phantom/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-01-10 03:47:29 -03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

crypto: add FSChaCha20Poly1305, rekeying wrapper around ChaCha20Poly1305

Browse source 
This adds the FSChaCha20Poly1305 AEAD as specified in BIP324, a wrapper
around the ChaCha20Poly1305 AEAD (as specified in RFC8439 section 2.8) which
automatically rekeys every N messages, and automatically increments the nonce
every message.
This commit is contained in:
Pieter Wuille 2023-06-29 14:55:16 -04:00
parent 0fee267792
commit aa8cee9334
3 changed files with 159 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
src/crypto/chacha20poly1305.cpp
View file

@ -8,6 +8,7 @@
#include <crypto/chacha20.h>
#include <crypto/poly1305.h>
#include <span.h>
#include <support/cleanse.h>
#include <assert.h>
#include <cstdint>
@ -99,3 +100,41 @@ bool AEADChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std:
m_chacha20.Crypt(UCharCast(cipher.data()), UCharCast(plain.data()), plain.size());
return true;
}
void AEADChaCha20Poly1305::Keystream(Nonce96 nonce, Span<std::byte> keystream) noexcept
{
// Skip the first output block, as it's used for generating the poly1305 key.
m_chacha20.Seek64(nonce, 1);
m_chacha20.Keystream(UCharCast(keystream.data()), keystream.size());
}
void FSChaCha20Poly1305::NextPacket() noexcept
{
if (++m_packet_counter == m_rekey_interval) {
// Generate a full block of keystream, to avoid needing the ChaCha20 buffer, even though
// we only need KEYLEN (32) bytes.
std::byte one_block[64];
m_aead.Keystream({0xFFFFFFFF, m_rekey_counter}, one_block);
// Switch keys.
m_aead.SetKey(Span{one_block}.first(KEYLEN));
// Wipe the generated keystream (a copy remains inside m_aead, which will be cleaned up
// once it cycles again, or is destroyed).
memory_cleanse(one_block, sizeof(one_block));
// Update counters.
m_packet_counter = 0;
++m_rekey_counter;
}
}
void FSChaCha20Poly1305::Encrypt(Span<const std::byte> plain, Span<const std::byte> aad, Span<std::byte> cipher) noexcept
{
m_aead.Encrypt(plain, aad, {m_packet_counter, m_rekey_counter}, cipher);
NextPacket();
}
bool FSChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain) noexcept
{
bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain);
NextPacket();
return ret;
}

62
src/crypto/chacha20poly1305.h
View file

@ -46,6 +46,68 @@ public:
* Requires cipher.size() = plain.size() + EXPANSION.
*/
bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> plain) noexcept;
/** Get a number of keystream bytes from the underlying stream cipher.
*
* This is equivalent to Encrypt() with plain set to that many zero bytes, and dropping the
* last EXPANSION bytes off the result.
*/
void Keystream(Nonce96 nonce, Span<std::byte> keystream) noexcept;
};
/** Forward-secure wrapper around AEADChaCha20Poly1305.
*
* This implements an AEAD which automatically increments the nonce on every encryption or
* decryption, and cycles keys after a predetermined number of encryptions or decryptions.
*
* See BIP324 for details.
*/
class FSChaCha20Poly1305
{
private:
/** Internal AEAD. */
AEADChaCha20Poly1305 m_aead;
/** Every how many iterations this cipher rekeys. */
const uint32_t m_rekey_interval;
/** The number of encryptions/decryptions since the last rekey. */
uint32_t m_packet_counter{0};
/** The number of rekeys performed so far. */
uint64_t m_rekey_counter{0};
/** Update counters (and if necessary, key) to transition to the next message. */
void NextPacket() noexcept;
public:
/** Length of keys expected by the constructor. */
static constexpr auto KEYLEN = AEADChaCha20Poly1305::KEYLEN;
/** Expansion when encrypting. */
static constexpr auto EXPANSION = AEADChaCha20Poly1305::EXPANSION;
// No copy or move to protect the secret.
FSChaCha20Poly1305(const FSChaCha20Poly1305&) = delete;
FSChaCha20Poly1305(FSChaCha20Poly1305&&) = delete;
FSChaCha20Poly1305& operator=(const FSChaCha20Poly1305&) = delete;
FSChaCha20Poly1305& operator=(FSChaCha20Poly1305&&) = delete;
/** Construct an FSChaCha20Poly1305 cipher that rekeys every rekey_interval operations. */
FSChaCha20Poly1305(Span<const std::byte> key, uint32_t rekey_interval) noexcept :
m_aead(key), m_rekey_interval(rekey_interval) {}
/** Encrypt a message with a specified aad.
*
* Requires cipher.size() = plain.size() + EXPANSION.
*/
void Encrypt(Span<const std::byte> plain, Span<const std::byte> aad, Span<std::byte> cipher) noexcept;
/** Decrypt a message with a specified aad. Returns true if valid.
*
* Requires cipher.size() = plain.size() + EXPANSION.
*/
bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain) noexcept;
};
#endif // BITCOIN_CRYPTO_CHACHA20POLY1305_H

