From fe3399dee5c9ed0268bd5a21c0fc798095672ae2 Mon Sep 17 00:00:00 2001
From: Charles Wright <cvwright@futo.org>
Date: Thu, 10 Feb 2022 14:59:33 -0600
Subject: [PATCH] Cut out all of the encryption stuff from monocypher. Should
now be OK to export from the US without issue.
---
monocypher.c | 236 ---------------------------------------------------
monocypher.h | 73 ----------------
2 files changed, 309 deletions(-)
diff --git a/monocypher.c b/monocypher.c
index 7ab3958..ed05e2b 100644
--- a/monocypher.c
+++ b/monocypher.c
@@ -159,156 +159,6 @@ void crypto_wipe(void *secret, size_t size)
ZERO(v_secret, size);
}
-/////////////////
-/// Chacha 20 ///
-/////////////////
-#define QUARTERROUND(a, b, c, d) \
- a += b; d = rotl32(d ^ a, 16); \
- c += d; b = rotl32(b ^ c, 12); \
- a += b; d = rotl32(d ^ a, 8); \
- c += d; b = rotl32(b ^ c, 7)
-
-static void chacha20_rounds(u32 out[16], const u32 in[16])
-{
- // The temporary variables make Chacha20 10% faster.
- u32 t0 = in[ 0]; u32 t1 = in[ 1]; u32 t2 = in[ 2]; u32 t3 = in[ 3];
- u32 t4 = in[ 4]; u32 t5 = in[ 5]; u32 t6 = in[ 6]; u32 t7 = in[ 7];
- u32 t8 = in[ 8]; u32 t9 = in[ 9]; u32 t10 = in[10]; u32 t11 = in[11];
- u32 t12 = in[12]; u32 t13 = in[13]; u32 t14 = in[14]; u32 t15 = in[15];
-
- FOR (i, 0, 10) { // 20 rounds, 2 rounds per loop.
- QUARTERROUND(t0, t4, t8 , t12); // column 0
- QUARTERROUND(t1, t5, t9 , t13); // column 1
- QUARTERROUND(t2, t6, t10, t14); // column 2
- QUARTERROUND(t3, t7, t11, t15); // column 3
- QUARTERROUND(t0, t5, t10, t15); // diagonal 0
- QUARTERROUND(t1, t6, t11, t12); // diagonal 1
- QUARTERROUND(t2, t7, t8 , t13); // diagonal 2
- QUARTERROUND(t3, t4, t9 , t14); // diagonal 3
- }
- out[ 0] = t0; out[ 1] = t1; out[ 2] = t2; out[ 3] = t3;
- out[ 4] = t4; out[ 5] = t5; out[ 6] = t6; out[ 7] = t7;
- out[ 8] = t8; out[ 9] = t9; out[10] = t10; out[11] = t11;
- out[12] = t12; out[13] = t13; out[14] = t14; out[15] = t15;
-}
-
-static void chacha20_init_key(u32 block[16], const u8 key[32])
-{
- load32_le_buf(block , (const u8*)"expand 32-byte k", 4); // constant
- load32_le_buf(block+4, key , 8); // key
-}
-
-void crypto_hchacha20(u8 out[32], const u8 key[32], const u8 in [16])
-{
- u32 block[16];
- chacha20_init_key(block, key);
- // input
- load32_le_buf(block + 12, in, 4);
- chacha20_rounds(block, block);
- // prevent reversal of the rounds by revealing only half of the buffer.
