Re: ANNOUNCE: Nettle-3.9
Jussi Kivilinna writes:

> On 15.5.2023 23.21, Niels Möller wrote:
>> Jussi Kivilinna writes:
>>
>>> I ran into a memory corruption issue when benchmarking the new OCB code.
>>>
>>> I think "dst -= size;" in ocb_crypt_n() should be "dst += size;" ...
>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ocb.c#L240
>>
>> Ooops. I think you're right. How large input sizes did you need to
>> trigger problems?
>
> Input needs to be 272 bytes (16*17B) to trigger the problem. Here's
> what I get with valgrind (nettle and benchmarking tool compiled with -Og):
>
> I tried to add a test vector (see at bottom) from libgcrypt for large input
> testing but could not get it working. Ciphertext generation works after
> fixing the dst pointer increment and changing "ctx->message_count += n;" to
> "ctx->message_count += blocks;" in ocb_crypt_n(), but the tag still does not
> match the output from libgcrypt:

I've applied your patch (including the test fix from your other mail).
Thanks a lot!

>>> Also it would be nice if ocb_aes128 could be added to the nettle_aeads
>>> array for easy access.
>>
>> Which combination(s) of nonce size and tag size would it be useful to
>> advertise like that?
>
> Would the same values as for gcm_aes128 make sense (nonce=12, tag=16)?
>
> My use-case is pretty simple: to find "ocb_" in the nettle_aeads
> list for a benchmark run, and I don't really care about which nonce/tag
> length gets used.

I'd like the choice to be guided by what actual applications need. Nonce
12, tag 16 sounds reasonable, but if I've understood it correctly, at
least openpgp uses something different.

For benchmarks, I hope it's not too cumbersome to define your own struct
nettle_aead, similar to what's in nettle-internal.c.

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.

___
nettle-bugs mailing list -- nettle-bugs@lists.lysator.liu.se
To unsubscribe send an email to nettle-bugs-le...@lists.lysator.liu.se
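As an added illustration of the two defects discussed in this thread (this is not nettle's code, and the 16-block chunk size, the toy block transform and the demo_case helper are assumptions made here): a chunked driver shaped like ocb_crypt_n that tracks the destination as an offset and refuses an out-of-bounds write instead of performing it, so the 256-byte versus 272-byte behaviour can be checked safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define BLOCK_SIZE 16
#define MAX_BLOCKS 16 /* assumed chunk size: 17 blocks (272 B) is the trigger */
struct toy_ctx { size_t message_count; };
/* Toy stand-in for OCB's per-block encryption: XOR each byte with the running
   block number, so a mis-advanced message_count shows up in the output. */
static void toy_blocks(struct toy_ctx *ctx, size_t blocks, uint8_t *dst,
                       const uint8_t *src)
{
    for (size_t i = 0; i < blocks; i++)
        for (size_t j = 0; j < BLOCK_SIZE; j++)
            dst[i * BLOCK_SIZE + j] = src[i * BLOCK_SIZE + j] ^ (uint8_t)(ctx->message_count + i);
}
/* Chunked driver shaped like ocb_crypt_n (not nettle's code). buggy != 0
   replays the thread's two defects ("dst -= size", "message_count += n") but
   keeps dst as an offset and returns -1 where the real code corrupted memory. */
int chunked_crypt(struct toy_ctx *ctx, size_t length, uint8_t *dst,
                  const uint8_t *src, int buggy)
{
    ptrdiff_t off = 0;
    size_t n = length / BLOCK_SIZE;
    while (n > 0) {
        size_t blocks = n < MAX_BLOCKS ? n : MAX_BLOCKS;
        size_t size = blocks * BLOCK_SIZE;
        if (off < 0 || (size_t)off + size > length) return -1; /* OOB write */
        toy_blocks(ctx, blocks, dst + off, src);
        ctx->message_count += buggy ? n : blocks;
        n -= blocks;
        src += size;
        off += buggy ? -(ptrdiff_t)size : (ptrdiff_t)size;
    }
    return 0;
}
/* One case on a constructed all-0xAA message (at most 512 bytes): -1 on a
   bounds violation, -2 on wrong output, else the final message_count. */
long demo_case(size_t length, int buggy)
{
    uint8_t in[512], out[512];
    struct toy_ctx ctx = { 0 };
    memset(in, 0xAA, sizeof in);
    if (length > sizeof in || chunked_crypt(&ctx, length, out, in, buggy))
        return -1;
    for (size_t i = 0; i < length - length % BLOCK_SIZE; i++)
        if (out[i] != (uint8_t)(0xAA ^ (i / BLOCK_SIZE)))
            return -2;
    return (long)ctx.message_count;
}
```

A 256-byte message fits in one chunk, so the wrong pointer update is never used and the bug stays hidden; the 17th block is the first one written through the corrupted pointer.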
Re: ANNOUNCE: Nettle-3.9
On 17.5.2023 20.07, Jussi Kivilinna wrote:
>> Which combination(s) of nonce size and tag size would it be useful to
>> advertise like that?
>
> Would the same values as for gcm_aes128 make sense (nonce=12, tag=16)?
>
> My use-case is pretty simple: to find "ocb_" in the nettle_aeads
> list for a benchmark run, and I don't really care about which nonce/tag
> length gets used. See:
> https://github.com/jkivilin/bench-slopes/blob/master/src/bench-slope-nettle.c#L380

I decided to rewrite AEAD benchmarking to use each mode directly through
the corresponding headers instead. So that link does not point to the
correct place anymore.

-Jussi
Re: ANNOUNCE: Nettle-3.9
Jussi Kivilinna writes:

> I ran into a memory corruption issue when benchmarking the new OCB code.
>
> I think "dst -= size;" in ocb_crypt_n() should be "dst += size;" ...
> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ocb.c#L240

Ooops. I think you're right. How large input sizes did you need to
trigger problems?

I just tried

  valgrind ./examples/nettle-benchmark ocb

which I would expect to call this function with about 10 KiB data at a
time, but no crashes and no complaints from valgrind, which is puzzling.
I'll need some more investigation to reproduce the problem.

> Also it would be nice if ocb_aes128 could be added to the nettle_aeads
> array for easy access.

Which combination(s) of nonce size and tag size would it be useful to
advertise like that?

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
ANNOUNCE: Nettle-3.9
I'm happy to announce a new release of GNU Nettle, a low-level
cryptographic library. The release features new SIV-GCM and OCB
authenticated encryption modes, and improved performance for SHA256 and
Poly1305, among other things. See NEWS entries below.

The Nettle home page can be found at
https://www.lysator.liu.se/~nisse/nettle/, and the manual at
https://www.lysator.liu.se/~nisse/nettle/nettle.html.

The release can be downloaded from

  https://ftp.gnu.org/gnu/nettle/nettle-3.9.tar.gz
  ftp://ftp.gnu.org/gnu/nettle/nettle-3.9.tar.gz
  https://www.lysator.liu.se/~nisse/archive/nettle-3.9.tar.gz

Happy hacking,
/Niels Möller

NEWS for the Nettle 3.9 release

This release includes bug fixes, several new features, a few
performance improvements, and one performance regression affecting
GCM on certain platforms. The new version is intended to be fully
source and binary compatible with Nettle-3.6. The shared library
names are libnettle.so.8.7 and libhogweed.so.6.7, with sonames
libnettle.so.8 and libhogweed.so.6.

This release includes a rewrite of the C implementation of GHASH
(dating from 2011), as well as the plain x86_64 assembly version, to
use precomputed tables in a different way, with tables always accessed
in the same sequential manner. This should make Nettle's GHASH
implementation side-channel silent on all platforms, but considerably
slower on platforms without carry-less mul instructions. E.g.,
benchmarks of the C implementation on x86_64 showed a slowdown of 3
times.

Bug fixes:

* Fix bug in ecdsa and gostdsa signature verify operation, for the
  unlikely corner case that point addition really is point
  duplication.

* Fix for chacha on Power7: nettle's assembly used an instruction
  only available on later processors. Fixed by Mamone Tarsha.

* GHASH implementation should now be side-channel silent on all
  architectures.

* A few portability fixes for *BSD.

New features:

* Support for the SM4 block cipher, contributed by Tianjia Zhang.

* Support for the Balloon password hash, contributed by Zoltan Fridrich.

* Support for SIV-GCM authenticated encryption mode, contributed by
  Daiki Ueno.

* Support for OCB authenticated encryption mode.

* New exported functions md5_compress, sha1_compress, sha256_compress,
  sha512_compress, based on patches from Corentin Labbe.

Optimizations:

* Improved sha256 performance, in particular for x86_64 and s390x.

* Use GMP's mpn_sec_tabselect, which is implemented in assembly on
  many platforms, and delete the similar nettle function. Gives a
  modest speedup to all ecc operations.

* Faster poly1305 for x86_64 and ppc64. New ppc code contributed by
  Mamone Tarsha.

Miscellaneous:

* New ASM_FLAGS variable recognized by configure.

* Delete all arcfour assembly code. Affects 32-bit x86, 32-bit and
  64-bit sparc.

Known issues:

* Version 6.2.1 of GNU GMP (the most recent GMP release as of this
  writing) has a known issue for MacOS on 64-bit ARM: GMP assembly
  files use the reserved x18 register. On this platform it is
  recommended to use a GMP snapshot where this bug is fixed, and
  upgrade to a later GMP release when one becomes available.

* Also on MacOS, Nettle's testsuite may still break due to
  DYLD_LIBRARY_PATH being discarded under some circumstances. As a
  workaround, use

    make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)'

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.