RFC8439Encrypt can take multiple plaintexts

Author: dhruv

src/bench/rfc8439.cpp

@@ -24,11 +24,12 @@ std::array<std::byte, 12> nonce = {std::byte{0x00}, std::byte{0x01}, std::byte{0
 
 static void RFC8439_AEAD(benchmark::Bench& bench, size_t plaintext_size, bool include_decryption)
 {
-    std::vector<std::byte> plaintext_in(plaintext_size, std::byte{0x00});
+    const std::vector<std::byte> plaintext_in(plaintext_size, std::byte{0x00});
+    std::vector<Span<const std::byte>> ins{plaintext_in};
     std::vector<std::byte> output(plaintext_size + POLY1305_TAGLEN, std::byte{0x00});
 
     bench.batch(plaintext_size).unit("byte").run([&] {
-        RFC8439Encrypt(aad, zero_key, nonce, plaintext_in, output);
+        RFC8439Encrypt(aad, zero_key, nonce, ins, output);
 
         if (include_decryption) {
             std::vector<std::byte> decrypted_plaintext(plaintext_size);

src/crypto/bip324_suite.cpp

@@ -72,25 +72,13 @@ bool BIP324CipherSuite::Crypt(const Span<const std::byte> input, Span<std::byte>
         uint32_t ciphertext_len = BIP324_HEADER_LEN + input.size();
         WriteLE32(reinterpret_cast<unsigned char*>(&ciphertext_len), ciphertext_len);
 
-        std::vector<std::byte> input_vec;
-        input_vec.resize(BIP324_HEADER_LEN + input.size());
-
-
-        // TODO: this can be optimized by changing the RFC8439Encrypt interface to accept a list of inputs.
-        // But, at the moment, there's a potential bug in out ChaCha20 implementation for plaintexts that
-        // are not a multiple of 64 bytes -- the rest of the "block" is discarded. An update is in progress
-        // which will help here.
-        memcpy(input_vec.data(), &flags, BIP324_HEADER_LEN);
-        if (!input.empty()) {
-            memcpy(input_vec.data() + BIP324_HEADER_LEN, input.data(), input.size());
-        }
-
-
         auto write_pos = output.data();
         fsc20.Crypt({reinterpret_cast<std::byte*>(&ciphertext_len), BIP324_LENGTH_FIELD_LEN},
                     {write_pos, BIP324_LENGTH_FIELD_LEN});
         write_pos += BIP324_LENGTH_FIELD_LEN;
-        RFC8439Encrypt({}, payload_key, nonce, input_vec, {write_pos, BIP324_HEADER_LEN + input.size() + RFC8439_TAGLEN});
+
+        std::vector<Span<const std::byte>> ins{Span{reinterpret_cast<std::byte*>(&flags), BIP324_HEADER_LEN}, input};
+        RFC8439Encrypt({}, payload_key, nonce, ins, {write_pos, BIP324_HEADER_LEN + input.size() + RFC8439_TAGLEN});
     } else {
         // we must use BIP324CipherSuite::DecryptLength before calling BIP324CipherSuite::Crypt
         // input is encrypted (header + payload) and the mac tag

src/crypto/rfc8439.cpp

@@ -57,27 +57,41 @@ std::array<std::byte, POLY1305_KEYLEN> GetPoly1305Key(ChaCha20& c20)
     return polykey;
 }
 
-void RFC8439Crypt(ChaCha20& c20, const Span<const std::byte> in_bytes, Span<std::byte> out_bytes)
+void RFC8439Crypt(ChaCha20& c20, const std::vector<Span<const std::byte>>& in_bytes, Span<std::byte> out_bytes)
 {
-    assert(in_bytes.size() <= out_bytes.size());
+    size_t total_bytes = 0;
+    for (auto in: in_bytes) {
+        total_bytes += in.size();
+    }
+    assert(total_bytes <= out_bytes.size());
     c20.SeekRFC8439(1);
-    c20.Crypt(reinterpret_cast<const unsigned char*>(in_bytes.data()), reinterpret_cast<unsigned char*>(out_bytes.data()), in_bytes.size());
+
+    auto write_pos = out_bytes.data();
+    for (auto in: in_bytes) {
+        c20.Crypt(reinterpret_cast<const unsigned char*>(in.data()), reinterpret_cast<unsigned char*>(write_pos), in.size());
+        write_pos += in.size();
+    }
 }
 
-void RFC8439Encrypt(const Span<const std::byte> aad, const Span<const std::byte> key, const std::array<std::byte, 12>& nonce, const Span<const std::byte> plaintext, Span<std::byte> output)
+void RFC8439Encrypt(const Span<const std::byte> aad, const Span<const std::byte> key, const std::array<std::byte, 12>& nonce, const std::vector<Span<const std::byte>>& plaintexts, Span<std::byte> output)
 {
     assert(key.size() == RFC8439_KEYLEN);
-    assert(output.size() >= plaintext.size() + POLY1305_TAGLEN);
 
