BOLT 8: Add test vectors. by rustyrussell · Pull Request #42 · lightning/bolts

rustyrussell · 2016-12-08T04:05:10Z

Needs @Roasbeef to check they work for him (at least, the success cases).

sstone · 2016-12-08T22:23:58Z

+    input: 0x00036360e856310ce5d294e8be33fc807077dc56ac80d95d9cd4ddbd21325eff73f70df6086551151f58b8afe6c195782c6a
+    # re=0x036360e856310ce5d294e8be33fc807077dc56ac80d95d9cd4ddbd21325eff73f7
+    # h=0x9e0e7de8bb75554f21db034633de04be41a2b8a18da7a319a03c803bf02b396c
+    # ss=0x1e2fb3c8fe8fb9f262f649f64d26ecf0f2c0a805a767cf02dc2d77a6ef1fdcc3


I believe that you've used secp256k1's ecdh function which returns sha256(serialized compressed point) instead of point.x ? With this change I can generate your results with our own implementation.

Indeed! Lets defer this pending results of #43

Roasbeef · 2016-12-09T21:10:51Z

+    e.pub: 0x036360e856310ce5d294e8be33fc807077dc56ac80d95d9cd4ddbd21325eff73f7
+    # Act One
+    # e.pub=0x036360e856310ce5d294e8be33fc807077dc56ac80d95d9cd4ddbd21325eff73f7 e.priv=0x1212121212121212121212121212121212121212121212121212121212121212
+    # h=0x9e0e7de8bb75554f21db034633de04be41a2b8a18da7a319a03c803bf02b396c


I think we should also specify what the starting h and ck values should be (for both sides before ActOne):

h = 0x8401b3fdcaaa710b5405400536a3d5fd7792fe8e7fe29cd8b687216fe323ecbd ck = 2640f52eebcd9e882958951c794250eedb28002c05d7dc2ea0f195406042caf1

This'll help implementers to ensure they initialized the state properly.

Good idea... and those numbers match mine.

Roasbeef · 2016-12-10T01:07:47Z

+    # t=0xe2699a63f350d1f255b883454a55112c
+    output: 0x00d0fedc211450dd9602b41081c9bd05328b8bf8c0238880f7b7cb8a34bb6d835408eba066c42574ce959ffbac6bd051c664e2699a63f350d1f255b883454a55112c
+    # HKDF(0x919219dbb2920afa8db80f9a51787a840bcf111ed8d588caf9ab4be716e42b01,zero)
+    output: sk,rk=0x969ab31b4d288cedf6218839b27a3e2140827047f2c0f01bf5c04435d43511a9,0xbb9020b8965f4df047e07f955f3c4b88418984aadc5cdb35096b9ea8fa5c3442


So everything lines up for me up until this point.

Instead I have:

sk=4438f22354d2620c3e7698c96bc880eee8101709baa6318e73ad799db173ca2d rk=4453668c85a468a61fdfe661864fc543eaeac9ce0634dd827a5e2c0205c8edfb

What are your full HKDF parameters for secret, salt, info?

OK, here it is in the debugger.

Inputs to HKDF:
salt = 0x91, 0x92,
0x19, 0xdb, 0xb2, 0x92, 0xa, 0xfa, 0x8d, 0xb8, 0xf, 0x9a, 0x51, 0x78,
0x7a, 0x84, 0xb, 0xcf, 0x11, 0x1e, 0xd8, 0xd5, 0x88, 0xca, 0xf9, 0xab,
0x4b, 0xe7, 0x16, 0xe4, 0x2b, 0x1
saltlen: 32
IKM-len: 0
info-len: 0

Gives PRK: {0x54, 0xde,
0x99, 0x40, 0xe0, 0xbe, 0x34, 0x8d, 0x2, 0x4d, 0x40, 0xf6, 0xfd, 0x38,
0x5d, 0x64, 0x92, 0xf6, 0x1f, 0xb, 0x1d, 0xb5, 0x7, 0x64, 0xb4, 0xcb,
0x34, 0x11, 0x70, 0xcf, 0x9b, 0xcb}

