crypto: add FSChaCha20Poly1305, rekeying wrapper around ChaCha20Poly1305

sipa · sipa · commit aa8cee93342e · 2023-07-26T16:55:05.000-04:00
This adds the FSChaCha20Poly1305 AEAD as specified in BIP324, a wrapper
around the ChaCha20Poly1305 AEAD (as specified in RFC8439 section 2.8) which
automatically rekeys every N messages, and automatically increments the nonce
every message.
diff --git a/src/crypto/chacha20poly1305.cpp b/src/crypto/chacha20poly1305.cpp
@@ -8,6 +8,7 @@
 #include <crypto/chacha20.h>
 #include <crypto/poly1305.h>
 #include <span.h>
+#include <support/cleanse.h>
 
 #include <assert.h>
 #include <cstdint>
@@ -99,3 +100,41 @@ bool AEADChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std:
     m_chacha20.Crypt(UCharCast(cipher.data()), UCharCast(plain.data()), plain.size());
     return true;
 }
+
+void AEADChaCha20Poly1305::Keystream(Nonce96 nonce, Span<std::byte> keystream) noexcept
+{
+    // Skip the first output block, as it's used for generating the poly1305 key.
+    m_chacha20.Seek64(nonce, 1);
+    m_chacha20.Keystream(UCharCast(keystream.data()), keystream.size());
+}
+
+void FSChaCha20Poly1305::NextPacket() noexcept
+{
+    if (++m_packet_counter == m_rekey_interval) {
+        // Generate a full block of keystream, to avoid needing the ChaCha20 buffer, even though
+        // we only need KEYLEN (32) bytes.
+        std::byte one_block[64];
+        m_aead.Keystream({0xFFFFFFFF, m_rekey_counter}, one_block);
+        // Switch keys.
+        m_aead.SetKey(Span{one_block}.first(KEYLEN));
+        // Wipe the generated keystream (a copy remains inside m_aead, which will be cleaned up
+        // once it cycles again, or is destroyed).
+        memory_cleanse(one_block, sizeof(one_block));
+        // Update counters.
+        m_packet_counter = 0;
+        ++m_rekey_counter;
+    }
+}
+
+void FSChaCha20Poly1305::Encrypt(Span<const std::byte> plain, Span<const std::byte> aad, Span<std::byte> cipher) noexcept
+{
+    m_aead.Encrypt(plain, aad, {m_packet_counter, m_rekey_counter}, cipher);
+    NextPacket();
+}
+
+bool FSChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain) noexcept
+{
+    bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain);
+    NextPacket();
+    return ret;
+}
diff --git a/src/crypto/chacha20poly1305.h b/src/crypto/chacha20poly1305.h
@@ -46,6 +46,68 @@ class AEADChaCha20Poly1305
      * Requires cipher.size() = plain.size() + EXPANSION.
      */
     bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> plain) noexcept;
+
+    /** Get a number of keystream bytes from the underlying stream cipher.
+     *
+     * This is equivalent to Encrypt() with plain set to that many zero bytes, and dropping the
+     * last EXPANSION bytes off the result.
+     */
+    void Keystream(Nonce96 nonce, Span<std::byte> keystream) noexcept;
+};
+
+/** Forward-secure wrapper around AEADChaCha20Poly1305.
+ *
+ * This implements an AEAD which automatically increments the nonce on every encryption or
+ * decryption, and cycles keys after a predetermined number of encryptions or decryptions.
+ *
+ * See BIP324 for details.
+ */
+class FSChaCha20Poly1305
+{
+private:
+    /** Internal AEAD. */
+    AEADChaCha20Poly1305 m_aead;
+
+    /** Every how many iterations this cipher rekeys. */
+    const uint32_t m_rekey_interval;
+
+    /** The number of encryptions/decryptions since the last rekey. */
+    uint32_t m_packet_counter{0};
+
+    /** The number of rekeys performed so far. */
+    uint64_t m_rekey_counter{0};
+
+    /** Update counters (and if necessary, key) to transition to the next message. */
+    void NextPacket() noexcept;
+
+public:
+    /** Length of keys expected by the constructor. */
+    static constexpr auto KEYLEN = AEADChaCha20Poly1305::KEYLEN;
+
+    /** Expansion when encrypting. */
+    static constexpr auto EXPANSION = AEADChaCha20Poly1305::EXPANSION;
+
+    // No copy or move to protect the secret.
+    FSChaCha20Poly1305(const FSChaCha20Poly1305&) = delete;
+    FSChaCha20Poly1305(FSChaCha20Poly1305&&) = delete;
+    FSChaCha20Poly1305& operator=(const FSChaCha20Poly1305&) = delete;
+    FSChaCha20Poly1305& operator=(FSChaCha20Poly1305&&) = delete;
+
+    /** Construct an FSChaCha20Poly1305 cipher that rekeys every rekey_interval operations. */
+    FSChaCha20Poly1305(Span<const std::byte> key, uint32_t rekey_interval) noexcept :
+        m_aead(key), m_rekey_interval(rekey_interval) {}
+
+    /** Encrypt a message with a specified aad.
+     *
+     * Requires cipher.size() = plain.size() + EXPANSION.
+     */
+    void Encrypt(Span<const std::byte> plain, Span<const std::byte> aad, Span<std::byte> cipher) noexcept;
+
+    /** Decrypt a message with a specified aad. Returns true if valid.
+     *
+     * Requires cipher.size() = plain.size() + EXPANSION.
+     */
+    bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain) noexcept;
 };
 
