Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Grain-128AEAD decryption leaves unexpected trailing bytes #2023

Closed
cs-bic opened this issue Mar 12, 2025 · 1 comment
Closed

Grain-128AEAD decryption leaves unexpected trailing bytes #2023

cs-bic opened this issue Mar 12, 2025 · 1 comment
Assignees
@ligefeiBouncycastle

Comments

@cs-bic
Copy link

cs-bic commented Mar 12, 2025
edited
Loading

In version 1.80:

https://downloads.bouncycastle.org/java/docs/bcprov-jdk18on-javadoc/org/bouncycastle/crypto/engines/Grain128AEADEngine.html fails to decrypt when using a wrapping function that works with Ascon and Elephant AEAD ciphers (padded plaintext is successfully reversed, 16 bytes of what I assume to be a MAC are appended).
In the following sample, the first line is the plaintext, the second line is the padded plaintext, the third line is the ciphertext, and the fourth line is the plaintext post-decryption (notice the trailing bytes). All lines are encoded in hexadecimal.

plaintext:        41747461636b207468652073686970206174206d69646e6967687421
padded plaintext: 41747461636b207468652073686970206174206d69646e6967687421010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
ciphertext:       3e81b587a975b2cf531ee1d8376215ace3806fbc2b6853ba3007810c7a4b6eefd3d61ec372618f43bb7488d80c19943cf7ab2dc64d3910e7afd75e1479b25c8f69c87039f232f1770e31b709e4f1ed4f0e2b0c89a43c7ff0453a708634d625aeb5d9951bf246b79e6a3b91d4cf508f7a9869f9ed522a12cf
post-decryption:  41747461636b207468652073686970206174206d69646e6967687421010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ea3e23ebbd8d19c800677ab89f67fa51

Looking at https://github.com/bcgit/bc-java/blob/main/core/src/test/java/org/bouncycastle/crypto/test/Grain128AEADTest.java, I do not see tests of decryption (no .init(false...) calls).
Looking at https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/crypto/engines/Grain128AEADEngine.java#L379, it seems .doFinal() is not checking whether or not it is supposed to be encrypting or decrypting, and always emits a MAC.
Looking at https://grain-128aead.github.io/, it seems this cipher is in the process of standardization, and I am not aware of this fact's effects on the workings of the cipher in Bouncy Castle.

It is of course possible that my implementation is not correctly decrypting, and there is no issue with Grain-128AEAD's implementation.
@ligefeiBouncycastle ligefeiBouncycastle self-assigned this Mar 12, 2025
@ligefeiBouncycastle
Copy link
Collaborator

Thank you for highlighting the decryption issue with the Grain128AEADEngine, which did not correctly handle MAC generation and verification during decryption. This issue has now been fixed. Please check the update in GitHub or the latest beta version.​

If you have further questions or need assistance, feel free to reach out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ligefeiBouncycastle ligefeiBouncycastle

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cs-bic @ligefeiBouncycastle