     ChaCha20 c20{reinterpret_cast<const unsigned char*>(key.data()), key.size()};
     c20.SetRFC8439Nonce(nonce);
 
     std::array<std::byte, POLY1305_KEYLEN> polykey{GetPoly1305Key(c20)};
 
-    RFC8439Crypt(c20, plaintext, output);
+    size_t total_bytes = 0;
+    for (auto plaintext: plaintexts) {
+        total_bytes += plaintext.size();
+    }
+
+    assert(output.size() >= total_bytes + POLY1305_TAGLEN);
+    RFC8439Crypt(c20, plaintexts, output);
     ComputeRFC8439Tag(polykey, aad,
-                      {output.data(), plaintext.size()},
-                      {output.data() + plaintext.size(), POLY1305_TAGLEN});
+                      {output.data(), total_bytes},
+                      {output.data() + total_bytes, POLY1305_TAGLEN});
 }
 
 bool RFC8439Decrypt(const Span<const std::byte> aad, const Span<const std::byte> key, const std::array<std::byte, 12>& nonce, const Span<const std::byte> input, Span<std::byte> plaintext)
@@ -98,6 +112,7 @@ bool RFC8439Decrypt(const Span<const std::byte> aad, const Span<const std::byte>
         return false;
     }
 
-    RFC8439Crypt(c20, {input.data(), input.size() - POLY1305_TAGLEN}, plaintext);
+    std::vector<Span<const std::byte>> ins{{input.data(), input.size() - POLY1305_TAGLEN}};
+    RFC8439Crypt(c20, ins, plaintext);
     return true;
 }

src/crypto/rfc8439.h

@@ -15,7 +15,7 @@
 constexpr static size_t RFC8439_KEYLEN = 32;
 constexpr static size_t RFC8439_TAGLEN = POLY1305_TAGLEN;
 
-void RFC8439Encrypt(const Span<const std::byte> aad, const Span<const std::byte> key, const std::array<std::byte, 12>& nonce, const Span<const std::byte> plaintext, Span<std::byte> output);
+void RFC8439Encrypt(const Span<const std::byte> aad, const Span<const std::byte> key, const std::array<std::byte, 12>& nonce, const std::vector<Span<const std::byte>>& plaintexts, Span<std::byte> output);
 
 // returns false if authentication fails
 bool RFC8439Decrypt(const Span<const std::byte> aad, const Span<const std::byte> key, const std::array<std::byte, 12>& nonce, const Span<const std::byte> input, Span<std::byte> plaintext);

src/test/crypto_tests.cpp

@@ -808,8 +808,6 @@ static void TestBIP324CipherSuite(const std::string& hex_input, const std::strin
 
 BOOST_AUTO_TEST_CASE(bip324_cipher_suite_testvectors)
 {
-    /* test bip324 cipher suite */
-
     // encrypting an empty message should result in 20 bytes:
     // 3 bytes of encrypted length, 1 byte header and 16 bytes MAC
     TestBIP324CipherSuite(/* plaintext */ "",
@@ -1081,8 +1079,9 @@ static void TestRFC8439AEAD(const std::string& hex_aad, const std::string& hex_k
     std::array<std::byte, 12> nonce_arr;
     memcpy(nonce_arr.data(), nonce.data(), 12);
     auto plaintext = ParseHex(hex_plaintext);
+    std::vector<Span<const std::byte>> ins{MakeByteSpan(plaintext)};
     std::vector<std::byte> output(plaintext.size() + POLY1305_TAGLEN, std::byte{0x00});
-    RFC8439Encrypt(MakeByteSpan(aad), MakeByteSpan(key), nonce_arr, MakeByteSpan(plaintext), output);
+    RFC8439Encrypt(MakeByteSpan(aad), MakeByteSpan(key), nonce_arr, ins, output);
 
     BOOST_CHECK_EQUAL(HexStr({output.data(), output.size() - POLY1305_TAGLEN}), hex_expected_ciphertext);
     BOOST_CHECK_EQUAL(HexStr({output.data() + output.size() - POLY1305_TAGLEN, POLY1305_TAGLEN}), hex_expected_auth_tag);

src/test/fuzz/crypto_rfc8439.cpp

@@ -30,8 +30,9 @@ FUZZ_TARGET(crypto_rfc8439)
     auto plaintext = fdp.ConsumeBytes<std::byte>(plaintext_len);
     plaintext.resize(plaintext_len);
 
+    std::vector<Span<const std::byte>> ins{plaintext};
     std::vector<std::byte> output(plaintext.size() + POLY1305_TAGLEN, std::byte{0x00});
-    RFC8439Encrypt(aad, key, nonce, plaintext, output);
+    RFC8439Encrypt(aad, key, nonce, ins, output);
 
     auto bit_flip_attack = !plaintext.empty() && fdp.ConsumeBool();
     if (bit_flip_attack) {