Jeffrey Walton <[email protected]> writes:

> Or you can use the test vectors from Wei Dai's Crypto++. The project
> already generated test vectors for 1x, 4x and 12x blocks. The test
> vectors include Bernstein's ChaCha and the IETF version. Also see
> https://github.com/weidai11/cryptopp/blob/master/TestVectors/chacha.txt

Thanks, I've copied one of the 1024 byte test vectors from there.

> You might also consider changing the project's governance to require a
> complete set of test vectors for each algorithm. If you are doing 4x
> blocks, then you need test vectors covering them. You should also use
> an independent program to generate them, like Bernstein's reference
> implementation. (I don't believe the IETF provides a reference
> implementation).

In this case, the coverage problem wasn't mainly lack of authoritative test vectors, but missing coverage for sequences of calls to chacha_crypt/chacha_crypt32. The bug was in the counter update at the very end of the processing, for certain data sizes, and would not cause obviously incorrect results until the next call.

For tests that vary things like alignment, message size, how to split a message into multiple calls, etc., I think it's usually good enough to check that the result always is identical to the simplest way to do it (say, using a single call for the complete message, friendly alignment, and without involving any assembly code). I think of that kind of test as mostly orthogonal to tests using authoritative test vectors.

I've pushed test updates to the branch fix-chacha-counter, and CI builds now fail on ppc64. The fix posted to the list appears to work; I'll push that to the branch in a moment.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
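The split-call consistency check described in the message above, as an added example that is not part of the original message and is not Nettle's code: a plain one-block-at-a-time ChaCha20 core with a 32-bit block counter encrypts the message in a single call, then again as two calls for every block-aligned split point, and the outputs are compared. The names `cc_ctx`, `cc_init`, `cc_crypt` and `cc_split_mismatches` are hypothetical, and the all-zero key, nonce and message are constructed input.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical minimal context, not Nettle's struct chacha_ctx; s[12] is a 32-bit block counter. */
struct cc_ctx { uint32_t s[16]; };
#define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define QR(a, b, c, d) (a += b, d ^= a, d = ROTL(d, 16), c += d, b ^= c, b = ROTL(b, 12), \
                        a += b, d ^= a, d = ROTL(d, 8), c += d, b ^= c, b = ROTL(b, 7))
/* Constructed input: all-zero key and nonce, caller-chosen starting counter. */
static void cc_init(struct cc_ctx *c, uint32_t counter) {
  static const uint32_t sigma[4] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
  memset(c->s, 0, sizeof c->s);
  memcpy(c->s, sigma, sizeof sigma);
  c->s[12] = counter;
}
/* Simplest path: one block per iteration. Every call but the last must be a multiple of 64 bytes. */
static void cc_crypt(struct cc_ctx *c, size_t len, uint8_t *dst, const uint8_t *src) {
  while (len > 0) {
    uint32_t x[16];
    memcpy(x, c->s, sizeof x);
    for (int r = 0; r < 10; r++) {   /* 10 double rounds = 20 rounds */
      QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
      QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
      QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
      QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    size_t n = len < 64 ? len : 64;
    for (size_t i = 0; i < n; i++)   /* little-endian keystream XOR */
      dst[i] = src[i] ^ (uint8_t)((x[i / 4] + c->s[i / 4]) >> (8 * (i % 4)));
    c->s[12]++;   /* counter update: an error here is only visible in the next call */
    len -= n; dst += n; src += n;
  }
}
/* One call vs. two calls at every block-aligned cut; returns the number of cuts that differ. */
static int cc_split_mismatches(size_t len, uint32_t counter) {
  static uint8_t msg[1024], ref[1024], out[1024];   /* constructed all-zero message, len <= 1024 */
  struct cc_ctx c;
  int bad = 0;
  cc_init(&c, counter);
  cc_crypt(&c, len, ref, msg);                      /* reference: single call */
  for (size_t cut = 0; cut <= len; cut += 64) {
    cc_init(&c, counter);
    cc_crypt(&c, cut, out, msg);                    /* first call leaves the counter behind */
    cc_crypt(&c, len - cut, out + cut, msg + cut);  /* second call depends on that counter */
    bad += memcmp(out, ref, len) != 0;
  }
  return bad;
}
int main(void) { return cc_split_mismatches(1024, 0) != 0; }
```

Both sides here run the same reference routine, so the mismatch count is 0; in a real test suite the two-call side would be the optimized implementation under test, with this routine as the single-call reference.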
