From 9ef768a6b96e7f63146b46d7af5eb042ad8377f7 Mon Sep 17 00:00:00 2001
From: Loup Vaillant
Date: Wed, 11 Jan 2017 17:32:37 +0100
Subject: [PATCH] added ietf initialization to Chacha20
---
 chacha20.c | 28 ++++++++++++++++++++--------
 chacha20.h | 19 +++++++++++++++----
 vectors_ietf_chacha20.txt | 4 ++++
 3 files changed, 39 insertions(+), 12 deletions(-)
 create mode 100644 vectors_ietf_chacha20.txt
diff --git a/chacha20.c b/chacha20.c
index 164b10d..342090d 100644
--- a/chacha20.c
+++ b/chacha20.c
@@ -60,10 +60,11 @@ chacha20_rounds(uint32_t out[16], const uint32_t in[16])
 static void
 init_constant(crypto_chacha_ctx *ctx)
 {
- ctx->input[0] = load32_le((uint8_t*)"expa");
- ctx->input[1] = load32_le((uint8_t*)"nd 3");
- ctx->input[2] = load32_le((uint8_t*)"2-by");
- ctx->input[3] = load32_le((uint8_t*)"te k");
+ ctx->input[0] = load32_le((uint8_t*)"expa");
+ ctx->input[1] = load32_le((uint8_t*)"nd 3");
+ ctx->input[2] = load32_le((uint8_t*)"2-by");
+ ctx->input[3] = load32_le((uint8_t*)"te k");
+ ctx->pool_index = 64; // the random pool starts empty
 }

 static void
@@ -93,7 +94,19 @@ crypto_init_chacha20(crypto_chacha_ctx *ctx,
 init_constant(ctx );
 init_key (ctx, key );
 init_nonce (ctx, nonce);
- ctx->pool_index = 64; // the random pool starts empty
+}
+
+void
+crypto_init_ietf_chacha20(crypto_chacha_ctx *ctx,
+ const uint8_t key[32],
+ const uint8_t nonce[12])
+{
+ init_constant(ctx);
+ init_key(ctx, key);
+ ctx->input[12] = 0;
+ ctx->input[13] = load32_le(nonce );
+ ctx->input[14] = load32_le(nonce + 4);
+ ctx->input[15] = load32_le(nonce + 8);
 }

 void
@@ -104,7 +117,7 @@ crypto_init_Xchacha20(crypto_chacha_ctx *ctx,
 crypto_chacha_ctx init_ctx;
 init_constant (&init_ctx );
 init_key (&init_ctx, key);
- // init big nonce
+ // init big nonce (first 16 bytes)
 for (int i = 0; i < 4; i++)
 init_ctx.input[i + 12] = load32_le(nonce + i*4);
 
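Review bot: `init_constant` now also resets `ctx->pool_index`, so its name no longer covers what it does, and every initializer depends on calling it to start with an empty pool. In the last `crypto_init_Xchacha20` hunk the explicit `ctx->pool_index = 64;` is removed, and the only `init_constant` call visible there is on the temporary `&init_ctx`; a call on `ctx` itself, if there is one, sits between the hunks and is not shown. Confirm it exists, because a context returned with `pool_index` unset would presumably let the stream functions consume bytes from a pool that was never filled. A comment above the function such as `// sets the ChaCha constant and marks the keystream pool empty; every crypto_init_* must call this on the context it hands back` would make the dependency explicit.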
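Review bot: `crypto_init_ietf_chacha20` leaves only `ctx->input[12]` as the block counter and puts the first nonce word in `ctx->input[13]`, but nothing in the context records that this layout is in use. The code that advances the counter is outside this patch; if it carries out of `input[12]` into `input[13]`, as a 64-bit counter for the 8-byte-nonce layout would, a long stream silently continues under a different nonce and keystream is reused across messages. The header warning leaves enforcement entirely to the caller; consider a length limit checked in the encryption path, and at minimum a comment at the counter assignment, e.g. `// 32-bit block counter: the caller must stop before 2^32 blocks, a carry would land in the nonce`.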
@@ -116,8 +129,7 @@ crypto_init_Xchacha20(crypto_chacha_ctx *ctx,
 ctx->input[i + 4] = buffer[i ]; // constant
 ctx->input[i + 8] = buffer[i + 12]; // counter and nonce
 }
- init_nonce(ctx, nonce + 16);
- ctx->pool_index = 64; // the random pool starts empty
+ init_nonce(ctx, nonce + 16); // init big nonce (last 8 bytes)
 }

 void
diff --git a/chacha20.h b/chacha20.h
index 4f1f221..5ac197a 100644
--- a/chacha20.h
+++ b/chacha20.h
@@ -36,11 +36,22 @@ crypto_init_chacha20(crypto_chacha_ctx *ctx,
 const uint8_t key[32],
 const uint8_t nonce[8]);

-// Initializes a chacha context, with a bigger nonce (192 bits).
+// Initializes a chacha context, with a slightly bigger nonce (96 bits),
+// barely enough to be selected at random (if in doubt, don't).
 //
-// It's slower than regular initialization, but that big nonce can now
-// be selected at random without fear of collision. No more complex,
-// stateful headache.
+// The price you pay for this nonce is a smaller counter, which cannot
+// handle messages biger than 128Gib.
+// WARNING: ANY MESSAGE THAT EXCEEDS 128Gib WILL SPILL ITS SECRETS.
+void
+crypto_init_ietf_chacha20(crypto_chacha_ctx *ctx,
+ const uint8_t key[32],
+ const uint8_t nonce[12]);
+
+// Initializes a chacha context, with an even bigger nonce (192 bits),
+// more than enough to be selected at random.
+//
+// The price you pay for that is a slower initialization. The security
+// guarantees are the same as regular initialization.
 void
 crypto_init_Xchacha20(crypto_chacha_ctx *ctx,
 const uint8_t key[32],
diff --git a/vectors_ietf_chacha20.txt b/vectors_ietf_chacha20.txt
new file mode 100644
index 0000000..06601d6
--- /dev/null
+++ b/vectors_ietf_chacha20.txt
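Review bot: The limit in the new comment above `crypto_init_ietf_chacha20` does not match the layout set up in chacha20.c: a 32-bit counter of 64-byte blocks covers 2^32 × 64 bytes = 256 GiB, and `Gib` reads as gibibits rather than gibibytes. If 128 is a deliberate safety margin the comment should say so. The warning also does not state what goes wrong past the limit, or whether the library checks the length at all (no check is visible in this patch). Suggested wording: `// The price you pay is a 32-bit block counter: one key/nonce pair must` / `// not encrypt more than 2^32 blocks (256 GiB). The limit is not checked;` / `// past it, keystream repeats and the messages involved are compromised.` This also removes the typo `biger`.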
@@ -0,0 +1,4 @@
+key: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
+nonce: 000000000000004a00000000
+text: 4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e
+cipher: 6e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0bf91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d807ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab77937365af90bbf74a35be6b40b8eedf2785e42874d
-- 2.47.3
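Review bot: This vector looks like the encryption example from RFC 7539 section 2.4.2, which is computed with an initial block counter of 1, while `crypto_init_ietf_chacha20` in chacha20.c sets `ctx->input[12] = 0`. The file carries no counter field and the harness that reads it is not part of this patch, so the harness presumably skips the first 64-byte block or sets the counter itself. Record that next to the vector or in the harness (for example a `counter: 1` entry, if the format allows one); otherwise a vector added later with a different starting counter will fail for reasons unrelated to the cipher.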