We had 6 functions. Now we only have 3.
While the basic variants are a bit more convenient to use, I don't
expect users will be using them frequently enough for it to matter. But
having 6 functions to chose from instead of 3 is in my opinion a
non-negligible cost.
Then there's HChacha20, the odd one out. While we're here breaking the
API left and right, I figured I needed a stable naming scheme for
everything. And I think each function should be named
crypto_<cluster>_<function_name>(), with relatively few clusters. And
HChacha20 quite clearly belong to the "chacha20" cluster, even though
it's sometimes used as kind of a hash (for the extended nonce DJB only
relies on its properties as a bastardised stream cipher).
And while we're speaking clusters, I'm considering having one man page
per cluster, with no regards towards whether a function is "advanced" or
not. In practice this would mean:
- Bundling HChacha20 and Chacha20 functions in the same man page. This
would help highlight how they're related.
- Bundling low-level EdDSA building blocks with the high-level
construction. We can always push the advanced stuff down the man
page, but the main point here is to make it easier to find. Oh and
we'd perhaps add the conversion to X25519 as well.
- Bundling dirty X25519 function together with the clean one. And
perhaps the conversion to EdDSA too.
- The Elligator functions are already documented together, but I think
they deserve their dedicated prefix. Like, "crypto_elligator_".
However we go about it, I'd like to strive towards a more systematic way
of documenting things, to the point of enabling some automatic checks as
hinted in #250.
.\"
.\" ----------------------------------------------------------------------------
.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
+.\" Copyright (c) 2017-2019, 2023 Loup Vaillant
.\" Copyright (c) 2018 Michael Savage
.\" Copyright (c) 2017, 2019-2021 Fabio Scotoni
.\" All rights reserved.
.\"
.\" ----------------------------------------------------------------------------
.\"
-.\" Written in 2017-2021 by Loup Vaillant, Michael Savage and Fabio Scotoni
+.\" Written in 2017-2023 by Loup Vaillant, Michael Savage and Fabio Scotoni
.\"
.\" To the extent possible under law, the author(s) have dedicated all copyright
.\" and related neighboring rights to this software to the public domain
.\" with this software. If not, see
.\" <https://creativecommons.org/publicdomain/zero/1.0/>
.\"
-.Dd June 11, 2021
+.Dd January 8, 2023
.Dt CRYPTO_CHACHA20 3MONOCYPHER
.Os
.Sh NAME
.Nm crypto_chacha20 ,
-.Nm crypto_chacha20_ctr ,
.Nm crypto_xchacha20 ,
-.Nm crypto_xchacha20_ctr
+.Nm crypto_ietf_chacha20
.Nd ChaCha20 and XChaCha20 encryption functions
.Sh SYNOPSIS
.In monocypher.h
-.Ft void
+.Ft uint64_t
.Fo crypto_chacha20
.Fa "uint8_t *cipher_text"
.Fa "const uint8_t *plain_text"
.Fa "size_t text_size"
.Fa "const uint8_t key[32]"
.Fa "const uint8_t nonce[8]"
+.Fa "uint64_t ctr"
.Fc
-.Ft void
-.Fo crypto_xchacha20
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fc
-.Ft uint64_t
-.Fo crypto_chacha20_ctr
+.Ft uint32_t
+.Fo crypto_ietf_chacha20
.Fa "uint8_t *cipher_text"
.Fa "const uint8_t *plain_text"
.Fa "size_t text_size"
.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[8]"
-.Fa "uint64_t ctr"
+.Fa "const uint8_t nonce[12]"
+.Fa "uint32_t ctr"
.Fc
.Ft uint64_t
-.Fo crypto_xchacha20_ctr
+.Fo crypto_xchacha20
.Fa "uint8_t *cipher_text"
.Fa "const uint8_t *plain_text"
.Fa "size_t text_size"
.It Fa key
A 32-byte secret key.
.It Fa nonce
-An 8-byte or 24-byte number, used only once with any given key.
+An 8-byte, 12-byte, or 24-byte number used only once with any given key.
It does not need to be secret or random, but it does have to be unique.
