RFC8439 implementation and tests

Author: dhruv

src/Makefile.am

@@ -532,6 +532,8 @@ crypto_libbitcoin_crypto_base_la_SOURCES = \
   crypto/poly1305.cpp \
   crypto/muhash.h \
   crypto/muhash.cpp \
+  crypto/rfc8439.h \
+  crypto/rfc8439.cpp \
   crypto/ripemd160.cpp \
   crypto/ripemd160.h \
   crypto/sha1.cpp \

src/Makefile.bench.include

@@ -43,6 +43,7 @@ bench_bench_bitcoin_SOURCES = \
   bench/peer_eviction.cpp \
   bench/poly1305.cpp \
   bench/prevector.cpp \
+  bench/rfc8439.cpp \
   bench/rollingbloom.cpp \
   bench/rpc_blockchain.cpp \
   bench/rpc_mempool.cpp \

src/Makefile.test.include

@@ -259,6 +259,7 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/crypto_diff_fuzz_chacha20.cpp \
  test/fuzz/crypto_hkdf_hmac_sha256_l32.cpp \
  test/fuzz/crypto_poly1305.cpp \
+ test/fuzz/crypto_rfc8439.cpp \
  test/fuzz/cuckoocache.cpp \
  test/fuzz/decode_tx.cpp \
  test/fuzz/descriptor_parse.cpp \

src/bench/rfc8439.cpp

@@ -0,0 +1,76 @@
+// Copyright (c) 2022 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <assert.h>
+#include <bench/bench.h>
+#include <crypto/rfc8439.h>
+
+#include <array>
+#include <cstddef>
+#include <vector>
+
+static constexpr uint64_t AAD_SIZE = 32;
+static constexpr uint64_t PLAINTEXT_SIZE_TINY = 64;
+static constexpr uint64_t PLAINTEXT_SIZE_SMALL = 256;
+static constexpr uint64_t PLAINTEXT_SIZE_LARGE = 1024 * 1024;
+
+static std::vector<std::byte> zero_key(32, std::byte{0x00});
+static std::vector<std::byte> aad(AAD_SIZE, std::byte{0x00});
+std::array<std::byte, 12> nonce = {std::byte{0x00}, std::byte{0x01}, std::byte{0x02}, std::byte{0x03},
+                                   std::byte{0x04}, std::byte{0x05}, std::byte{0x06}, std::byte{0x07},
+                                   std::byte{0x08}, std::byte{0x09}, std::byte{0x0a}, std::byte{0x0b}};
+
+static void RFC8439_AEAD(benchmark::Bench& bench, size_t plaintext_size, bool include_decryption)
+{
+    std::vector<std::byte> plaintext_in(plaintext_size, std::byte{0x00});
+    std::vector<std::byte> output(plaintext_size + POLY1305_TAGLEN, std::byte{0x00});
+
+    bench.batch(plaintext_size).unit("byte").run([&] {
+        RFC8439Encrypt(aad, zero_key, nonce, plaintext_in, output);
+
+        if (include_decryption) {
+            std::vector<std::byte> decrypted_plaintext(plaintext_size);
+            auto authenticated = RFC8439Decrypt(aad, zero_key, nonce, output, decrypted_plaintext);
+            assert(authenticated);
+            assert(memcmp(decrypted_plaintext.data(), plaintext_in.data(), plaintext_in.size()) == 0);
+        }
+    });
+}
+
+static void RFC8439_AEAD_64BYTES_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+    RFC8439_AEAD(bench, PLAINTEXT_SIZE_TINY, false);
+}
+
+static void RFC8439_AEAD_256BYTES_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+    RFC8439_AEAD(bench, PLAINTEXT_SIZE_SMALL, false);
+}
+
+static void RFC8439_AEAD_1MB_ONLY_ENCRYPT(benchmark::Bench& bench)
+{
+    RFC8439_AEAD(bench, PLAINTEXT_SIZE_LARGE, false);
+}
+
+static void RFC8439_AEAD_64BYTES_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+    RFC8439_AEAD(bench, PLAINTEXT_SIZE_TINY, true);
+}
+
+static void RFC8439_AEAD_256BYTES_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+    RFC8439_AEAD(bench, PLAINTEXT_SIZE_SMALL, true);
+}
+
+static void RFC8439_AEAD_1MB_ENCRYPT_DECRYPT(benchmark::Bench& bench)
+{
+    RFC8439_AEAD(bench, PLAINTEXT_SIZE_LARGE, true);
+}
+
+BENCHMARK(RFC8439_AEAD_64BYTES_ONLY_ENCRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(RFC8439_AEAD_256BYTES_ONLY_ENCRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(RFC8439_AEAD_1MB_ONLY_ENCRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(RFC8439_AEAD_64BYTES_ENCRYPT_DECRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(RFC8439_AEAD_256BYTES_ENCRYPT_DECRYPT, benchmark::PriorityLevel::HIGH);
+BENCHMARK(RFC8439_AEAD_1MB_ENCRYPT_DECRYPT, benchmark::PriorityLevel::HIGH);

