Skip to content

Commit

Permalink
BIP324 Cipher Suite
Browse files Browse the repository at this point in the history
  • Loading branch information
dhruv committed Sep 30, 2022
1 parent cc904e1 commit 082914e
Show file tree
Hide file tree
Showing 13 changed files with 463 additions and 591 deletions.
4 changes: 2 additions & 2 deletions src/Makefile.am
Original file line number Diff line number Diff line change
Expand Up @@ -510,8 +510,8 @@ crypto_libbitcoin_crypto_base_la_LDFLAGS = $(AM_LDFLAGS) -static
crypto_libbitcoin_crypto_base_la_SOURCES = \
crypto/aes.cpp \
crypto/aes.h \
crypto/chacha_poly_aead.h \
crypto/chacha_poly_aead.cpp \
crypto/bip324_suite.h \
crypto/bip324_suite.cpp \
crypto/chacha20.h \
crypto/chacha20.cpp \
crypto/common.h \
Expand Down
2 changes: 1 addition & 1 deletion src/Makefile.bench.include
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,10 @@ bench_bench_bitcoin_SOURCES = \
bench/bench.cpp \
bench/bench.h \
bench/bench_bitcoin.cpp \
bench/bip324_suite.cpp \
bench/block_assemble.cpp \
bench/ccoins_caching.cpp \
bench/chacha20.cpp \
bench/chacha_poly_aead.cpp \
bench/checkblock.cpp \
bench/checkqueue.cpp \
bench/crypto_hash.cpp \
Expand Down
2 changes: 1 addition & 1 deletion src/Makefile.test.include
Original file line number Diff line number Diff line change
Expand Up @@ -251,8 +251,8 @@ test_fuzz_fuzz_SOURCES = \
test/fuzz/crypto.cpp \
test/fuzz/crypto_aes256.cpp \
test/fuzz/crypto_aes256cbc.cpp \
test/fuzz/crypto_bip324_suite.cpp \
test/fuzz/crypto_chacha20.cpp \
test/fuzz/crypto_chacha20_poly1305_aead.cpp \
test/fuzz/crypto_common.cpp \
test/fuzz/crypto_diff_fuzz_chacha20.cpp \
test/fuzz/crypto_hkdf_hmac_sha256_l32.cpp \
Expand Down
120 changes: 120 additions & 0 deletions src/bench/bip324_suite.cpp
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
// Copyright (c) 2019-2020 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.


#include <assert.h>
#include <bench/bench.h>
#include <crypto/bip324_suite.h>
#include <crypto/rfc8439.h> // for the RFC8439_EXPANSION constant
#include <hash.h>

#include <array>
#include <cstddef>
#include <vector>

/* Number of bytes to process per iteration */
static constexpr uint64_t BUFFER_SIZE_TINY = 64;
static constexpr uint64_t BUFFER_SIZE_SMALL = 256;
static constexpr uint64_t BUFFER_SIZE_LARGE = 1024 * 1024;

static const std::vector<std::byte> zero_vec(BIP324_KEY_LEN, std::byte{0x00});

static void BIP324_CIPHER_SUITE(benchmark::Bench& bench, size_t contents_len, bool include_decryption)
{
BIP324Key zero_arr;
std::array<std::byte, BIP324_REKEY_SALT_LEN> zero_rekey_salt;
memcpy(zero_arr.data(), zero_vec.data(), BIP324_KEY_LEN);
memcpy(zero_rekey_salt.data(), zero_vec.data(), BIP324_REKEY_SALT_LEN);

BIP324CipherSuite enc{zero_arr, zero_arr, zero_rekey_salt};
BIP324CipherSuite dec{zero_arr, zero_arr, zero_rekey_salt};

auto packet_len = BIP324_LENGTH_FIELD_LEN + BIP324_HEADER_LEN + contents_len + RFC8439_EXPANSION;

std::vector<std::byte> in(contents_len, std::byte{0x00});
std::vector<std::byte> out(packet_len, std::byte{0x00});