Repeating a nonce with the same key reveals the XOR of two different
messages, which allows decryption.
24-byte nonces can be selected at random.
-8-byte nonces
+8-byte and 12-byte nonces
.Em cannot
because they are too small and the same nonce may be selected twice by
accident.
.Fa cipher_text ,
in bytes.
.It Fa ctr
-The number of 64-byte blocks since the beginning of the stream.
+The number of 64-byte blocks we skip from the beginning of the stream.
+This can be used to encrypt (or decrypt) part of a long message or to
+implement some AEAD constructions such as the one described in RFC
+8439.
+Should be zero by default.
+When using this, be careful not to accidentally reuse parts of the
+random stream as that would destroy confidentiality.
+The return value can help here.
.El
.Pp
The
must either be the same buffer (for in-place encryption) or
non-overlapping.
.Pp
-.Fn crypto_chacha20
-performs a ChaCha20 operation.
-It uses an 8-byte nonce, which is too small to be selected at random.
-Use a message counter as a nonce instead.
-.Pp
+.Fn crypto_chacha20 ,
+.Fn crypto_ietf_chacha20 ,
+and
.Fn crypto_xchacha20
-performs an XChaCha20 operation.
-It uses a 24-byte nonce, which is large enough to be selected at random.
+perform a ChaCha20 operation.
+Their main difference is the size of their nonce and counter.
+.Fn crypto_ietf_chacha20
+in particular implements RFC 8439,
+and is provided strictly for compatibility with existing systems or
+standards compliance.
.Pp
.Fn crypto_xchacha20
-is recommended over
-.Fn crypto_chacha20 .
-The ability to use random nonces makes it easier to use securely, and
-the performance hit is often negligible in practice.
+Is the only function that uses a nonce long enough to be random.
+This makes it easier to use securely,
+and the performance hit of the extended nonce is often negligible in
+practice.
+Use it instead of
+.Fn crypto_chacha20
+and
+.Fn crypto_ietf_chacha20
+if possible.
.Pp
The
-.Fn crypto_chacha20
+.Fn crypto_chacha20 ,
+.Fn crypto_ietf_chacha20 ,
and
.Fn crypto_xchacha20
encrypt
be used to generate large amounts of random-looking data quickly
\(en for example to generate padding.
.Pp
-The
-.Fn crypto_chacha20_ctr
-and
-.Fn crypto_xchacha20_ctr
-perform ChaCha20 or XChaCha20 encryption,
-starting the stream at the block
-.Fa ctr
-(which is the byte
-.Ql ctr \(mu 64 ) .
-This can be used to encrypt (or decrypt) part of a long message or to
-implement some AEAD constructions such as the one described in RFC
-8439.
-When using this, be careful not to accidentally reuse parts of the
-random stream as that would destroy confidentiality.
.Sh RETURN VALUES
-.Fn crypto_chacha20
+.Fn crypto_chacha20 ,
+.Fn crypto_ietf_chacha20 ,
and
.Fn crypto_xchacha20
-return nothing.
-.Fn crypto_chacha20_ctr
-and
-.Fn crypto_xchacha20_ctr
-functions return the next
+return the next
.Fa ctr
to use with the same key and nonce values;
-this is always
+this is the previous
+.Fa ctr ,
+plus
.Fa text_size
-divided by 64,
-plus one if there was a remainder.
+divided by 64 (rounded up).