src/crypto/rfc8439.cpp

@@ -0,0 +1,103 @@
+// Copyright (c) 2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <crypto/rfc8439.h>
+
+#include <crypto/chacha20.h>
+#include <crypto/common.h>
+
+#include <cstring>
+
+#ifndef RFC8439_TIMINGSAFE_BCMP
+#define RFC8439_TIMINGSAFE_BCMP
+
+int rfc8439_timingsafe_bcmp(const unsigned char* b1, const unsigned char* b2, size_t n)
+{
+    const unsigned char *p1 = b1, *p2 = b2;
+    int ret = 0;
+
+    for (; n > 0; n--)
+        ret |= *p1++ ^ *p2++;
+    return (ret != 0);
+}
+
+#endif // RFC8439_TIMINGSAFE_BCMP
+
+inline size_t padded16_size(size_t len)
+{
+    return (len % 16 == 0) ? len : (len / 16 + 1) * 16;
+}
+
+void ComputeRFC8439Tag(const std::array<std::byte, POLY1305_KEYLEN>& polykey,
+                       Span<const std::byte> aad, Span<const std::byte> ciphertext,
+                       Span<std::byte> tag_out)
+{
+    assert(tag_out.size() == POLY1305_TAGLEN);
+    std::vector<std::byte> bytes_to_authenticate;
+    auto padded_aad_size = padded16_size(aad.size());
+    auto padded_ciphertext_size = padded16_size(ciphertext.size());
+    bytes_to_authenticate.resize(padded_aad_size + padded_ciphertext_size + 16, std::byte{0x00});
+    std::copy(aad.begin(), aad.end(), bytes_to_authenticate.begin());
+    std::copy(ciphertext.begin(), ciphertext.end(), bytes_to_authenticate.begin() + padded_aad_size);
+    WriteLE64(reinterpret_cast<unsigned char*>(bytes_to_authenticate.data()) + padded_aad_size + padded_ciphertext_size, aad.size());
+    WriteLE64(reinterpret_cast<unsigned char*>(bytes_to_authenticate.data()) + padded_aad_size + padded_ciphertext_size + 8, ciphertext.size());
+
+    poly1305_auth(reinterpret_cast<unsigned char*>(tag_out.data()),
+                  reinterpret_cast<const unsigned char*>(bytes_to_authenticate.data()),
+                  bytes_to_authenticate.size(),
+                  reinterpret_cast<const unsigned char*>(polykey.data()));
+}
+
+std::array<std::byte, POLY1305_KEYLEN> GetPoly1305Key(ChaCha20& c20)
+{
+    c20.SeekRFC8439(0);
+    std::array<std::byte, POLY1305_KEYLEN> polykey;
+    c20.Keystream(reinterpret_cast<unsigned char*>(polykey.data()), POLY1305_KEYLEN);
+    return polykey;
+}
+
+void RFC8439Crypt(ChaCha20& c20, const Span<const std::byte> in_bytes, Span<std::byte> out_bytes)
+{
+    assert(in_bytes.size() <= out_bytes.size());
+    c20.SeekRFC8439(1);
+    c20.Crypt(reinterpret_cast<const unsigned char*>(in_bytes.data()), reinterpret_cast<unsigned char*>(out_bytes.data()), in_bytes.size());
+}
+
+void RFC8439Encrypt(const Span<const std::byte> aad, const Span<const std::byte> key, const std::array<std::byte, 12>& nonce, const Span<const std::byte> plaintext, Span<std::byte> output)
+{
+    assert(key.size() == RFC8439_KEYLEN);
+    assert(output.size() >= plaintext.size() + POLY1305_TAGLEN);
+
+    ChaCha20 c20{reinterpret_cast<const unsigned char*>(key.data())};
+    c20.SetRFC8439Nonce(nonce);
+
+    std::array<std::byte, POLY1305_KEYLEN> polykey{GetPoly1305Key(c20)};
+
+    RFC8439Crypt(c20, plaintext, output);
+    ComputeRFC8439Tag(polykey, aad,
+                      {output.data(), plaintext.size()},
+                      {output.data() + plaintext.size(), POLY1305_TAGLEN});
+}
+
+bool RFC8439Decrypt(const Span<const std::byte> aad, const Span<const std::byte> key, const std::array<std::byte, 12>& nonce, const Span<const std::byte> input, Span<std::byte> plaintext)
+{
+    assert(key.size() == RFC8439_KEYLEN);
+    assert(plaintext.size() >= input.size() - POLY1305_TAGLEN);
+
+    ChaCha20 c20{reinterpret_cast<const unsigned char*>(key.data())};
+    c20.SetRFC8439Nonce(nonce);
+
+    std::array<std::byte, POLY1305_KEYLEN> polykey{GetPoly1305Key(c20)};
+    std::array<std::byte, POLY1305_TAGLEN> tag;
+
+    ComputeRFC8439Tag(polykey, aad, {input.data(), input.size() - POLY1305_TAGLEN}, tag);
+
+    if (rfc8439_timingsafe_bcmp(reinterpret_cast<const unsigned char*>(input.data() + input.size() - POLY1305_TAGLEN),
+                                reinterpret_cast<const unsigned char*>(tag.data()), POLY1305_TAGLEN) != 0) {
+        return false;
+    }
+
+    RFC8439Crypt(c20, {input.data(), input.size() - POLY1305_TAGLEN}, plaintext);
+    return true;
+}

