Software APIs
aes_gcm_testvectors.h
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_TESTS_CRYPTO_AES_GCM_TESTVECTORS_H_
6 #define OPENTITAN_SW_DEVICE_TESTS_CRYPTO_AES_GCM_TESTVECTORS_H_
7 
8 #include "sw/device/lib/base/macros.h"
9 #include "sw/device/lib/crypto/drivers/aes.h"
10 #include "sw/device/tests/crypto/aes_gcm_testutils.h"
11 
12 #ifdef __cplusplus
13 extern "C" {
14 #endif // __cplusplus
15 
16 /**
17  * Randomly-generated 128-bit key for testing.
18  */
19 static const uint32_t kKey128[4] = {
20  // Key = f80a6e67211c873793a99d899c31c2e7
21  0x676e0af8, 0x37871c21, 0x899da993, 0xe7c2319c};
22 
23 /**
24  * Randomly-generated 256-bit key for testing.
25  */
26 static const uint32_t kKey256[8] = {
27  // Key = 76592790eaf6630e670ce5784ff23a1806a1ea76b0977b1542374769247cc4ce
28  0x90275976, 0x0e63f6ea, 0x78e50c67, 0x183af24f,
29  0x76eaa106, 0x157b97b0, 0x69473742, 0xcec47c24};
30 
31 /**
32  * Authenticated data for testing.
33  */
34 static uint8_t kAad[18] = {
35  // aad = 'authenticated data'
36  // = 61757468656e746963617465642064617461
37  0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63,
38  0x61, 0x74, 0x65, 0x64, 0x20, 0x64, 0x61, 0x74, 0x61};
39 
40 /**
41  * Plaintext for testing.
42  */
43 static uint8_t kPlaintext[32] = {
44  // plaintext = 'authenticated and encrypted data'
45  // =
46  // 61757468656e7469636174656420616e6420656e637279707465642064617461
47  0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74,
48  0x65, 0x64, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6e, 0x63, 0x72,
49  0x79, 0x70, 0x74, 0x65, 0x64, 0x20, 0x64, 0x61, 0x74, 0x61};
50 
51 /**
52  * Expected ciphertext for the 256-bit key.
53  */
54 static uint8_t kCiphertext256[32] = {
55  // Ciphertext =
56  // 4e6d3a963b076ba0945d29aa836f29b0fa06cdd575aab8233f1df93e80163371
57  0x4e, 0x6d, 0x3a, 0x96, 0x3b, 0x07, 0x6b, 0xa0, 0x94, 0x5d, 0x29,
58  0xaa, 0x83, 0x6f, 0x29, 0xb0, 0xfa, 0x06, 0xcd, 0xd5, 0x75, 0xaa,
59  0xb8, 0x23, 0x3f, 0x1d, 0xf9, 0x3e, 0x80, 0x16, 0x33, 0x71};
60 
61 /**
62  * AES-GCM test case 3 from "The Galois/Counter Mode of Operation (GCM)" by
63  * McGrew and Viega (linked document also shows intermediate values, helpful
64  * for debugging):
65  * https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
66  *
67  * key = feffe9928665731c6d6a8f9467308308
68  * iv = cafebabefacedbaddecaf888
69  * plaintext =
70  * d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
71  * aad = empty
72  * ciphertext =
73  * 42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985
74  * tag = 4d5c2af327cd64a62cf35abd2ba6fab4
75  */
76 static const uint32_t kMVTestCase3Key[] = {0x92e9fffe, 0x1c736586, 0x948f6a6d,
77  0x08833067};
78 static uint8_t kMVTestCase3Plaintext[] = {
79  0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09,
80  0xc5, 0xaf, 0xf5, 0x26, 0x9a, 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34,
81  0xf7, 0xda, 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 0x1c,
82  0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, 0x2f, 0xcf, 0x0e, 0x24,
83  0x49, 0xa6, 0xb5, 0x25, 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6,
