
Add ChaCha20 encryption option (XOR) #15512

Merged
merged 2 commits into bitcoin:master from jonasschnelli:2019/03/chacha on May 10, 2019

Conversation

@jonasschnelli
Member

commented Mar 1, 2019

The current ChaCha20 implementation does not support message encryption (it can only output the keystream, which is sufficient for the RNG).

This PR adds the actual XORing of the plaintext with the keystream in order to return the desired ciphertext.

Required for v2 message transport protocol.

@DrahtBot

Contributor

commented Mar 5, 2019

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #15649 (Add ChaCha20Poly1305@Bitcoin AEAD by jonasschnelli)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

@ryanofsky
Contributor

left a comment

utACK 4325da9. I don't know very much about chacha20 or this method of encryption, but this seems to do what is described.

src/crypto/chacha20.cpp (outdated, resolved)
@@ -100,6 +102,10 @@ void ChaCha20::Output(unsigned char* c, size_t bytes)

for (;;) {
if (bytes < 64) {
if (m != nullptr) {
for (i = 0;i < bytes;++i) tmp[i] = m[i];
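Review bot: in the `bytes < 64` path the copy into `tmp` runs only under `if (m != nullptr)`, so for a keystream-only call (`m == nullptr`) the partial block is combined with whatever `tmp` already holds unless the XOR is skipped elsewhere for that case; either zero `tmp` in an `else` branch or keep the keystream path in a function of its own so that neither this copy nor the null check sits on the RNG path.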

@ryanofsky

ryanofsky Mar 22, 2019

Contributor

Just memcpy(tmp, m, bytes) might be simpler and easy to read than this for loop.

@jonasschnelli

jonasschnelli Mar 25, 2019

Author Member

I'm not too familiar with compiler optimisations and stuff, but I just checked the reference implementation by DJB and some other C-based ChaCha implementations, and all of them seem to use the byte-per-byte assignment. I prefer to leave it as it is.

src/crypto/chacha20.cpp (outdated, resolved)
src/crypto/chacha20.h (outdated, resolved)
src/test/crypto_tests.cpp (resolved)
src/test/crypto_tests.cpp (outdated, resolved)

@jonasschnelli jonasschnelli force-pushed the jonasschnelli:2019/03/chacha branch from 4325da9 to 9d3ea6a Mar 25, 2019

laanwj added a commit that referenced this pull request Mar 27, 2019

Merge #15519: Add Poly1305 implementation
e9d5e97 Poly1305: tolerate the intentional unsigned wraparound in poly1305.cpp (Jonas Schnelli)
b34bf30 Add Poly1305 bench (Jonas Schnelli)
03be7f4 Add Poly1305 implementation (Jonas Schnelli)

Pull request description:

  This adds a currently unused Poly1305 implementation including test vectors from RFC7539.

  Required for BIP151 (and related to #15512).

Tree-SHA512: f8c1ad2f686b980a7498ca50c517e2348ac7b1fe550565156f6c2b20faf764978e4fa6b5b1c3777a16e7a12e2eca3fb57a59be9c788b00d4358ee80f2959edb1
@@ -71,7 +71,7 @@ void ChaCha20::Seek(uint64_t pos)
input[13] = pos >> 32;
}

void ChaCha20::Output(unsigned char* c, size_t bytes)
void ChaCha20::Output(const unsigned char* m, unsigned char* c, size_t bytes)
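Review bot: changing `Output(unsigned char* c, size_t bytes)` to `Output(const unsigned char* m, unsigned char* c, size_t bytes)` means every existing keystream caller has to pass `nullptr` and the RNG path picks up a null check on `m`; a separate `Keystream(c, bytes)` next to `Crypt(m, c, bytes)` keeps those call sites unchanged and keeps the message-pointer branch out of the RNG path. Whichever shape is kept, the header should state whether `m` may be null and what is written when it is.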

@sipa

sipa Mar 27, 2019

Member

I think it would be better to duplicate the logic here and turn the stream cipher version into a separate function.

As is, it introduces an unnecessary branch in the output version.

@jonasschnelli

jonasschnelli Mar 28, 2019

Author Member

Good point. Adapted the duplication approach.

@jnewbery

jnewbery May 3, 2019

Member

What's the reasoning here? Performance?

How does the version in the reference implementation compare?

void ECRYPT_keystream_bytes(ECRYPT_ctx *x,u8 *stream,u32 bytes)
{
  u32 i;
  for (i = 0;i < bytes;++i) stream[i] = 0;
  ECRYPT_encrypt_bytes(x,stream,stream,bytes);
}

ie setting Output(c, bytes) to call Crypt(c, c, bytes)?

@jonasschnelli

jonasschnelli May 3, 2019

Author Member

I had it in the initial version like @jnewbery just proposed.
After @sipa recommended separating it, I thought that a strict separation may be beneficial for verification and later optimizations. But maybe @sipa can clarify...

@jonasschnelli jonasschnelli force-pushed the jonasschnelli:2019/03/chacha branch from 9d3ea6a to 7f2028f Mar 28, 2019

x14 += j14;
x15 += j15;

if (m != nullptr) {

@sipa

sipa Mar 28, 2019

Member

No need for this if.

@jonasschnelli

jonasschnelli Mar 29, 2019

Author Member

Yes. Fixed.

@jonasschnelli jonasschnelli force-pushed the jonasschnelli:2019/03/chacha branch from 7f2028f to 427b49d Mar 29, 2019

@ryanofsky
Contributor

left a comment

utACK 427b49d. Changes since last review: splitting Output/Crypt functions, dropping comment describing function arguments, adding comment describing m/tmp copy, dropping XOR macro, and making suggested test changes.

@jnewbery
Member

left a comment

Implementation and tests look good and match the reference implementation here: https://cr.yp.to/streamciphers/timings/estreambench/submissions/salsa20/chacha8/merged/chacha.c and test vector here: https://tools.ietf.org/html/rfc7539#section-2.4.2

I have a few minor comments inline, and would be curious about the answer to:
#15512 (comment)

src/crypto/chacha20.h (resolved)
src/crypto/chacha20.h (resolved)
src/crypto/chacha20.h (outdated, resolved)
src/test/crypto_tests.cpp (resolved)

@jonasschnelli jonasschnelli force-pushed the jonasschnelli:2019/03/chacha branch from 427b49d to d5d6f81 May 3, 2019

@jonasschnelli jonasschnelli force-pushed the jonasschnelli:2019/03/chacha branch from d5d6f81 to 66d682b May 3, 2019

@jnewbery
Member

left a comment

Looks great. Thanks for adding the comments to chacha20.h!

Just a couple of nits in the bench file. I'm still curious about the code duplication between Keystream() and Crypt().

src/bench/chacha20.cpp (resolved)
ctx.Crypt(in.data(), out.data(), in.size());
}

static void HASH(benchmark::State& state, size_t buffersize)

@jnewbery

jnewbery May 3, 2019

Member

Is there a reason you've added these CHash256 benchmarks to chacha20.cpp?

@jonasschnelli

jonasschnelli May 3, 2019

Author Member

I added it for comparison and the impact on the networking... though I think it belongs to an extra commit in #15649.
Will remove it from here.

@jonasschnelli jonasschnelli force-pushed the jonasschnelli:2019/03/chacha branch 2 times, most recently from c8df2c0 to 2dfe275 May 3, 2019

@jnewbery

Member

commented May 3, 2019

Looks good. utACK 2dfe275.

In general, it's better to have less code duplication, so I'd like to hear from @sipa his reasoning for #15512 (comment)

@sipa

Member

commented May 3, 2019

@jnewbery I just thought that it'd be preferable not to burden the RNG code with branches that are only used for encryption. In cryptographic code like this, I don't care too much about duplication, as it isn't code that is subject to many possible future changes.

@jnewbery

Member

commented May 6, 2019

OK, my aesthetic preference is for less duplication, either by having a single Keystream/Crypt function, or by calling Keystream() from Crypt() with a zeroed message. As sipa points out though, this code is unlikely to be modified much in future, so it's not a big deal either way.

utACK 2dfe275

@ryanofsky
Contributor

left a comment

utACK 2dfe275. Changes since last review are just renaming the Crypt method, adding comments, and simplifying the benchmark.

I just thought that it'd be preferable not to burden the RNG code with branches that are only used for encryption.

I think the duplication is fine, but it's unclear if the concern with branches is about readability or performance. If it's performance, you could give the previous Output() function an additional template<bool use_input> template argument, and have Crypt() and Keystream() both call it inlined.
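Worked example, added here and not taken from Bitcoin Core's `src/crypto/chacha20.cpp` or from any reviewer: a self-contained ChaCha20 in the PR's 64-bit IV / 64-bit counter state layout that takes the `template<bool use_input>` route ryanofsky suggests above. One core body is instantiated twice, as `Keystream()` for the RNG and as `Crypt()` for message XOR, so the RNG path has no runtime branch on the message pointer (sipa's concern) and the round function is not duplicated (jnewbery's concern). It also checks the identity jnewbery quoted from the reference implementation, that the keystream equals the encryption of an all-zero message, and the RFC 7539 section 2.4.2 vector the tests use, mapped to this layout as IV 0x4a000000 and counter 1. The class name `ChaCha20Example`, the helper names and the constructed keys are this example's own assumptions.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

// Added example, not Bitcoin Core's chacha20.cpp: same 64-bit IV / 64-bit counter layout
// as the PR's class; Keystream() and Crypt() share one body via template<bool use_input>,
// so the keystream instantiation carries no runtime branch on the message pointer.
static inline uint32_t ReadLE32(const unsigned char* p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static inline void WriteLE32(unsigned char* p, uint32_t v) { for (int i = 0; i < 4; ++i) p[i] = (unsigned char)(v >> (8 * i)); }
static inline uint32_t Rotl32(uint32_t v, int c) { return (v << c) | (v >> (32 - c)); }
static inline void QuarterRound(uint32_t& a, uint32_t& b, uint32_t& c, uint32_t& d)
{
    a += b; d ^= a; d = Rotl32(d, 16);
    c += d; b ^= c; b = Rotl32(b, 12);
    a += b; d ^= a; d = Rotl32(d, 8);
    c += d; b ^= c; b = Rotl32(b, 7);
}

class ChaCha20Example
{
public:
    // key32: 32-byte key; iv: 64-bit nonce (words 14,15); counter: 64-bit block counter (words 12,13)
    ChaCha20Example(const unsigned char* key32, uint64_t iv, uint64_t counter)
    {
        static const unsigned char sigma[16] = {'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'};
        for (int i = 0; i < 4; ++i) m_state[i] = ReadLE32(sigma + 4 * i);
        for (int i = 0; i < 8; ++i) m_state[4 + i] = ReadLE32(key32 + 4 * i);
        Seek(counter);
        m_state[14] = (uint32_t)iv;
        m_state[15] = (uint32_t)(iv >> 32);
    }
    void Seek(uint64_t pos) { m_state[12] = (uint32_t)pos; m_state[13] = (uint32_t)(pos >> 32); }
    // Raw keystream as the RNG consumes it: no message pointer, no branch on one.
    void Keystream(unsigned char* out, size_t bytes) { Run<false>(nullptr, out, bytes); }
    // message XOR keystream; the same call encrypts and decrypts.
    void Crypt(const unsigned char* in, unsigned char* out, size_t bytes) { Run<true>(in, out, bytes); }

private:
    uint32_t m_state[16];
    template <bool use_input>
    void Run(const unsigned char* in, unsigned char* out, size_t bytes)
    {
        unsigned char block[64];
        while (bytes > 0) {
            uint32_t x[16];
            std::memcpy(x, m_state, sizeof(x));
            for (int i = 0; i < 10; ++i) { // 20 rounds = 10 double rounds
                QuarterRound(x[0], x[4], x[8], x[12]);  QuarterRound(x[1], x[5], x[9], x[13]);
                QuarterRound(x[2], x[6], x[10], x[14]); QuarterRound(x[3], x[7], x[11], x[15]);
                QuarterRound(x[0], x[5], x[10], x[15]); QuarterRound(x[1], x[6], x[11], x[12]);
                QuarterRound(x[2], x[7], x[8], x[13]);  QuarterRound(x[3], x[4], x[9], x[14]);
            }
            for (int i = 0; i < 16; ++i) WriteLE32(block + 4 * i, x[i] + m_state[i]);
            if (++m_state[12] == 0) ++m_state[13]; // 64-bit counter with carry into word 13
            // A trailing partial block still consumes a whole keystream block; copying out of
            // `block` avoids the reference code's tmp/ctarget pointer swap.
            size_t n = bytes < 64 ? bytes : 64;
            for (size_t i = 0; i < n; ++i) out[i] = use_input ? (unsigned char)(in[i] ^ block[i]) : block[i];
            if (use_input) in += n;
            out += n;
            bytes -= n;
        }
    }
};

// RFC 7539 section 2.4.2 in this layout: nonce 00000000:0000004a:00000000 with counter 1
// is a 64-bit counter of 1 (words 12,13) and a 64-bit IV of 0x4a000000 (words 14,15).
// 114 bytes = one full block + a 50-byte partial block; a fresh state must decrypt it back.
bool Rfc7539Section242Matches()
{
    unsigned char key[32];
    for (int i = 0; i < 32; ++i) key[i] = (unsigned char)i;
    const char* pt = "Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it.";
    const size_t len = std::strlen(pt);
    std::vector<unsigned char> ct(len), back(len);
    ChaCha20Example(key, 0x4a000000ULL, 1).Crypt((const unsigned char*)pt, ct.data(), len);
    ChaCha20Example(key, 0x4a000000ULL, 1).Crypt(ct.data(), back.data(), len);
    static const unsigned char want[32] = {0x6e,0x2e,0x35,0x9a,0x25,0x68,0xf9,0x80,0x41,0xba,0x07,0x28,0xdd,0x0d,0x69,0x81,
                                           0xe9,0x7e,0x7a,0xec,0x1d,0x43,0x60,0xc2,0x0a,0x27,0xaf,0xcc,0xfd,0x9f,0xae,0x0b};
    return len == 114 && std::memcmp(ct.data(), want, sizeof(want)) == 0 && std::memcmp(back.data(), pt, len) == 0;
}

// The reference implementation's identity: keystream == Crypt of an all-zero message.
bool KeystreamEqualsCryptOfZeros(size_t bytes)
{
    unsigned char key[32];
    for (int i = 0; i < 32; ++i) key[i] = (unsigned char)(0xa5 ^ i); // constructed key
    std::vector<unsigned char> zeros(bytes, 0), ks(bytes), ct(bytes);
    ChaCha20Example a(key, 0x1122334455667788ULL, 0), b(key, 0x1122334455667788ULL, 0);
    a.Keystream(ks.data(), bytes);
    b.Crypt(zeros.data(), ct.data(), bytes);
    return ks == ct;
}
```

Both check functions return true when the property holds; `Rfc7539Section242Matches()` compares the first 32 ciphertext bytes against the RFC's published value and round-trips the whole 114-byte message. Note the partial-block behaviour: a final call of fewer than 64 bytes still advances the counter by one, so chunked and one-shot encryption only agree when the chunks are multiples of 64, which is also how the reference code behaves when it runs a short tail through `tmp` as a full block.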

@sipa

Member

commented May 10, 2019

utACK 2dfe275

@jonasschnelli jonasschnelli merged commit 2dfe275 into bitcoin:master May 10, 2019

2 checks passed

continuous-integration/appveyor/pr: AppVeyor build succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed

jonasschnelli added a commit that referenced this pull request May 10, 2019

Merge #15512: Add ChaCha20 encryption option (XOR)
2dfe275 Add ChaCha20 bench (Jonas Schnelli)
2bc2b8b Add ChaCha20 encryption option (XOR) (Jonas Schnelli)

Pull request description:

  The current ChaCha20 implementation does not support message encryption (it can only output the keystream which is sufficient for the RNG).

  This PR adds the actual XORing of the `plaintext` with the `keystream` in order to return the desired `ciphertext`.

  Required for v2 message transport protocol.

ACKs for commit 2dfe27:
  jnewbery:
    Looks good. utACK 2dfe275.
  jnewbery:
    utACK 2dfe275
  sipa:
    utACK 2dfe275
  ryanofsky:
    utACK 2dfe275. Changes since last review are just renaming the Crypt method, adding comments, and simplifying the benchmark.

Tree-SHA512: 84bb234da2ca9fdc44bc29a786d9dd215520f81245270c1aef801ef66b6091b7793e2eb38ad6dbb084925245065c5dce9e5582f2d0fa220ab3e182d43412d5b5

@jonasschnelli jonasschnelli removed this from Blockers in High-priority for review May 10, 2019

sidhujag pushed a commit to syscoin/syscoin that referenced this pull request May 10, 2019

LitecoinZ added a commit to litecoinz-core/wip that referenced this pull request May 31, 2019
@LitecoinZ LitecoinZ referenced this pull request May 31, 2019
44 of 244 tasks complete

PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Jun 19, 2019

PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Jun 19, 2019

if (bytes <= 64) {
if (bytes < 64) {
for (i = 0;i < bytes;++i) ctarget[i] = c[i];
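Review bot: the `ctarget[i] = c[i]` copy reads as a self-copy unless the reader already knows that the earlier `bytes < 64` branch redirected `c` to the 64-byte `tmp` buffer and saved the caller's pointer in `ctarget`; a one-line comment at the swap and another here stating that `c` points at `tmp` at this point would prevent that misreading, and `memcpy(ctarget, c, bytes)` would replace the loop.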

@Kixunil

Kixunil Jul 2, 2019

Isn't this a no-op? When bytes < 64, line 215 gets executed, which makes ctarget and c equal pointers, therefore it's copying a value to itself.

@jonasschnelli

jonasschnelli Jul 3, 2019

Author Member

I don't think so.
If we do less than 64 bytes, we execute the round on tmp (because we always do 64 bytes, see line 216; c points to tmp if <64 bytes). So in the case of <64 bytes, c points to the temporary 64-byte buffer and ctarget points to the function-provided c argument.

@Kixunil

Kixunil Jul 4, 2019

Ah, yes, missed that. Thanks and sorry for bothering.

void SetIV(uint64_t iv);
void Seek(uint64_t pos);
void Output(unsigned char* output, size_t bytes);
void SetKey(const unsigned char* key, size_t keylen); //!< set key with flexible keylength; 256bit recommended */
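Review bot: the `SetKey` comment opens a `//!<` line comment but ends with `*/`, a leftover block-comment terminator that should be dropped. The declarations also say nothing about the pointer contract; a note that `key` must be non-null and is copied rather than retained, and the same for `output`, belongs here alongside the rename.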

@Kixunil

Kixunil Jul 2, 2019

I like the renaming. Would be nice if the comments included information about pointers (e.g. "key must be non-null, pointer isn't stored").

@jonasschnelli

jonasschnelli Jul 3, 2019

Author Member

Yes. That would have been useful. Feel free to PR.

@Warrows Warrows referenced this pull request Jul 9, 2019
30 of 42 tasks complete

laanwj added a commit that referenced this pull request Jul 11, 2019

Merge #15649: Add ChaCha20Poly1305@Bitcoin AEAD
bb326ad Add ChaCha20Poly1305@Bitcoin AEAD benchmark (Jonas Schnelli)
99aea04 Add ChaCha20Poly1305@Bitcoin tests (Jonas Schnelli)
af5d1b5 Add ChaCha20Poly1305@Bitcoin AEAD implementation (Jonas Schnelli)

Pull request description:

  This adds a new AEAD (authenticated encryption with additional data) construct optimised for small messages (like those used in Bitcoin's p2p network).

  Includes: #15519, #15512 (please review those first).

  The construct is specified here.
  https://gist.github.com/jonasschnelli/c530ea8421b8d0e80c51486325587c52#ChaCha20Poly1305Bitcoin_Cipher_Suite

  This aims to be used in v2 peer-to-peer messages.

ACKs for top commit:
  laanwj:
    code review ACK bb326ad

Tree-SHA512: 15bcb86c510fce7abb7a73536ff2ae89893b24646bf108c6cf18f064d672dbbbea8b1dd0868849fdac0c6854e498f1345d01dab56d1c92031afd728302234686

sidhujag pushed a commit to syscoin/syscoin that referenced this pull request Jul 11, 2019

PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Jul 18, 2019


PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Jul 18, 2019

PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Jul 18, 2019

PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Jul 23, 2019

PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Jul 23, 2019

PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Jul 23, 2019

Add new line

PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Aug 6, 2019

PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Aug 6, 2019

PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Aug 6, 2019

Add new line
Projects
None yet
7 participants