.Sh EXAMPLES
The following examples assume the existence of
.Fn arc4random_buf ,
uint8_t cipher_text[500]; /* Encrypted message */
arc4random_buf(key, 32);
arc4random_buf(nonce, 24);
-crypto_xchacha20(cipher_text, plain_text, 500, key, nonce);
+crypto_xchacha20(cipher_text, plain_text, 500, key, nonce, 0);
/* Wipe secrets if they are no longer needed */
crypto_wipe(key, 32);
crypto_wipe(plain_text, 500);
const uint8_t nonce [ 24]; /* Same nonce as above */
uint8_t plain_text [500]; /* Message to decrypt */
uint8_t cipher_text[500]; /* Secret message */
-crypto_xchacha20(cipher_text, plain_text, 500, key, nonce);
+crypto_xchacha20(cipher_text, plain_text, 500, key, nonce, 0);
/* Wipe secrets if they are no longer needed */
crypto_wipe(key, 32);
/* The plaintext likely needs to be processed before you wipe it */
arc4random_buf(key, 32);
arc4random_buf(nonce, 24);
for(i = 0; i < 500; i += 64) {
- ctr = crypto_xchacha20_ctr(cipher_text+i, plain_text+i, 64,
- key, nonce, ctr);
+ ctr = crypto_xchacha20(cipher_text+i, plain_text+i, 64,
+ key, nonce, ctr);
}
/* Process data that didn't fit into 64-byte pieces */
-crypto_xchacha20_ctr(cipher_text+500-(i-64),
- plain_text+500-(i-64),
- 500-(i-64),
- key, nonce, ctr);
+crypto_xchacha20(cipher_text+500-(i-64),
+ plain_text+500-(i-64),
+ 500-(i-64),
+ key, nonce, ctr);
/* Wipe secrets if they are no longer needed */
crypto_wipe(key, 32);
crypto_wipe(plain_text, 500);
.Ed
.Pp
Encryption by jumping around (do not do this, this is only meant to show
-how
-.Fn crypto_xchacha20_ctr
-works):
+how the counter works):
.Bd -literal -offset indent
uint8_t key [ 32]; /* Secret random key */
uint8_t nonce [ 24]; /* Unique nonce (possibly random) */
arc4random_buf(key, 32);
arc4random_buf(nonce, 24);
/* Encrypt the second part of the message first... */
-crypto_xchacha20_ctr(cipher_text + (3 * 64),
- plain_text + (3 * 64),
- 500 - (3 * 64),
- key, nonce, 3);
+crypto_xchacha20(cipher_text + (3 * 64),
+ plain_text + (3 * 64),
+ 500 - (3 * 64),
+ key, nonce, 3);
/* ...then encrypt the first part */
-crypto_xchacha20_ctr(cipher_text, plain_text, 3 * 64, key, nonce, 0);
+crypto_xchacha20(cipher_text, plain_text, 3 * 64, key, nonce, 0);
/* Wipe secrets if they are no longer needed */
crypto_wipe(key, 32);
crypto_wipe(plain_text, 500);
.Sh HISTORY
.Fn crypto_chacha20 ,
.Fn crypto_chacha20_ctr ,
+.Fn crypto_ietf_chacha20 ,
+.Fn crypto_ietf_chacha20_ctr ,
.Fn crypto_xchacha20 ,
and
.Fn crypto_xchacha20_ctr
and
.Fn crypto_chacha20_set_ctr
that were deprecated in Monocypher 3.0.0.
+In Monocypher 4.0.0, only the ctr variants have been kept,
+and were renamed
+.Fn crypto_chacha20 ,
+.Fn crypto_ietf_chacha20 ,
+and
+.Fn crypto_xchacha20
+respectively.
.Sh SECURITY CONSIDERATIONS
-.Ss Encrypted does not mean secure
+.Ss Encrypted does not mean secure .
ChaCha20 only protects against eavesdropping, not forgeries.
Most applications need protection against forgeries to be properly
secure.
+++ /dev/null
-crypto_hchacha20.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_chacha20.3monocypher
\ No newline at end of file
.\"
.\" ----------------------------------------------------------------------------
.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
+.\" Copyright (c) 2017-2019, 2023 Loup Vaillant
.\" Copyright (c) 2017-2018 Michael Savage
.\" Copyright (c) 2019-2022 Fabio Scotoni
.\" All rights reserved.