- store32_le_buf(out , block , 4); // constant
- store32_le_buf(out+16, block+12, 4); // counter and nonce
- WIPE_BUFFER(block);
-}
-
-u64 crypto_chacha20_ctr(u8 *cipher_text, const u8 *plain_text,
- size_t text_size, const u8 key[32], const u8 nonce[8],
- u64 ctr)
-{
- u32 input[16];
- chacha20_init_key(input, key);
- input[12] = (u32) ctr;
- input[13] = (u32)(ctr >> 32);
- load32_le_buf(input+14, nonce, 2);
-
- // Whole blocks
- u32 pool[16];
- size_t nb_blocks = text_size >> 6;
- FOR (i, 0, nb_blocks) {
- chacha20_rounds(pool, input);
- if (plain_text != 0) {
- FOR (j, 0, 16) {
- u32 p = pool[j] + input[j];
- store32_le(cipher_text, p ^ load32_le(plain_text));
- cipher_text += 4;
- plain_text += 4;
- }
- } else {
- FOR (j, 0, 16) {
- u32 p = pool[j] + input[j];
- store32_le(cipher_text, p);
- cipher_text += 4;
- }
- }
- input[12]++;
- if (input[12] == 0) {
- input[13]++;
- }
- }
- text_size &= 63;
-
- // Last (incomplete) block
- if (text_size > 0) {
- if (plain_text == 0) {
- plain_text = zero;
- }
- chacha20_rounds(pool, input);
- u8 tmp[64];
- FOR (i, 0, 16) {
- store32_le(tmp + i*4, pool[i] + input[i]);
- }
- FOR (i, 0, text_size) {
- cipher_text[i] = tmp[i] ^ plain_text[i];
- }
- WIPE_BUFFER(tmp);
- }
- ctr = input[12] + ((u64)input[13] << 32) + (text_size > 0);
-
- WIPE_BUFFER(pool);
- WIPE_BUFFER(input);
- return ctr;
-}
-
-u32 crypto_ietf_chacha20_ctr(u8 *cipher_text, const u8 *plain_text,
- size_t text_size,
- const u8 key[32], const u8 nonce[12], u32 ctr)
-{
- u64 big_ctr = ctr + ((u64)load32_le(nonce) << 32);
- return (u32)crypto_chacha20_ctr(cipher_text, plain_text, text_size,
- key, nonce + 4, big_ctr);
-}
-
-u64 crypto_xchacha20_ctr(u8 *cipher_text, const u8 *plain_text,
- size_t text_size,
- const u8 key[32], const u8 nonce[24], u64 ctr)
-{
- u8 sub_key[32];
- crypto_hchacha20(sub_key, key, nonce);
- ctr = crypto_chacha20_ctr(cipher_text, plain_text, text_size,
- sub_key, nonce+16, ctr);
- WIPE_BUFFER(sub_key);
- return ctr;
-}
-
-void crypto_chacha20(u8 *cipher_text, const u8 *plain_text, size_t text_size,
- const u8 key[32], const u8 nonce[8])
-{
- crypto_chacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0);
-
-}
-void crypto_ietf_chacha20(u8 *cipher_text, const u8 *plain_text,
- size_t text_size,
- const u8 key[32], const u8 nonce[12])
-{
- crypto_ietf_chacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0);
-}
-
-void crypto_xchacha20(u8 *cipher_text, const u8 *plain_text, size_t text_size,
- const u8 key[32], const u8 nonce[24])
-{
- crypto_xchacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0);
-}
-
/////////////////
/// Poly 1305 ///
/////////////////
@@ -2821,38 +2671,6 @@ int crypto_curve_to_hidden(u8 hidden[32], const u8 public_key[32], u8 tweak)
return 0;
}
-void crypto_hidden_key_pair(u8 hidden[32], u8 secret_key[32], u8 seed[32])
-{
- u8 pk [32]; // public key
- u8 buf[64]; // seed + representative
- COPY(buf + 32, seed, 32);
- do {
- crypto_chacha20(buf, 0, 64, buf+32, zero);
- crypto_x25519_dirty_fast(pk, buf); // or the "small" version
- } while(crypto_curve_to_hidden(buf+32, pk, buf[32]));
- // Note that the return value of crypto_curve_to_hidden() is
- // independent from its tweak parameter.
- // Therefore, buf[32] is not actually reused. Either we loop one
- // more time and buf[32] is used for the new seed, or we succeeded,
- // and buf[32] becomes the tweak parameter.
