Found 1 record.

Status: Verified (1)

RFC 9605, "Secure Frame (SFrame): Lightweight Authenticated Encryption for Real-Time Media", August 2024

Errata ID: 8321
Status: Verified
Type: Technical
Publication Format(s) : TEXT, PDF, HTML
Reported By: Rich Logan
Date Reported: 2025-03-03
Verifier Name: Orie Steele
Date Verified: 2025-03-25

Section 4.4.3 says:

def encrypt(CTR, KID, metadata, plaintext):
sframe_key, sframe_salt = key_store[KID]
# encode_big_endian(x, n) produces an n-byte string encoding the
# integer x in big-endian byte order.
ctr = encode_big_endian(CTR, AEAD.Nn)
nonce = xor(sframe_salt, CTR)
# encode_sframe_header produces a byte string encoding the
# provided KID and CTR values into an SFrame header.
header = encode_sframe_header(CTR, KID)
aad = header + metadata
ciphertext = AEAD.Encrypt(sframe_key, nonce, aad, plaintext)
return header + ciphertext

It should say:

def encrypt(CTR, KID, metadata, plaintext):
sframe_key, sframe_salt = key_store[KID]
# encode_big_endian(x, n) produces an n-byte string encoding the
# integer x in big-endian byte order.
ctr = encode_big_endian(CTR, AEAD.Nn)
nonce = xor(sframe_salt, ctr)
# encode_sframe_header produces a byte string encoding the
# provided KID and CTR values into an SFrame header.
header = encode_sframe_header(CTR, KID)
aad = header + metadata
ciphertext = AEAD.Encrypt(sframe_key, nonce, aad, plaintext)
return header + ciphertext

Notes:

The formation of the nonce states to xor the sframe_salt with CTR, which is the original counter value, not the encoded big endian representation created on the line above, which I believe is the intention.

Report New Errata