BIP324HeaderFlags flags{BIP324_NONE};

bench.batch(contents_len).unit("byte").run([&] {
// encrypt or decrypt the buffer with a static key
const bool crypt_ok_1 = enc.Crypt(in, out, flags, true);
assert(crypt_ok_1);

if (include_decryption) {
// if we decrypt, we need to decrypt the length first
std::array<std::byte, BIP324_LENGTH_FIELD_LEN> encrypted_pkt_len;
memcpy(encrypted_pkt_len.data(), out.data(), BIP324_LENGTH_FIELD_LEN);
(void)dec.DecryptLength(encrypted_pkt_len);
const bool crypt_ok_2 = dec.Crypt({out.data() + BIP324_LENGTH_FIELD_LEN, out.size() - BIP324_LENGTH_FIELD_LEN}, in, flags, false);
assert(crypt_ok_2);
}
});
}

static void BIP324_CIPHER_SUITE_64BYTES_ONLY_ENCRYPT(benchmark::Bench& bench)
{
BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_TINY, false);
}

static void BIP324_CIPHER_SUITE_256BYTES_ONLY_ENCRYPT(benchmark::Bench& bench)
{
BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_SMALL, false);
}

static void BIP324_CIPHER_SUITE_1MB_ONLY_ENCRYPT(benchmark::Bench& bench)
{
BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_LARGE, false);
}

static void BIP324_CIPHER_SUITE_64BYTES_ENCRYPT_DECRYPT(benchmark::Bench& bench)
{
BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_TINY, true);
}

static void BIP324_CIPHER_SUITE_256BYTES_ENCRYPT_DECRYPT(benchmark::Bench& bench)
{
BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_SMALL, true);
}

static void BIP324_CIPHER_SUITE_1MB_ENCRYPT_DECRYPT(benchmark::Bench& bench)
{
BIP324_CIPHER_SUITE(bench, BUFFER_SIZE_LARGE, true);
}

// Add Hash() (dbl-sha256) bench for comparison

static void HASH(benchmark::Bench& bench, size_t buffersize)
{
uint8_t hash[CHash256::OUTPUT_SIZE];
std::vector<uint8_t> in(buffersize, 0);
bench.batch(in.size()).unit("byte").run([&] {
CHash256().Write(in).Finalize(hash);
});
}

static void HASH_64BYTES(benchmark::Bench& bench)
{
HASH(bench, BUFFER_SIZE_TINY);
}

static void HASH_256BYTES(benchmark::Bench& bench)
{
HASH(bench, BUFFER_SIZE_SMALL);
}

static void HASH_1MB(benchmark::Bench& bench)
{
HASH(bench, BUFFER_SIZE_LARGE);
}

BENCHMARK(BIP324_CIPHER_SUITE_64BYTES_ONLY_ENCRYPT);
BENCHMARK(BIP324_CIPHER_SUITE_256BYTES_ONLY_ENCRYPT);
BENCHMARK(BIP324_CIPHER_SUITE_1MB_ONLY_ENCRYPT);
BENCHMARK(BIP324_CIPHER_SUITE_64BYTES_ENCRYPT_DECRYPT);
BENCHMARK(BIP324_CIPHER_SUITE_256BYTES_ENCRYPT_DECRYPT);
BENCHMARK(BIP324_CIPHER_SUITE_1MB_ENCRYPT_DECRYPT);
BENCHMARK(HASH_64BYTES);
BENCHMARK(HASH_256BYTES);
BENCHMARK(HASH_1MB);
126 changes: 0 additions & 126 deletions src/bench/chacha_poly_aead.cpp

This file was deleted.

118 changes: 118 additions & 0 deletions src/crypto/bip324_suite.cpp
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
// Copyright (c) 2019-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#include <crypto/bip324_suite.h>

#include <crypto/common.h>
#include <crypto/poly1305.h>
#include <crypto/sha256.h>
#include <support/cleanse.h>