.\"
.\" ----------------------------------------------------------------------------
.\"
-.\" Written in 2017-2022 by Loup Vaillant, Michael Savage and Fabio Scotoni
+.\" Written in 2017-2023 by Loup Vaillant, Michael Savage and Fabio Scotoni
.\"
.\" To the extent possible under law, the author(s) have dedicated all copyright
.\" and related neighboring rights to this software to the public domain
.\" with this software. If not, see
.\" <https://creativecommons.org/publicdomain/zero/1.0/>
.\"
-.Dd February 13, 2022
-.Dt CRYPTO_HCHACHA20 3MONOCYPHER
+.Dd January 9, 2023
+.Dt CRYPTO_CHACHA20_H 3MONOCYPHER
.Os
.Sh NAME
-.Nm crypto_hchacha20
+.Nm crypto_chacha20_h
.Nd HChaCha20 special-purpose hashing
.Sh SYNOPSIS
.In monocypher.h
.Ft void
-.Fo crypto_hchacha20
+.Fo crypto_chacha20_h
.Fa "uint8_t out[32]"
.Fa "const uint8_t key[32]"
.Fa "const uint8_t in[16]"
.Fc
.Sh DESCRIPTION
-.Fn crypto_hchacha20
+.Fn crypto_chacha20_h
provides a not-so-cryptographic hash.
It may be used for some specific purposes such as X25519 key
derivation or XChaCha20 initialisation.
uint8_t in [16]; /* Does not have to be random */
uint8_t out[32]; /* Will be random iff the above holds */
arc4random_buf(key, 32);
-crypto_hchacha20(out, key, in);
+crypto_chacha20_h(out, key, in);
/* Wipe secrets if they are no longer needed */
crypto_wipe(key, 32);
crypto_wipe(in , 16);
Salsa20.
.Sh HISTORY
The
-.Fn crypto_hchacha20
+.Fn crypto_chacha20_h
function first appeared in Monocypher 0.1 as
.Fn crypto_chacha20_H .
It was renamed to
.Fn crypto_hchacha20
-in Monocypher 3.0.0.
+in Monocypher 3.0.0, then
+.Fn crypto_chacha20_h
+in Monocypher 4.0.0.
.Sh CAVEATS
.Sy This is not a general-purpose cryptographic hash function .
+++ /dev/null
-crypto_chacha20.3monocypher
\ No newline at end of file
static const u8 *chacha20_constant = (const u8*)"expand 32-byte k"; // 16 bytes
-void crypto_hchacha20(u8 out[32], const u8 key[32], const u8 in [16])
+void crypto_chacha20_h(u8 out[32], const u8 key[32], const u8 in [16])
{
u32 block[16];
load32_le_buf(block , chacha20_constant, 4);
WIPE_BUFFER(block);
}
-u64 crypto_chacha20_ctr(u8 *cipher_text, const u8 *plain_text,
+u64 crypto_chacha20_djb(u8 *cipher_text, const u8 *plain_text,
size_t text_size, const u8 key[32], const u8 nonce[8],
u64 ctr)
{
return ctr;
}
-u32 crypto_ietf_chacha20_ctr(u8 *cipher_text, const u8 *plain_text,
- size_t text_size,
- const u8 key[32], const u8 nonce[12], u32 ctr)
+u32 crypto_chacha20_ietf(u8 *cipher_text, const u8 *plain_text,
+ size_t text_size,
+ const u8 key[32], const u8 nonce[12], u32 ctr)
{
u64 big_ctr = ctr + ((u64)load32_le(nonce) << 32);
- return (u32)crypto_chacha20_ctr(cipher_text, plain_text, text_size,
+ return (u32)crypto_chacha20_djb(cipher_text, plain_text, text_size,
key, nonce + 4, big_ctr);
}
-u64 crypto_xchacha20_ctr(u8 *cipher_text, const u8 *plain_text,
- size_t text_size,
- const u8 key[32], const u8 nonce[24], u64 ctr)