 #endif // BITCOIN_CRYPTO_CHACHA20POLY1305_H
diff --git a/src/test/crypto_tests.cpp b/src/test/crypto_tests.cpp
@@ -264,6 +264,41 @@ static void TestChaCha20Poly1305(const std::string& plain_hex, const std::string
     bool ret = aead.Decrypt(cipher, aad, nonce, decipher);
     BOOST_CHECK(ret);
     BOOST_CHECK(decipher == plain);
+
+    std::vector<std::byte> keystream(plain.size());
+    aead.Keystream(nonce, keystream);
+    for (size_t i = 0; i < plain.size(); ++i) {
+        BOOST_CHECK_EQUAL(plain[i] ^ keystream[i], cipher[i]);
+    }
+}
+
+static void TestFSChaCha20Poly1305(const std::string& plain_hex, const std::string& aad_hex, const std::string& key_hex, uint64_t msg_idx, const std::string& cipher_hex)
+{
+    auto plain = ParseHex<std::byte>(plain_hex);
+    auto aad = ParseHex<std::byte>(aad_hex);
+    auto key = ParseHex<std::byte>(key_hex);
+    auto expected_cipher = ParseHex<std::byte>(cipher_hex);
+    std::vector<std::byte> cipher(plain.size() + FSChaCha20Poly1305::EXPANSION);
+
+    FSChaCha20Poly1305 enc_aead{key, 224};
+    for (uint64_t i = 0; i < msg_idx; ++i) {
+        std::byte dummy_tag[FSChaCha20Poly1305::EXPANSION] = {{}};
+        enc_aead.Encrypt(Span{dummy_tag}.first(0), Span{dummy_tag}.first(0), dummy_tag);
+    }
+
+    enc_aead.Encrypt(plain, aad, cipher);
+    BOOST_CHECK(cipher == expected_cipher);
+
+    FSChaCha20Poly1305 dec_aead{key, 224};
+    for (uint64_t i = 0; i < msg_idx; ++i) {
+        std::byte dummy_tag[FSChaCha20Poly1305::EXPANSION] = {{}};
+        dec_aead.Decrypt(dummy_tag, Span{dummy_tag}.first(0), Span{dummy_tag}.first(0));
+    }
+
+    std::vector<std::byte> decipher(cipher.size() - AEADChaCha20Poly1305::EXPANSION);
+    bool ret = dec_aead.Decrypt(cipher, aad, decipher);
+    BOOST_CHECK(ret);
+    BOOST_CHECK(decipher == plain);
 }
 
 static void TestHKDF_SHA256_32(const std::string &ikm_hex, const std::string &salt_hex, const std::string &info_hex, const std::string &okm_check_hex) {
@@ -947,6 +982,29 @@ BOOST_AUTO_TEST_CASE(chacha20poly1305_testvectors)
                          "77adda51d6730b9ad6c995658cbd49f581b2547e7c0c08fcc24ceec797461021",
                          {0x1f90da88, 0x75dafa3ef84471a4},
                          "aaae5bb81e8407c94b2ae86ae0c7efbe");
+
+    // FSChaCha20Poly1305 tests.
+    TestFSChaCha20Poly1305("d6a4cb04ef0f7c09c1866ed29dc24d820e75b0491032a51b4c3366f9ca35c19e"
+                           "a3047ec6be9d45f9637b63e1cf9eb4c2523a5aab7b851ebeba87199db0e839cf"
+                           "0d5c25e50168306377aedbe9089fd2463ded88b83211cf51b73b150608cc7a60"
+                           "0d0f11b9a742948482e1b109d8faf15b450aa7322e892fa2208c6691e3fecf4c"
+                           "711191b14d75a72147",
+                           "786cb9b6ebf44288974cf0",
+                           "5c9e1c3951a74fba66708bf9d2c217571684556b6a6a3573bff2847d38612654",
+                           500,
+                           "9dcebbd3281ea3dd8e9a1ef7d55a97abd6743e56ebc0c190cb2c4e14160b385e"
+                           "0bf508dddf754bd02c7c208447c131ce23e47a4a14dfaf5dd8bc601323950f75"
+                           "4e05d46e9232f83fc5120fbbef6f5347a826ec79a93820718d4ec7a2b7cfaaa4"
+                           "4b21e16d726448b62f803811aff4f6d827ed78e738ce8a507b81a8ae13131192"
+                           "8039213de18a5120dc9b7370baca878f50ff254418de3da50c");
+    TestFSChaCha20Poly1305("8349b7a2690b63d01204800c288ff1138a1d473c832c90ea8b3fc102d0bb3adc"
+                           "44261b247c7c3d6760bfbe979d061c305f46d94c0582ac3099f0bf249f8cb234",
+                           "",
+                           "3bd2093fcbcb0d034d8c569583c5425c1a53171ea299f8cc3bbf9ae3530adfce",
+                           60000,
+                           "30a6757ff8439b975363f166a0fa0e36722ab35936abd704297948f45083f4d4"
+                           "99433137ce931f7fca28a0acd3bc30f57b550acbc21cbd45bbef0739d9caf30c"
+                           "14b94829deb27f0b1923a2af704ae5d6");
 }
 
 BOOST_AUTO_TEST_CASE(hkdf_hmac_sha256_l32_tests)