T(0) = ""
T(1) = HMAC_SHA256(PRK || 0x01) = {0x96, 0x9a,
0xb3, 0x1b, 0x4d, 0x28, 0x8c, 0xed, 0xf6, 0x21, 0x88, 0x39, 0xb2,
0x7a, 0x3e, 0x21, 0x40, 0x82, 0x70, 0x47, 0xf2, 0xc0, 0xf0, 0x1b,
0xf5, 0xc0, 0x44, 0x35, 0xd4, 0x35, 0x11, 0xa9}
T(2) = HMAC_SHA256(PRK || T(1) || 0x2)
= {0xbb, 0x90,
0x20, 0xb8, 0x96, 0x5f, 0x4d, 0xf0, 0x47, 0xe0, 0x7f, 0x95, 0x5f,
0x3c, 0x4b, 0x88, 0x41, 0x89, 0x84, 0xaa, 0xdc, 0x5c, 0xdb, 0x35, 0x9,
0x6b, 0x9e, 0xa8, 0xfa, 0x5c, 0x34, 0x42}

rustyrussell · 2016-12-13T06:07:00Z

OK, if I fix the nonce endian to le, I get:

output: rk,sk=0x969ab31b4d288cedf6218839b27a3e2140827047f2c0f01bf5c04435d43511a9,0xbb9020b8965f4df047e07f955f3c4b88418984aadc5cdb35096b9ea8fa5c3442

If you concur @sstone , I'll regen the test vectors.

sstone · 2016-12-13T11:09:54Z

I get the same results, with the following intermediate values for act 3:

Initiator:

# Act Three
# encryptWithAD(0x908b166535c01a935cf1e130a5fe895ab4e6f3ef8855d87e9b7581c4ab663ddc, 0x000000000100000000000000, 0x90578e247e98674e661013da3c5c1ca6a8c8f48c90b485c0dfa1494e23d56d72, 0x034f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa)
# c=0xb9e3a702e93e3a9948c2ed6e5fd7590a6e1c3a0344cfc9d5b57357049aa22355361aa02e55a8fc28fef5bd6d71ad0c3822
# h=0x5dcb5ea9b4ccc755e0e3456af3990641276e1d5dc9afd82f974d90a47c918660
# ss=0xb36b6d195982c5be874d6d542dc268234379e1ae4ff1709402135b7de5cf0766
# HKDF(0xe89d31033a1b6bf68c07d22e08ea4d7884646c4b60a9528598ccb4ee2c8f56ba,0xb36b6d195982c5be874d6d542dc268234379e1ae4ff1709402135b7de5cf0766)
# ck,temp_k3=0x919219dbb2920afa8db80f9a51787a840bcf111ed8d588caf9ab4be716e42b01,0x981a46c820fb7a241bc8184ba4bb1f01bcdfafb00dde80098cb8c38db9141520
# encryptWithAD(0x981a46c820fb7a241bc8184ba4bb1f01bcdfafb00dde80098cb8c38db9141520, 0x000000000000000000000000, 0x5dcb5ea9b4ccc755e0e3456af3990641276e1d5dc9afd82f974d90a47c918660, <empty>)
# t=0x8dc68b1c466263b47fdf31e560e139ba
output: 0xb9e3a702e93e3a9948c2ed6e5fd7590a6e1c3a0344cfc9d5b57357049aa22355361aa02e55a8fc28fef5bd6d71ad0c38228dc68b1c466263b47fdf31e560e139ba
# HKDF(0x919219dbb2920afa8db80f9a51787a840bcf111ed8d588caf9ab4be716e42b01,zero)
output: sk,rk=0x969ab31b4d288cedf6218839b27a3e2140827047f2c0f01bf5c04435d43511a9,0xbb9020b8965f4df047e07f955f3c4b88418984aadc5cdb35096b9ea8fa5c3442

Responder:

input: 0x00b9e3a702e93e3a9948c2ed6e5fd7590a6e1c3a0344cfc9d5b57357049aa22355361aa02e55a8fc28fef5bd6d71ad0c38228dc68b1c466263b47fdf31e560e139ba
# decryptWithAD(0x908b166535c01a935cf1e130a5fe895ab4e6f3ef8855d87e9b7581c4ab663ddc, 0x000000000100000000000000, 0x90578e247e98674e661013da3c5c1ca6a8c8f48c90b485c0dfa1494e23d56d72, 0xb9e3a702e93e3a9948c2ed6e5fd7590a6e1c3a0344cfc9d5b57357049aa22355361aa02e55a8fc28fef5bd6d71ad0c3822)
# rs=0x034f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa
# h=0x5dcb5ea9b4ccc755e0e3456af3990641276e1d5dc9afd82f974d90a47c918660
# ss=0xb36b6d195982c5be874d6d542dc268234379e1ae4ff1709402135b7de5cf0766
# HKDF(0xe89d31033a1b6bf68c07d22e08ea4d7884646c4b60a9528598ccb4ee2c8f56ba,0xb36b6d195982c5be874d6d542dc268234379e1ae4ff1709402135b7de5cf0766)
# ck,temp_k3=0x919219dbb2920afa8db80f9a51787a840bcf111ed8d588caf9ab4be716e42b01,0x981a46c820fb7a241bc8184ba4bb1f01bcdfafb00dde80098cb8c38db9141520
# decryptWithAD(0x981a46c820fb7a241bc8184ba4bb1f01bcdfafb00dde80098cb8c38db9141520, 0x000000000000000000000000, 0x5dcb5ea9b4ccc755e0e3456af3990641276e1d5dc9afd82f974d90a47c918660, 0x8dc68b1c466263b47fdf31e560e139ba)
# HKDF(0x919219dbb2920afa8db80f9a51787a840bcf111ed8d588caf9ab4be716e42b01,zero)
output: rk,sk=0x969ab31b4d288cedf6218839b27a3e2140827047f2c0f01bf5c04435d43511a9,0xbb9020b8965f4df047e07f955f3c4b88418984aadc5cdb35096b9ea8fa5c3442