+u64 crypto_chacha20_x(u8 *cipher_text, const u8 *plain_text,
+ size_t text_size,
+ const u8 key[32], const u8 nonce[24], u64 ctr)
{
u8 sub_key[32];
- crypto_hchacha20(sub_key, key, nonce);
- ctr = crypto_chacha20_ctr(cipher_text, plain_text, text_size,
- sub_key, nonce+16, ctr);
+ crypto_chacha20_h(sub_key, key, nonce);
+ ctr = crypto_chacha20_djb(cipher_text, plain_text, text_size,
+ sub_key, nonce + 16, ctr);
WIPE_BUFFER(sub_key);
return ctr;
}
-void crypto_chacha20(u8 *cipher_text, const u8 *plain_text, size_t text_size,
- const u8 key[32], const u8 nonce[8])
-{
- crypto_chacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0);
-
-}
-void crypto_ietf_chacha20(u8 *cipher_text, const u8 *plain_text,
- size_t text_size,
- const u8 key[32], const u8 nonce[12])
-{
- crypto_ietf_chacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0);
-}
-
-void crypto_xchacha20(u8 *cipher_text, const u8 *plain_text, size_t text_size,
- const u8 key[32], const u8 nonce[24])
-{
- crypto_xchacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0);
-}
-
/////////////////
/// Poly 1305 ///
/////////////////
u8 buf[64]; // seed + representative
COPY(buf + 32, seed, 32);
do {
- crypto_chacha20(buf, 0, 64, buf+32, zero);
+ crypto_chacha20_djb(buf, 0, 64, buf+32, zero, 0);
crypto_x25519_dirty_fast(pk, buf); // or the "small" version
} while(crypto_curve_to_hidden(buf+32, pk, buf[32]));
// Note that the return value of crypto_curve_to_hidden() is
{
u8 sub_key[32];
u8 auth_key[64]; // "Wasting" the whole Chacha block is faster
- crypto_hchacha20(sub_key, key, nonce);
- crypto_chacha20(auth_key, 0, 64, sub_key, nonce + 16);
- crypto_chacha20_ctr(cipher_text, plain_text, text_size,
+ crypto_chacha20_h(sub_key, key, nonce);
+ crypto_chacha20_djb(auth_key, 0, 64, sub_key, nonce + 16, 0);
+ crypto_chacha20_djb(cipher_text, plain_text, text_size,
sub_key, nonce + 16, 1);
lock_auth(mac, auth_key, ad, ad_size, cipher_text, text_size);
WIPE_BUFFER(sub_key);
{
u8 sub_key[32];
u8 auth_key[64]; // "Wasting" the whole Chacha block is faster
- crypto_hchacha20(sub_key, key, nonce);
- crypto_chacha20(auth_key, 0, 64, sub_key, nonce + 16);
+ crypto_chacha20_h(sub_key, key, nonce);
+ crypto_chacha20_djb(auth_key, 0, 64, sub_key, nonce + 16, 0);
u8 real_mac[16];
lock_auth(real_mac, auth_key, ad, ad_size, cipher_text, text_size);
WIPE_BUFFER(auth_key);
int mismatch = crypto_verify16(mac, real_mac);
if (!mismatch) {
- crypto_chacha20_ctr(plain_text, cipher_text, text_size,
+ crypto_chacha20_djb(plain_text, cipher_text, text_size,
sub_key, nonce + 16, 1);
}
WIPE_BUFFER(sub_key);
// Specialised hash.
// Used to hash X25519 shared secrets.
-void crypto_hchacha20(uint8_t out[32],
- const uint8_t key[32],
- const uint8_t in [16]);
+void crypto_chacha20_h(uint8_t out[32],
+ const uint8_t key[32],
+ const uint8_t in [16]);
// Unauthenticated stream cipher.
// Don't forget to add authentication.