-
- crypto_wipe(seed, 32);
- COPY(hidden , buf + 32, 32);
- COPY(secret_key, buf , 32);
- WIPE_BUFFER(buf);
- WIPE_BUFFER(pk);
-}
-
-////////////////////
-/// Key exchange ///
-////////////////////
-void crypto_key_exchange(u8 shared_key[32],
- const u8 your_secret_key [32],
- const u8 their_public_key[32])
-{
- crypto_x25519(shared_key, your_secret_key, their_public_key);
- crypto_hchacha20(shared_key, shared_key, zero);
-}
///////////////////////
/// Scalar division ///
@@ -2990,57 +2808,3 @@ static void lock_auth(u8 mac[16], const u8 auth_key[32],
crypto_poly1305_final (&poly_ctx, mac); // ...here
}
-void crypto_lock_aead(u8 mac[16], u8 *cipher_text,
- const u8 key[32], const u8 nonce[24],
- const u8 *ad , size_t ad_size,
- const u8 *plain_text, size_t text_size)
-{
- u8 sub_key[32];
- u8 auth_key[64]; // "Wasting" the whole Chacha block is faster
- crypto_hchacha20(sub_key, key, nonce);
- crypto_chacha20(auth_key, 0, 64, sub_key, nonce + 16);
- crypto_chacha20_ctr(cipher_text, plain_text, text_size,
- sub_key, nonce + 16, 1);
- lock_auth(mac, auth_key, ad, ad_size, cipher_text, text_size);
- WIPE_BUFFER(sub_key);
- WIPE_BUFFER(auth_key);
-}
-
-int crypto_unlock_aead(u8 *plain_text, const u8 key[32], const u8 nonce[24],
- const u8 mac[16],
- const u8 *ad , size_t ad_size,
- const u8 *cipher_text, size_t text_size)
-{
- u8 sub_key[32];
- u8 auth_key[64]; // "Wasting" the whole Chacha block is faster
- crypto_hchacha20(sub_key, key, nonce);
- crypto_chacha20(auth_key, 0, 64, sub_key, nonce + 16);
- u8 real_mac[16];
- lock_auth(real_mac, auth_key, ad, ad_size, cipher_text, text_size);
- WIPE_BUFFER(auth_key);
- if (crypto_verify16(mac, real_mac)) {
- WIPE_BUFFER(sub_key);
- WIPE_BUFFER(real_mac);
- return -1;
- }
- crypto_chacha20_ctr(plain_text, cipher_text, text_size,
- sub_key, nonce + 16, 1);
- WIPE_BUFFER(sub_key);
- WIPE_BUFFER(real_mac);
- return 0;
-}
-
-void crypto_lock(u8 mac[16], u8 *cipher_text,
- const u8 key[32], const u8 nonce[24],
- const u8 *plain_text, size_t text_size)
-{
- crypto_lock_aead(mac, cipher_text, key, nonce, 0, 0, plain_text, text_size);
-}
-
-int crypto_unlock(u8 *plain_text,
- const u8 key[32], const u8 nonce[24], const u8 mac[16],
- const u8 *cipher_text, size_t text_size)
-{
- return crypto_unlock_aead(plain_text, key, nonce, mac, 0, 0,
- cipher_text, text_size);
-}
diff --git a/monocypher.h b/monocypher.h
index 040ee25..30ac774 100644
--- a/monocypher.h
+++ b/monocypher.h
@@ -130,34 +130,6 @@ int crypto_verify64(const uint8_t a[64], const uint8_t b[64]);
void crypto_wipe(void *secret, size_t size);
-// Authenticated encryption
-// ------------------------
-void crypto_lock(uint8_t mac[16],
- uint8_t *cipher_text,
- const uint8_t key[32],
- const uint8_t nonce[24],
- const uint8_t *plain_text, size_t text_size);
-int crypto_unlock(uint8_t *plain_text,
- const uint8_t key[32],
- const uint8_t nonce[24],
- const uint8_t mac[16],
- const uint8_t *cipher_text, size_t text_size);
-
-// With additional data
-void crypto_lock_aead(uint8_t mac[16],
- uint8_t *cipher_text,
- const uint8_t key[32],
- const uint8_t nonce[24],
- const uint8_t *ad , size_t ad_size,
- const uint8_t *plain_text, size_t text_size);
-int crypto_unlock_aead(uint8_t *plain_text,
- const uint8_t key[32],
- const uint8_t nonce[24],
- const uint8_t mac[16],
- const uint8_t *ad , size_t ad_size,
- const uint8_t *cipher_text, size_t text_size);
-
-
// General purpose hash (Blake2b)
// ------------------------------
@@ -229,51 +201,6 @@ int crypto_check(const uint8_t signature [64],
// For experts only. You have been warned.
-// Chacha20
-// --------
-
-// Specialised hash.
-// Used to hash X25519 shared secrets.
-void crypto_hchacha20(uint8_t out[32],
- const uint8_t key[32],
- const uint8_t in [16]);
-
-// Unauthenticated stream cipher.
-// Don't forget to add authentication.
-void crypto_chacha20(uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size,
- const uint8_t key[32],
- const uint8_t nonce[8]);
-void crypto_xchacha20(uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size,
- const uint8_t key[32],
- const uint8_t nonce[24]);
-void crypto_ietf_chacha20(uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size,
- const uint8_t key[32],
- const uint8_t nonce[12]);
-uint64_t crypto_chacha20_ctr(uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size,
- const uint8_t key[32],
- const uint8_t nonce[8],
- uint64_t ctr);
-uint64_t crypto_xchacha20_ctr(uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size,
- const uint8_t key[32],
- const uint8_t nonce[24],
- uint64_t ctr);
-uint32_t crypto_ietf_chacha20_ctr(uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size,
- const uint8_t key[32],
- const uint8_t nonce[12],
- uint32_t ctr);
-
// Poly 1305
// ---------
--
GitLab