84  0x57, 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55};
85 static uint8_t kMVTestCase3Ciphertext[] = {
86  0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21,
87  0xb7, 0x84, 0xd0, 0xd4, 0x9c, 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02,
88  0xa4, 0xe0, 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 0x21,
89  0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 0x7d, 0x8f, 0x6a, 0x5a,
90  0xac, 0x84, 0xaa, 0x05, 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac,
91  0x97, 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85};
92 
93 /**
94  * AES-GCM test case 10 from "The Galois/Counter Mode of Operation (GCM)" by
95  * McGrew and Viega (linked document also shows intermediate values, helpful
96  * for debugging):
97  * https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
98  *
99  * key = feffe9928665731c6d6a8f9467308308feffe9928665731c
100  * iv = cafebabefacedbaddecaf888
101  * plaintext =
102  * d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
103  * aad = feedfacedeadbeeffeedfacedeadbeefabaddad2
104  * ciphertext =
105  * 3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710
106  * tag = 3a337dbf46a792c45e454913fe2ea8f2
107  */
108 static const uint32_t kMVTestCase10Key[] = {0x92e9fffe, 0x1c736586, 0x948f6a6d,
109  0x08833067, 0x92e9fffe, 0x1c736586};
110 static uint8_t kMVTestCase10Aad[] = {0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe,
111  0xef, 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad,
112  0xbe, 0xef, 0xab, 0xad, 0xda, 0xd2};
113 static uint8_t kMVTestCase10Plaintext[] = {
114  0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5,
115  0xaf, 0xf5, 0x26, 0x9a, 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
116  0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 0x1c, 0x3c, 0x0c, 0x95,
117  0x95, 0x68, 0x09, 0x53, 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
118  0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 0xba, 0x63, 0x7b, 0x39};
119 static uint8_t kMVTestCase10Ciphertext[] = {
120  0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41, 0xeb, 0x06, 0xfa, 0xc4,
121  0x87, 0x2a, 0x27, 0x57, 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
122  0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c, 0x7d, 0x77, 0x3d, 0x00,
123  0xc1, 0x44, 0xc5, 0x25, 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
124  0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9, 0xcc, 0xda, 0x27, 0x10};
125 
126 aes_gcm_test_t kAesGcmTestvectors[] = {
127  // Empty input, empty aad, 96-bit IV, 128-bit key
128  {
129  .key_len = ARRAYSIZE(kKey128),
130  .key = kKey128,
131  .iv_len = 12,
132  .iv =
133  {// IV = 22294cae82d82e44427dfcc3
134  0x22, 0x29, 0x4c, 0xae, 0x82, 0xd8, 0x2e, 0x44, 0x42, 0x7d, 0xfc,
135  0xc3},
136  .plaintext_len = 0,
137  .plaintext = NULL,
138  .aad_len = 0,
139  .aad = NULL,
140  .ciphertext = NULL,
141  .tag_len = 16,
142  .tag =
143  {// Tag = b7aa223a6c75a0976633ce79d9fddf06
144  0xb7, 0xaa, 0x22, 0x3a, 0x6c, 0x75, 0xa0, 0x97, 0x66, 0x33, 0xce,
145  0x79, 0xd9, 0xfd, 0xdf, 0x06},
146  },
147 
148  // Empty input, empty aad, 128-bit IV, 128-bit key
149  {
150  .key_len = ARRAYSIZE(kKey128),