src/crypto/rfc8439.h

@@ -0,0 +1,21 @@
+// Copyright (c) 2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#ifndef BITCOIN_CRYPTO_RFC8439_H
+#define BITCOIN_CRYPTO_RFC8439_H
+
+#include <crypto/poly1305.h>
+#include <span.h>
+
+#include <array>
+#include <cstddef>
+#include <vector>
+
+constexpr static size_t RFC8439_KEYLEN = 32;
+
+void RFC8439Encrypt(const Span<const std::byte> aad, const Span<const std::byte> key, const std::array<std::byte, 12>& nonce, const Span<const std::byte> plaintext, Span<std::byte> output);
+
+// returns false if authentication fails
+bool RFC8439Decrypt(const Span<const std::byte> aad, const Span<const std::byte> key, const std::array<std::byte, 12>& nonce, const Span<const std::byte> input, Span<std::byte> plaintext);
+#endif // BITCOIN_CRYPTO_RFC8439_H

src/test/crypto_tests.cpp

@@ -8,14 +8,16 @@
 #include <crypto/hkdf_sha256_32.h>
 #include <crypto/hmac_sha256.h>
 #include <crypto/hmac_sha512.h>
+#include <crypto/muhash.h>
 #include <crypto/poly1305.h>
+#include <crypto/rfc8439.h>
 #include <crypto/ripemd160.h>
 #include <crypto/sha1.h>
 #include <crypto/sha256.h>
 #include <crypto/sha3.h>
 #include <crypto/sha512.h>
-#include <crypto/muhash.h>
 #include <random.h>
+#include <span.h>
 #include <streams.h>
 #include <test/util/setup_common.h>
 #include <util/strencodings.h>
@@ -1123,4 +1125,42 @@ BOOST_AUTO_TEST_CASE(muhash_tests)
     BOOST_CHECK_EQUAL(HexStr(out4), "3a31e6903aff0de9f62f9a9f7f8b861de76ce2cda09822b90014319ae5dc2271");
 }
 
