</var> processes the given <var>data</var> as a continuation
  927. of the previous operation, instead of as a new operation.
  928. </p>
  929. <pre>
  930. def operate(<var class="self">self</var>, <var>flags</var>, <var>data</var>, <var>more</var>=False):
  931. assert not (<var>flags</var> &amp; (K|1&lt;&lt;6|1&lt;&lt;7)) <span class="codecomment"># Not implemented here</span>
  932. if <var>more</var>:
  933. assert <var>flags</var> == <var class="self">self.</var><var>cur_flags</var>
  934. else:
  935. <var class="self">self</var>._beginOp(<var>flags</var>)
  936. <var class="self">self.</var><var>cur_flags</var> = <var>flags</var>
  937. if (<var>flags</var> &amp; (I|T) != (I|T)) and (<var>flags</var> &amp; (I|A) != A):
  938. <span class="codecomment"># Operation takes no input, only a length</span>
  939. assert isinstance(<var>data</var>,int)
  940. <span class="codecomment"># This is because in Python, bytearray(<var>n</var>) returns an array</span>
  941. <span class="codecomment"># of <var>n</var> zeros.</span>
  942. <span class="codecomment">#</span>
  943. <span class="codecomment"># In other languages, you might make a function which</span>
  944. <span class="codecomment"># takes a length and a nullable pointer, or which is</span>
  945. <span class="codecomment"># overloaded to take either an integer or a byte array.</span>
  946. <span class="codecomment"># The actual processing code is just duplex</span>
  947. <var>cafter</var> = (<var>flags</var> &amp; (C|I|T)) == (C|T)
  948. <var>cbefore</var> = (<var>flags</var> &amp; C) and not <var>cafter</var>
  949. <var>processed</var> = <var class="self">self</var>._duplex(<var>data</var>, <var>cbefore</var>, <var>cafter</var>)
  950. <span class="codecomment"># Determine what to do with the output.</span>
  951. if (<var>flags</var> &amp; (I|A)) == (I|A):
  952. <span class="codecomment"># Return data for the application</span>
  953. return processed
  954. elif (<var>flags</var> &amp; (I|T)) == T:
  955. <span class="codecomment"># Return data for the transport.</span>
  956. <span class="codecomment"># A fancier implementation might send it directly.</span>
  957. return processed
  958. elif (<var>flags</var> &amp; (I|A|T)) == (I|T):
  959. <span class="codecomment"># Check MAC: all output bytes must be 0</span>
  960. assert not <var>more</var> <span class="codecomment"># See the <a href="#warn.sidechannel">side-channel warning</a></span>
  961. <var>failures</var> = 0
  962. for <var>byte</var> in <var>processed</var>: <var>failures</var> |= <var>byte</var>
  963. if <var>failures</var> != 0: raise AuthenticationFailed()
  964. return bytearray()
  965. else:
  966. <span class="codecomment"># Operation has no output</span>
  967. return bytearray()
  968. </pre>
  969. <p>Each of the defined operations from Section 6 is implemented as a call to <code>operate</code>.
  970. Note that some operations take an array of <var>data</var> whereas some just take a <var>length</var>.
  971. That these two types are handled the same way is an idiom of Python. Other languages would take
  972. <var>length</var> as an integer and <var>data</var> as an array of bytes.
  973. </p>
  974. <pre>def AD(<var class="self">self</var>, <var>data</var>, <var>more</var>=False):
  975. <var>self</var>.operate(A, <var>data</var>, <var>more</var>)
  976. def KEY(<var class="self">self</var>, <var>data</var>, <var>more</var>=False):
  977. <var>self</var>.operate(A|C, <var>data</var>, <var>more</var>)
  978. def send_CLR(<var class="self">self</var>, <var>data</var>, <var>more</var>=False):
  979. return <var>self</var>.operate(A|T, <var>data</var>, <var>more</var>)
  980. def recv_CLR(<var class="self">self</var>, <var>data</var>, <var>more</var>=False):
  981. return <var>self</var>.operate(I|A|T, <var>data</var>, <var>more</var>)
  982. def send_ENC(<var class="self">self</var>, <var>data</var>, <var>more</var>=False):
  983. return <var>self</var>.operate(A|C|T, <var>data</var>, <var>more</var>)
  984. def recv_ENC(<var class="self">self</var>, <var>data</var>, <var>more</var>=False):
  985. return <var>self</var>.operate(I|A|C|T, <var>data</var>, <var>more</var>)
  986. def send_MAC(<var class="self">self</var>, <var>length</var>, <var>more</var>=False):
  987. return <var>self</var>.operate(C|T, <var>length</var>, <var>more</var>)
  988. def recv_MAC(<var class="self">self</var>, <var>data</var>, <var>more</var>=False):
  989. <var>self</var>.operate(I|C|T, <var>data</var>, <var>more</var>)
  990. def PRF(<var class="self">self</var>, <var>length</var>, <var>more</var>=False):
  991. return <var>self</var>.operate(I|A|C, <var>length</var>, <var>more</var>)
  992. def RATCHET(<var class="self">self</var>, <var>length</var>, <var>more</var>=False):
  993. <var>self</var>.operate(C, <var>length</var>, <var>more</var>)
  994. </pre>
  995. </body>