-void crypto_chacha20(uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size,
- const uint8_t key[32],
- const uint8_t nonce[8]);
-void crypto_xchacha20(uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size,
- const uint8_t key[32],
- const uint8_t nonce[24]);
-void crypto_ietf_chacha20(uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size,
- const uint8_t key[32],
- const uint8_t nonce[12]);
-uint64_t crypto_chacha20_ctr(uint8_t *cipher_text,
+uint64_t crypto_chacha20_djb(uint8_t *cipher_text,
const uint8_t *plain_text,
size_t text_size,
const uint8_t key[32],
const uint8_t nonce[8],
uint64_t ctr);
-uint64_t crypto_xchacha20_ctr(uint8_t *cipher_text,
+uint32_t crypto_chacha20_ietf(uint8_t *cipher_text,
const uint8_t *plain_text,
size_t text_size,
const uint8_t key[32],
- const uint8_t nonce[24],
- uint64_t ctr);
-uint32_t crypto_ietf_chacha20_ctr(uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size,
- const uint8_t key[32],
- const uint8_t nonce[12],
- uint32_t ctr);
+ const uint8_t nonce[12],
+ uint32_t ctr);
+uint64_t crypto_chacha20_x(uint8_t *cipher_text,
+ const uint8_t *plain_text,
+ size_t text_size,
+ const uint8_t key[32],
+ const uint8_t nonce[24],
+ uint64_t ctr);
// Poly 1305
RANDOM_INPUT(nonce, 8);
TIMING_START {
- crypto_chacha20(out, in, SIZE, key, nonce);
+ crypto_chacha20_djb(out, in, SIZE, key, nonce, 0);
}
TIMING_END;
}
u64 ctr = load64_le(next_input(reader).buf);
vector out = next_output(reader);
u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0);
- u64 new_ctr = crypto_chacha20_ctr(out.buf, plain.buf, plain.size,
+ u64 new_ctr = crypto_chacha20_djb(out.buf, plain.buf, plain.size,
key.buf, nonce.buf, ctr);
ASSERT(new_ctr - ctr == nb_blocks);
}
u32 ctr = load32_le(next_input(reader).buf);
vector out = next_output(reader);
u32 nb_blocks = (u32)(plain.size / 64 + (plain.size % 64 != 0));
- u32 new_ctr = crypto_ietf_chacha20_ctr(out.buf, plain.buf, plain.size,
- key.buf, nonce.buf, ctr);
+ u32 new_ctr = crypto_chacha20_ietf(out.buf, plain.buf, plain.size,
+ key.buf, nonce.buf, ctr);
ASSERT(new_ctr - ctr == nb_blocks);
}
u64 ctr = load64_le(next_input(reader).buf);
vector out = next_output(reader);
u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0);
- u64 new_ctr = crypto_xchacha20_ctr(out.buf, plain.buf, plain.size,
- key.buf, nonce.buf, ctr);
+ u64 new_ctr = crypto_chacha20_x(out.buf, plain.buf, plain.size,
+ key.buf, nonce.buf, ctr);
ASSERT(new_ctr - ctr == nb_blocks);
}
vector key = next_input(reader);
vector nonce = next_input(reader);
vector out = next_output(reader);
- crypto_hchacha20(out.buf, key.buf, nonce.buf);
+ crypto_chacha20_h(out.buf, key.buf, nonce.buf);
}
static void test_chacha20()
u8 out_full[128];
u8 out1 [64];
u8 out2 [64];
- crypto_chacha20 (out_full, plain , 128, key, nonce);
- crypto_chacha20_ctr(out1 , plain + 0, 64, key, nonce, 0);
- crypto_chacha20_ctr(out2 , plain + 64, 64, key, nonce, 1);
+ crypto_chacha20_djb(out_full, plain , 128, key, nonce, 0);
+ crypto_chacha20_djb(out1 , plain + 0, 64, key, nonce, 0);
+ crypto_chacha20_djb(out2 , plain + 64, 64, key, nonce, 1);
ASSERT_EQUAL(out_full , out1, 64);
ASSERT_EQUAL(out_full + 64, out2, 64);
}
u8 zeroes [INPUT_SIZE] = {0};
RANDOM_INPUT(key , 32);
RANDOM_INPUT(nonce, 8);
- crypto_chacha20(output_normal, zeroes, i, key, nonce);
- crypto_chacha20(output_stream, 0 , i, key, nonce);
