Grain-128AEAD decryption leaves unexpected trailing bytes #2023

Closed
@cs-bic

In version 1.80:

https://downloads.bouncycastle.org/java/docs/bcprov-jdk18on-javadoc/org/bouncycastle/crypto/engines/Grain128AEADEngine.html fails to decrypt when using a wrapping function that works with Ascon and Elephant AEAD ciphers (padded plaintext is successfully reversed, 16 bytes of what I assume to be a MAC are appended).
In the following sample, the first line is the plaintext, the second line is the padded plaintext, the third line is the ciphertext, and the fourth line is the plaintext post-decryption (notice the trailing bytes). All lines are encoded in hexadecimal.

plaintext:        41747461636b207468652073686970206174206d69646e6967687421
padded plaintext: 41747461636b207468652073686970206174206d69646e6967687421010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
ciphertext:       3e81b587a975b2cf531ee1d8376215ace3806fbc2b6853ba3007810c7a4b6eefd3d61ec372618f43bb7488d80c19943cf7ab2dc64d3910e7afd75e1479b25c8f69c87039f232f1770e31b709e4f1ed4f0e2b0c89a43c7ff0453a708634d625aeb5d9951bf246b79e6a3b91d4cf508f7a9869f9ed522a12cf
post-decryption:  41747461636b207468652073686970206174206d69646e6967687421010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ea3e23ebbd8d19c800677ab89f67fa51

Looking at https://github.com/bcgit/bc-java/blob/main/core/src/test/java/org/bouncycastle/crypto/test/Grain128AEADTest.java, I do not see tests of decryption (no .init(false...) calls).
Looking at https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/crypto/engines/Grain128AEADEngine.java#L379, it seems .doFinal() is not checking whether or not it is supposed to be encrypting or decrypting, and always emits a MAC.
Looking at https://grain-128aead.github.io/, it seems this cipher is in the process of standardization, and I am not aware of this fact's effects on the workings of the cipher in Bouncy Castle.

It is of course possible that my implementation is not correctly decrypting, and there is no issue with Grain-128AEAD's implementation.
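
A minimal round-trip check for the behaviour reported above, as an added example that is not part of the original issue or of the Bouncy Castle test suite. It calls `init(false, ...)` and tests two things a correct AEAD decryption must do: return exactly the plaintext, and reject a modified tag. The class name and the all-zero key and nonce are constructed for illustration; the tag length is measured rather than assumed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.engines.Grain128AEADEngine;
import org.bouncycastle.crypto.modes.AEADCipher;
import org.bouncycastle.crypto.params.KeyParameter;
import org.bouncycastle.crypto.params.ParametersWithIV;

// Hypothetical class name; not part of the Bouncy Castle test suite.
public class Grain128AEADRoundTrip {
    // One init/processBytes/doFinal pass; returns exactly the bytes the engine reported writing.
    static byte[] run(AEADCipher c, boolean forEncryption, ParametersWithIV p, byte[] in)
            throws InvalidCipherTextException {
        c.init(forEncryption, p);
        byte[] out = new byte[in.length + 64]; // oversized so extra output shows up instead of overflowing
        int n = c.processBytes(in, 0, in.length, out, 0);
        n += c.doFinal(out, n);
        return Arrays.copyOf(out, n);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];   // constructed test key (all zero), 128 bits
        byte[] nonce = new byte[12]; // constructed test nonce (all zero), 96 bits
        ParametersWithIV params = new ParametersWithIV(new KeyParameter(key), nonce);
        // Same plaintext as the first hex line in the issue.
        byte[] pt = "Attack the ship at midnight!".getBytes(StandardCharsets.US_ASCII);

        byte[] ct = run(new Grain128AEADEngine(), true, params, pt);
        System.out.println("tag bytes appended on encrypt: " + (ct.length - pt.length));

        // Check 1: decryption must return the plaintext and nothing else.
        byte[] dec = run(new Grain128AEADEngine(), false, params, ct);
        System.out.println("decrypt output length " + dec.length + ", expected " + pt.length);
        System.out.println("round trip exact: " + Arrays.equals(pt, dec));

        // Check 2: a modified tag must make doFinal throw, not pass silently.
        byte[] bad = ct.clone();
        bad[bad.length - 1] ^= 0x01;
        try {
            run(new Grain128AEADEngine(), false, params, bad);
            System.out.println("tampered ciphertext accepted: tag is NOT verified");
        } catch (InvalidCipherTextException e) {
            System.out.println("tampered ciphertext rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it against the `bcprov` jar of the version under test; any output longer than the plaintext on decrypt, or an accepted tampered ciphertext, means the engine is not authenticating on decryption.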

Labels

bug (Something isn't working)