Roasbeef · 2016-12-13T18:49:41Z

After fixing the HKDF related bug Rusty pointed out on IRC, my results now match up with y'alls.

@sstone are you including the 0x00 version byte before each handshake message?

sstone · 2016-12-13T21:13:56Z

No you're right I left it out sorry...

rustyrussell · 2016-12-20T02:54:38Z

@sstone Hmm, your nonce value was "0x000000000100000000000000" and mine was "0x010000000000000000000000". I assumed 96 bit LE, should I assume 64 bit with 0 pre-pad? @Roasbeef ?

sstone · 2016-12-20T08:13:45Z

That's what I understood from the Noise specs: 32 bits of zeros followed by little-endian encoding of n (the first 32 bits of zeros make it compatible with the old ChaCha20 implementations that use a 64 bit nonce).

Roasbeef · 2016-12-20T08:24:36Z

Ahh, I must've skimmed over the nonce bit in the vectors!

I implemented it the way way that @sstone did, so my nonce is 0x000000000100000000000000. As he said, a 96-bit nonce is used here in order to match AES-GCM and other IETF related AEAD specifications. The chacha rfc we're using atm allows the protocol itself to specify the nonce size, in this instance Noise chooses a 64-bit nonce rather than a 96-bit nonce.

rustyrussell · 2016-12-21T04:48:53Z

Yay, now we seem to match! If no objections, I'll squash some commits together and merge.

This follows the Noise spec. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

rustyrussell assigned Roasbeef Dec 8, 2016

cdecker requested a review from Roasbeef December 8, 2016 07:34

sstone reviewed Dec 8, 2016

View reviewed changes

Roasbeef reviewed Dec 9, 2016

View reviewed changes

Roasbeef reviewed Dec 10, 2016

View reviewed changes

rustyrussell force-pushed the bolt8-test-vectors branch from 5459de7 to 75d950c Compare December 16, 2016 04:41

rustyrussell added 2 commits December 22, 2016 11:31

BOLT 8: Nonces should be little-endian, 64 bit.

8362c84

This follows the Noise spec. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

BOLT 8: Add test vectors.

4837c60

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

rustyrussell force-pushed the bolt8-test-vectors branch from f677f62 to 4837c60 Compare December 22, 2016 01:02

rustyrussell merged commit 6be5857 into lightning:master Dec 22, 2016

Conversation

rustyrussell commented Dec 8, 2016

Uh oh!

sstone Dec 8, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

rustyrussell Dec 9, 2016

Choose a reason for hiding this comment

Uh oh!

Roasbeef Dec 9, 2016

Choose a reason for hiding this comment

Uh oh!

rustyrussell Dec 13, 2016

Choose a reason for hiding this comment

Uh oh!

Roasbeef Dec 10, 2016

Choose a reason for hiding this comment

Uh oh!

Roasbeef Dec 10, 2016

Choose a reason for hiding this comment

Uh oh!

rustyrussell Dec 13, 2016

Choose a reason for hiding this comment

Uh oh!

rustyrussell commented Dec 13, 2016

Uh oh!

sstone commented Dec 13, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Roasbeef commented Dec 13, 2016

Uh oh!

sstone commented Dec 13, 2016

Uh oh!

rustyrussell commented Dec 20, 2016

Uh oh!

sstone commented Dec 20, 2016

Uh oh!

Roasbeef commented Dec 20, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rustyrussell commented Dec 21, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

sstone Dec 8, 2016 •

edited

Loading

sstone commented Dec 13, 2016 •

edited

Loading

Roasbeef commented Dec 20, 2016 •

edited

Loading