58
src/test/crypto_tests.cpp
View file

@ -264,6 +264,41 @@ static void TestChaCha20Poly1305(const std::string& plain_hex, const std::string
bool ret = aead.Decrypt(cipher, aad, nonce, decipher);
BOOST_CHECK(ret);
BOOST_CHECK(decipher == plain);
std::vector<std::byte> keystream(plain.size());
aead.Keystream(nonce, keystream);
for (size_t i = 0; i < plain.size(); ++i) {
BOOST_CHECK_EQUAL(plain[i] ^ keystream[i], cipher[i]);
}
}
static void TestFSChaCha20Poly1305(const std::string& plain_hex, const std::string& aad_hex, const std::string& key_hex, uint64_t msg_idx, const std::string& cipher_hex)
{
auto plain = ParseHex<std::byte>(plain_hex);
auto aad = ParseHex<std::byte>(aad_hex);
auto key = ParseHex<std::byte>(key_hex);
auto expected_cipher = ParseHex<std::byte>(cipher_hex);
std::vector<std::byte> cipher(plain.size() + FSChaCha20Poly1305::EXPANSION);
FSChaCha20Poly1305 enc_aead{key, 224};
for (uint64_t i = 0; i < msg_idx; ++i) {
std::byte dummy_tag[FSChaCha20Poly1305::EXPANSION] = {{}};
enc_aead.Encrypt(Span{dummy_tag}.first(0), Span{dummy_tag}.first(0), dummy_tag);
}
enc_aead.Encrypt(plain, aad, cipher);
BOOST_CHECK(cipher == expected_cipher);
FSChaCha20Poly1305 dec_aead{key, 224};
for (uint64_t i = 0; i < msg_idx; ++i) {
std::byte dummy_tag[FSChaCha20Poly1305::EXPANSION] = {{}};
dec_aead.Decrypt(dummy_tag, Span{dummy_tag}.first(0), Span{dummy_tag}.first(0));
}
std::vector<std::byte> decipher(cipher.size() - AEADChaCha20Poly1305::EXPANSION);
bool ret = dec_aead.Decrypt(cipher, aad, decipher);
BOOST_CHECK(ret);
BOOST_CHECK(decipher == plain);
}
static void TestHKDF_SHA256_32(const std::string &ikm_hex, const std::string &salt_hex, const std::string &info_hex, const std::string &okm_check_hex) {
@ -947,6 +982,29 @@ BOOST_AUTO_TEST_CASE(chacha20poly1305_testvectors)
"77adda51d6730b9ad6c995658cbd49f581b2547e7c0c08fcc24ceec797461021",
{0x1f90da88, 0x75dafa3ef84471a4},
"aaae5bb81e8407c94b2ae86ae0c7efbe");
// FSChaCha20Poly1305 tests.
TestFSChaCha20Poly1305("d6a4cb04ef0f7c09c1866ed29dc24d820e75b0491032a51b4c3366f9ca35c19e"
"a3047ec6be9d45f9637b63e1cf9eb4c2523a5aab7b851ebeba87199db0e839cf"
"0d5c25e50168306377aedbe9089fd2463ded88b83211cf51b73b150608cc7a60"
"0d0f11b9a742948482e1b109d8faf15b450aa7322e892fa2208c6691e3fecf4c"
"711191b14d75a72147",
"786cb9b6ebf44288974cf0",
"5c9e1c3951a74fba66708bf9d2c217571684556b6a6a3573bff2847d38612654",
500,
"9dcebbd3281ea3dd8e9a1ef7d55a97abd6743e56ebc0c190cb2c4e14160b385e"
"0bf508dddf754bd02c7c208447c131ce23e47a4a14dfaf5dd8bc601323950f75"
"4e05d46e9232f83fc5120fbbef6f5347a826ec79a93820718d4ec7a2b7cfaaa4"
"4b21e16d726448b62f803811aff4f6d827ed78e738ce8a507b81a8ae13131192"
"8039213de18a5120dc9b7370baca878f50ff254418de3da50c");
TestFSChaCha20Poly1305("8349b7a2690b63d01204800c288ff1138a1d473c832c90ea8b3fc102d0bb3adc"
"44261b247c7c3d6760bfbe979d061c305f46d94c0582ac3099f0bf249f8cb234",
"",
"3bd2093fcbcb0d034d8c569583c5425c1a53171ea299f8cc3bbf9ae3530adfce",
60000,
"30a6757ff8439b975363f166a0fa0e36722ab35936abd704297948f45083f4d4"
"99433137ce931f7fca28a0acd3bc30f57b550acbc21cbd45bbef0739d9caf30c"
"14b94829deb27f0b1923a2af704ae5d6");
}
BOOST_AUTO_TEST_CASE(hkdf_hmac_sha256_l32_tests)