C29x AES-CMAC partial block support

kevinwhitfield · ‎10-12-2018

I'm attempting to use the C29x crypto accelerator to implement an AES-CMAC functionality. For validation, I'm using AES CMAC test vectors from NIST (https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/mac/c...).

What I'm finding is that incorrect signatures are being generated for messages which are not a multiple of 16-bytes in length. At the same time, the "C29x Crypto Coprocessor Family Reference Manual" implies that partial blocks are supported ("final MAC is computed using either K1 or K2, derived from L as needed").

For example given this NIST test case:

Count = 48
Klen = 16
Mlen = 33
Tlen = 4
Key = 499db5a3ecc83d34fd885fde06931097
Msg = f2783540c9e1706ee3e7a43e71833987bb72441c1e2eab58501c8bfaec07d6332a
Mac = 8e9649db

the computed (full-sized) Mac is 122ac7d890acdb691b88d0ac278e2df1, rather than something beginning with 8e9649db.

FWIW, the operation is being performed using OP_ALG_AS_INITFINAL, to effect a single INIT/UPDATE/FINAL operation.

I'd appreciate any suggestions and/or guidance that anyone has to offer on how to perform CMAC processing of messages which are not an even number of blocks..

Thanks!

Kevin##

bpe · ‎10-22-2018

Simply changing the operation command from GCM to CMAC in the GCM
shared descriptor (that's what I've noticed when disassembling the
hex dump they provided) won't work.

Below are some proof of concept examples:
GCM:
<jobdesc id="gcm_aes256_tc2d">
<key class="1" s="#gcm_aes256_tc2d_key" dest="key" />
<operation enc=0 type="class1" as="initfinal" aai="gcm" alg="aes" icv=1 />
<fifostore type=msg d="#gcm_aes256_tc2d_out" />
<fifoload type=iv,flush1 class=1 s="#gcm_aes256_tc2d_iv" />
<fifoload type=aad,flush1 class=1 s=[] />
<fifoload type=msg,flush1 class=1 s="#gcm_aes256_tc2d_msg" />
<fifoload type=icv,last1 class=1 s="#gcm_aes256_tc2d_icv" />
<store s="ctx1" d="#gcm_aes256_tc2d_icv" />
</jobdesc>

CMAC:
<jobdesc id="cmac_aes128_tc3">
<key class="1" s="#cmac_aes128_tc3_key" dest="key" />
<operation enc=1 type="class1" as="initfinal" aai="cmac" alg="aes" />
<fifoload type=msg,last1 class=1 s="#cmac_aes128_tc3_msg" />
<store s="ctx1" d="#cmac_aes128_tc3_hash" />
</jobdesc>

Note, CMAC only uses MESSAGE data, whereas GCM uses IV, AAD, and
Message data. That is why simple change of the descriptor does not work.

Have a great day,
Platon

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------