+static void TestRFC8439AEAD(const std::string& hex_aad, const std::string& hex_key, const std::string& hex_nonce, const std::string& hex_plaintext, const std::string& hex_expected_ciphertext, const std::string& hex_expected_auth_tag)
+{
+    auto aad = ParseHex(hex_aad);
+    auto key = ParseHex(hex_key);
+    auto nonce = ParseHex(hex_nonce);
+    std::array<std::byte, 12> nonce_arr;
+    memcpy(nonce_arr.data(), nonce.data(), 12);
+    auto plaintext = ParseHex(hex_plaintext);
+    std::vector<std::byte> output(plaintext.size() + POLY1305_TAGLEN, std::byte{0x00});
+    RFC8439Encrypt(MakeByteSpan(aad), MakeByteSpan(key), nonce_arr, MakeByteSpan(plaintext), output);
+
+    BOOST_CHECK_EQUAL(HexStr({output.data(), output.size() - POLY1305_TAGLEN}), hex_expected_ciphertext);
+    BOOST_CHECK_EQUAL(HexStr({output.data() + output.size() - POLY1305_TAGLEN, POLY1305_TAGLEN}), hex_expected_auth_tag);
+
+    std::vector<std::byte> decrypted_plaintext(plaintext.size(), std::byte{0x00});
+    auto authenticated = RFC8439Decrypt(MakeByteSpan(aad), MakeByteSpan(key), nonce_arr, output, decrypted_plaintext);
+    BOOST_CHECK(authenticated);
+    BOOST_CHECK_EQUAL(0, memcmp(decrypted_plaintext.data(), plaintext.data(), plaintext.size()));
+}
+
+BOOST_AUTO_TEST_CASE(rfc8439_tests)
+{
+    // Test vector from https://datatracker.ietf.org/doc/html/rfc8439#section-2.8.2
+    TestRFC8439AEAD("50515253c0c1c2c3c4c5c6c7",
+                    "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+                    "070000004041424344454647",
+                    "4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e",
+                    "d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116",
+                    "1ae10b594f09e26a7e902ecbd0600691");
+
+    // Test vector from https://datatracker.ietf.org/doc/html/rfc8439#appendix-A.5
+    TestRFC8439AEAD("f33388860000000000004e91",
+                    "1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0",
+                    "000000000102030405060708",
+                    "496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d",
+                    "64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b",
+                    "eead9d67890cbb22392336fea1851f38");
+}
 BOOST_AUTO_TEST_SUITE_END()

src/test/fuzz/crypto_rfc8439.cpp

@@ -0,0 +1,51 @@
+// Copyright (c) 2022 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <crypto/rfc8439.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cstddef>
+#include <vector>
+
+FUZZ_TARGET(crypto_rfc8439)
+{
+    FuzzedDataProvider fdp{buffer.data(), buffer.size()};
+    auto aad_len = fdp.ConsumeIntegralInRange(0, 1023);
+    auto aad = fdp.ConsumeBytes<std::byte>(aad_len);
+    aad.resize(aad_len);
+
+    auto key = fdp.ConsumeBytes<std::byte>(RFC8439_KEYLEN);
+    key.resize(RFC8439_KEYLEN);
+
+    auto nonce_vec = fdp.ConsumeBytes<std::byte>(12);
+    nonce_vec.resize(12);
+    std::array<std::byte, 12> nonce;
+    memcpy(nonce.data(), nonce_vec.data(), 12);
+
+    auto plaintext_len = fdp.ConsumeIntegralInRange(0, 4095);
+    auto plaintext = fdp.ConsumeBytes<std::byte>(plaintext_len);
+    plaintext.resize(plaintext_len);
+
+    std::vector<std::byte> output(plaintext.size() + POLY1305_TAGLEN, std::byte{0x00});
+    RFC8439Encrypt(aad, key, nonce, plaintext, output);
+
+    auto bit_flip_attack = !plaintext.empty() && fdp.ConsumeBool();
+    if (bit_flip_attack) {
+        auto byte_to_flip = fdp.ConsumeIntegralInRange(0, static_cast<int>(output.size() - POLY1305_TAGLEN - 1));
+        output[byte_to_flip] = output[byte_to_flip] ^ std::byte{0xFF};
+    }
+
+    std::vector<std::byte> decrypted_plaintext(plaintext.size(), std::byte{0x00});
+    auto authenticated = RFC8439Decrypt(aad, key, nonce, output, decrypted_plaintext);
+    if (bit_flip_attack) {
+        assert(!authenticated);
+    } else {
+        assert(authenticated);
+        if (!plaintext.empty()) {
+            assert(memcmp(decrypted_plaintext.data(), plaintext.data(), plaintext.size()) == 0);
+        }
+    }
+}