+ crypto_chacha20_djb(output_normal, zeroes, i, key, nonce, 0);
+ crypto_chacha20_djb(output_stream, 0 , i, key, nonce, 0);
ASSERT_EQUAL(output_normal, output_stream, i);
}
RANDOM_INPUT(input, INPUT_SIZE);
RANDOM_INPUT(key , 32);
RANDOM_INPUT(nonce, 8);
- crypto_chacha20(output, input, INPUT_SIZE, key, nonce);
- crypto_chacha20(input , input, INPUT_SIZE, key, nonce);
+ crypto_chacha20_djb(output, input, INPUT_SIZE, key, nonce, 0);
+ crypto_chacha20_djb(input , input, INPUT_SIZE, key, nonce, 0);
ASSERT_EQUAL(output, input, INPUT_SIZE);
}
u8 out_full[128];
u8 out1 [64];
u8 out2 [64];
- crypto_ietf_chacha20 (out_full, plain , 128, key, nonce);
- crypto_ietf_chacha20_ctr(out1 , plain + 0, 64, key, nonce, 0);
- crypto_ietf_chacha20_ctr(out2 , plain + 64, 64, key, nonce, 1);
+ crypto_chacha20_ietf(out_full, plain , 128, key, nonce, 0);
+ crypto_chacha20_ietf(out1 , plain + 0, 64, key, nonce, 0);
+ crypto_chacha20_ietf(out2 , plain + 64, 64, key, nonce, 1);
ASSERT_EQUAL(out_full , out1, 64);
ASSERT_EQUAL(out_full + 64, out2, 64);
}
u8 out_full[128];
u8 out1 [64];
u8 out2 [64];
- crypto_xchacha20 (out_full, plain , 128, key, nonce);
- crypto_xchacha20_ctr(out1 , plain + 0, 64, key, nonce, 0);
- crypto_xchacha20_ctr(out2 , plain + 64, 64, key, nonce, 1);
+ crypto_chacha20_x(out_full, plain , 128, key, nonce, 0);
+ crypto_chacha20_x(out1 , plain + 0, 64, key, nonce, 0);
+ crypto_chacha20_x(out2 , plain + 64, 64, key, nonce, 1);
ASSERT_EQUAL(out_full , out1, 64);
ASSERT_EQUAL(out_full + 64, out2, 64);
}
// Run with and without overlap, then compare
u8 out[32];
- crypto_hchacha20(out, key, in);
- crypto_hchacha20(buffer + out_idx, buffer + key_idx, buffer + in_idx);
+ crypto_chacha20_h(out, key, in);
+ crypto_chacha20_h(buffer + out_idx, buffer + key_idx, buffer + in_idx);
ASSERT_EQUAL(out, buffer + out_idx, 32);
}
}
u64 ctr = load64_le(next_input(reader).buf);
vector out = next_output(reader);
u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0);
- u64 new_ctr = crypto_chacha20_ctr(out.buf, plain.buf, plain.size,
+ u64 new_ctr = crypto_chacha20_djb(out.buf, plain.buf, plain.size,
key.buf, nonce.buf, ctr);
if (new_ctr - ctr != nb_blocks) {
printf("FAILURE: Chacha20 returned counter not correct: ");
u64 ctr = load64_le(next_input(reader).buf);
vector out = next_output(reader);
u32 nb_blocks = (u32)(plain.size / 64 + (plain.size % 64 != 0));
- u32 new_ctr = crypto_ietf_chacha20_ctr(out.buf, plain.buf, plain.size,
- key.buf, nonce.buf, ctr);
+ u32 new_ctr = crypto_chacha20_ietf(out.buf, plain.buf, plain.size,
+ key.buf, nonce.buf, ctr);
if (new_ctr - ctr != nb_blocks) {
printf("FAILURE: IETF Chacha20 returned counter not correct: ");
}
vector key = next_input(reader);
vector nonce = next_input(reader);
vector out = next_output(reader);
- crypto_hchacha20(out.buf, key.buf, nonce.buf);
+ crypto_chacha20_h(out.buf, key.buf, nonce.buf);
}
static void xchacha20(vector_reader *reader)
u64 ctr = load64_le(next_input(reader).buf);
vector out = next_output(reader);
u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0);
- u64 new_ctr = crypto_xchacha20_ctr(out.buf, plain.buf, plain.size,
- key.buf, nonce.buf, ctr);
+ u64 new_ctr = crypto_chacha20_x(out.buf, plain.buf, plain.size,
+ key.buf, nonce.buf, ctr);
if (new_ctr - ctr != nb_blocks) {
printf("FAILURE: XChacha20 returned counter not correct: ");
}
projects / Monocypher.git / commitdiff