151  .key = kKey128,
152  .iv_len = 16,
153  .iv =
154  {// IV = 22294cae82d82e44427dfcc33bacdbec
155  0x22, 0x29, 0x4c, 0xae, 0x82, 0xd8, 0x2e, 0x44, 0x42, 0x7d, 0xfc,
156  0xc3, 0x3b, 0xac, 0xdb, 0xec},
157  .plaintext_len = 0,
158  .plaintext = NULL,
159  .aad_len = 0,
160  .aad = NULL,
161  .ciphertext = NULL,
162  .tag_len = 16,
163  .tag =
164  {// Tag = 4c59f0d420d9eb8669c40ad23b5419ba
165  0x4c, 0x59, 0xf0, 0xd4, 0x20, 0xd9, 0xeb, 0x86, 0x69, 0xc4, 0x0a,
166  0xd2, 0x3b, 0x54, 0x19, 0xba},
167  },
168 
169  // 128-bit IV, 256-bit key, real message and aad
170  {
171  .key_len = ARRAYSIZE(kKey256),
172  .key = kKey256,
173  .iv_len = 16,
174  .iv =
175  {// IV = c58aded2e1bbecba8b16a5757e5475bd
176  0xc5, 0x8a, 0xde, 0xd2, 0xe1, 0xbb, 0xec, 0xba, 0x8b, 0x16, 0xa5,
177  0x75, 0x7e, 0x54, 0x75, 0xbd},
178  .plaintext_len = sizeof(kPlaintext),
179  .plaintext = kPlaintext,
180  .aad_len = sizeof(kAad),
181  .aad = kAad,
182  .ciphertext = kCiphertext256,
183  .tag_len = 16,
184  .tag =
185  {// Tag = 324895b3d2f656e4fa2f8ce056137061
186  0x32, 0x48, 0x95, 0xb3, 0xd2, 0xf6, 0x56, 0xe4, 0xfa, 0x2f, 0x8c,
187  0xe0, 0x56, 0x13, 0x70, 0x61},
188  },
189 
190  // 128-bit IV, 256-bit key, real message and aad, short tag
191  {
192  .key_len = ARRAYSIZE(kKey256),
193  .key = kKey256,
194  .iv_len = 16,
195  .iv =
196  {// IV = c58aded2e1bbecba8b16a5757e5475bd
197  0xc5, 0x8a, 0xde, 0xd2, 0xe1, 0xbb, 0xec, 0xba, 0x8b, 0x16, 0xa5,
198  0x75, 0x7e, 0x54, 0x75, 0xbd},
199  .plaintext_len = sizeof(kPlaintext),
200  .plaintext = kPlaintext,
201  .aad_len = sizeof(kAad),
202  .aad = kAad,
203  .ciphertext = kCiphertext256,
204  .tag_len = 12,
205  .tag =
206  {// Tag = 324895b3d2f656e4fa2f8ce0
207  0x32, 0x48, 0x95, 0xb3, 0xd2, 0xf6, 0x56, 0xe4, 0xfa, 0x2f, 0x8c,
208  0xe0, 0, 0, 0, 0},
209  },
210 
211  // McGrew and Viega test case 3
212  {
213  .key_len = ARRAYSIZE(kMVTestCase3Key),
214  .key = kMVTestCase3Key,
215  .iv_len = 12,
216  .iv = {0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8,
217  0x88},
218  .plaintext_len = sizeof(kMVTestCase3Plaintext),
219  .plaintext = kMVTestCase3Plaintext,
220  .aad_len = 0,
221  .aad = NULL,
222  .ciphertext = kMVTestCase3Ciphertext,
223  .tag_len = 16,
224  .tag = {0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6, 0x2c, 0xf3,
225  0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4},
226  },
227 
228  // McGrew and Viega test case 10
229  {
230  .key_len = ARRAYSIZE(kMVTestCase10Key),
231  .key = kMVTestCase10Key,
232  .iv_len = 12,
233  .iv = {0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8,
234  0x88},
235  .plaintext_len = sizeof(kMVTestCase10Plaintext),
236  .plaintext = kMVTestCase10Plaintext,
237  .aad_len = sizeof(kMVTestCase10Aad),
238  .aad = kMVTestCase10Aad,
239  .ciphertext = kMVTestCase10Ciphertext,
240  .tag_len = 16,
241  .tag = {0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f, 0x37, 0xba,
242  0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c},
243  },
244 };
245 
246 #ifdef __cplusplus
247 } // extern "C"
248 #endif // __cplusplus
249 
250 #endif // OPENTITAN_SW_DEVICE_TESTS_CRYPTO_AES_GCM_TESTVECTORS_H_
Return to OpenTitan Documentation