#include <assert.h>
#include <cstring>
#include <string.h>

#ifndef HAVE_TIMINGSAFE_BCMP

int timingsafe_bcmp(const unsigned char* b1, const unsigned char* b2, size_t n)
{
const unsigned char *p1 = b1, *p2 = b2;
int ret = 0;

for (; n > 0; n--)
ret |= *p1++ ^ *p2++;
return (ret != 0);
}

#endif // TIMINGSAFE_BCMP

BIP324CipherSuite::~BIP324CipherSuite()
{
memory_cleanse(key_P.data(), key_P.size());
}

void BIP324CipherSuite::CommitToKeys(const Span<const std::byte> data, bool commit_to_L, bool commit_to_P)
{
if (commit_to_L) {
fsc20.CommitToKey(data);
}

if (commit_to_P) {
assert(CSHA256::OUTPUT_SIZE == BIP324_KEY_LEN);
auto hasher = rekey_hasher;
hasher << MakeUCharSpan(data) << MakeUCharSpan(key_P);
auto new_key = hasher.GetSHA256();
memcpy(key_P.data(), new_key.data(), BIP324_KEY_LEN);
}

set_nonce();
}

bool BIP324CipherSuite::Crypt(const Span<const std::byte> input, Span<std::byte> output,
BIP324HeaderFlags& flags, bool encrypt)
{
// check buffer boundaries
if (
// if we encrypt, make sure the destination has the space for the encrypted length field, header, contents and MAC
(encrypt && (output.size() < BIP324_LENGTH_FIELD_LEN + BIP324_HEADER_LEN + input.size() + RFC8439_EXPANSION)) ||
// if we decrypt, make sure the source contains at least the encrypted header + mac and the destination has the space for the input - MAC - header
(!encrypt && (input.size() < BIP324_HEADER_LEN + RFC8439_EXPANSION || output.size() < input.size() - BIP324_HEADER_LEN - RFC8439_EXPANSION))) {
return false;
}

if (encrypt) {
// input is just the contents
// output will be encrypted contents length + encrypted (header and contents) + mac tag
uint32_t contents_len = input.size();
WriteLE32(reinterpret_cast<unsigned char*>(&contents_len), contents_len);

std::vector<std::byte> header_and_contents(BIP324_HEADER_LEN + input.size());

memcpy(header_and_contents.data(), &flags, BIP324_HEADER_LEN);
if (!input.empty()) {
memcpy(header_and_contents.data() + BIP324_HEADER_LEN, input.data(), input.size());
}

auto write_pos = output.data();
fsc20.Crypt({reinterpret_cast<std::byte*>(&contents_len), BIP324_LENGTH_FIELD_LEN},
{write_pos, BIP324_LENGTH_FIELD_LEN});
write_pos += BIP324_LENGTH_FIELD_LEN;
RFC8439Encrypt({}, key_P, nonce, header_and_contents, {write_pos, BIP324_HEADER_LEN + input.size() + RFC8439_EXPANSION});
} else {
// we must use BIP324CipherSuite::DecryptLength before calling BIP324CipherSuite::Crypt
// input is encrypted (header + contents) and the MAC tag i.e. the RFC8439 ciphertext blob
// decrypted header will be put in flags and output will be plaintext contents.
std::vector<std::byte> decrypted_header_and_contents(input.size() - RFC8439_EXPANSION);
auto authenticated = RFC8439Decrypt({}, key_P, nonce, input, decrypted_header_and_contents);
if (!authenticated) {
return false;
}

memcpy(&flags, decrypted_header_and_contents.data(), BIP324_HEADER_LEN);
if (!output.empty()) {
memcpy(output.data(),
decrypted_header_and_contents.data() + BIP324_HEADER_LEN,
input.size() - BIP324_HEADER_LEN - RFC8439_EXPANSION);
}
}

packet_counter++;
if (packet_counter % REKEY_INTERVAL == 0) {
// Rekey key_P. key_L is automatically re-keyed since we're using a forward-secure version
// of ChaCha20, FSChacha20
CommitToKeys({(std::byte*)nullptr, 0}, false, true);
}
set_nonce();
return true;
}

uint32_t BIP324CipherSuite::DecryptLength(const std::array<std::byte, BIP324_LENGTH_FIELD_LEN>& encrypted_length)
{
std::array<uint8_t, BIP324_LENGTH_FIELD_LEN> length_buffer;
fsc20.Crypt(encrypted_length, MakeWritableByteSpan(length_buffer));

return (uint32_t{length_buffer[0]}) |
(uint32_t{length_buffer[1]} << 8) |
(uint32_t{length_buffer[2]} << 16);
}
Loading

0 comments on commit 082914e

Please sign in to comment.