Fix SKINNY-AEAD inverse tweakey LFSR rows

[AeonDave]

Summary

• ensure the inverse tweakey schedule in skinnyAddKeyInv rewinds the same rows as the forward schedule

Testing

• go test ./aead

---

https://chatgpt.com/codex/tasks/task_e_68fb74494d9083259fdb8084ed56fc50

[chatgpt-codex-connector]

💡 Codex Review

cryptonite-go/aead/skinnyaead.go

Lines 518 to 522 in 88977fc

	for i := 0; i < 2; i++ {
	for j := 0; j < 4; j++ {
	tmp[1][i][j] = ((tmp[1][i][j] >> 1) & 0x7f) ^ ((tmp[1][i][j] << 7) & 0x80) ^ ((tmp[1][i][j] << 1) & 0x80)
	tmp[2][i][j] = ((tmp[2][i][j] << 1) & 0xfe) ^ ((tmp[2][i][j] >> 7) & 0x01) ^ ((tmp[2][i][j] >> 5) & 0x01)
	}

Rewind LFSR on wrong rows after inverse permutation

In skinnyAddKeyInv the tweakey state is first rearranged with skinnyTweakeyPermInv. After this permutation the bytes that were advanced by the forward LFSRs reside in rows 2–3, not 0–1. The new loop for i := 0; i < 2 therefore applies the inverse LFSRs to rows that were never shifted and leaves the shifted rows untouched, so the key schedule is not correctly rewound before XORing the state. This breaks SKINNY-AEAD decryption for all inputs. The inverse step should still target rows 2 and 3 (or apply the LFSR before undoing the permutation).

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".