Crypto++  7.0
Free C++ class library of cryptographic schemes
chacha.cpp
1 // chacha.cpp - written and placed in the public domain by Jeffrey Walton.
2 // Based on Wei Dai's Salsa20 and Bernstein's reference ChaCha
3 // family implementation at http://cr.yp.to/chacha.html.
4 
5 #include "pch.h"
6 #include "config.h"
7 #include "chacha.h"
8 #include "argnames.h"
9 #include "misc.h"
10 #include "cpu.h"
11 
12 NAMESPACE_BEGIN(CryptoPP)
13 
14 #define CHACHA_QUARTER_ROUND(a,b,c,d) \
15  a += b; d ^= a; d = rotlConstant<16,word32>(d); \
16  c += d; b ^= c; b = rotlConstant<12,word32>(b); \
17  a += b; d ^= a; d = rotlConstant<8,word32>(d); \
18  c += d; b ^= c; b = rotlConstant<7,word32>(b);
19 
20 #if defined(CRYPTOPP_DEBUG) && !defined(CRYPTOPP_DOXYGEN_PROCESSING)
21 void ChaCha_TestInstantiations()
22 {
26 }
27 #endif
28 
29 template <unsigned int R>
30 void ChaCha_Policy<R>::CipherSetKey(const NameValuePairs &params, const byte *key, size_t length)
31 {
32  CRYPTOPP_UNUSED(params);
33  CRYPTOPP_ASSERT(length == 16 || length == 32);
34 
35  // "expand 16-byte k" or "expand 32-byte k"
36  m_state[0] = 0x61707865;
37  m_state[1] = (length == 16) ? 0x3120646e : 0x3320646e;
38  m_state[2] = (length == 16) ? 0x79622d36 : 0x79622d32;
39  m_state[3] = 0x6b206574;
40 
42  get1(m_state[4])(m_state[5])(m_state[6])(m_state[7]);
43 
44  GetBlock<word32, LittleEndian> get2(key + ((length == 32) ? 16 : 0));
45  get2(m_state[8])(m_state[9])(m_state[10])(m_state[11]);
46 }
47 
48 template <unsigned int R>
49 void ChaCha_Policy<R>::CipherResynchronize(byte *keystreamBuffer, const byte *IV, size_t length)
50 {
51  CRYPTOPP_UNUSED(keystreamBuffer), CRYPTOPP_UNUSED(length);
52  CRYPTOPP_ASSERT(length==8);
53 
55  m_state[12] = m_state[13] = 0;
56  get(m_state[14])(m_state[15]);
57 }
58 
59 template<unsigned int R>
60 void ChaCha_Policy<R>::SeekToIteration(lword iterationCount)
61 {
62  CRYPTOPP_UNUSED(iterationCount);
63  throw NotImplemented(std::string(ChaCha_Info<R>::StaticAlgorithmName()) + ": SeekToIteration is not yet implemented");
64 
65  // TODO: these were Salsa20, and Wei re-arranged the state array for SSE2 operations.
66  // If we can generate some out-of-band test vectors, then test and implement. Also
67  // see the test vectors in salsa.txt and the use of Seek test argument.
68  // m_state[8] = (word32)iterationCount;
69  // m_state[5] = (word32)SafeRightShift<32>(iterationCount);
70 }
71 
72 template<unsigned int R>
73 unsigned int ChaCha_Policy<R>::GetAlignment() const
74 {
75 #if CRYPTOPP_SSE2_ASM_AVAILABLE && 0
76  if (HasSSE2())
77  return 16;
78  else
79 #endif
80  return GetAlignmentOf<word32>();
81 }
82 
83 template<unsigned int R>
84 unsigned int ChaCha_Policy<R>::GetOptimalBlockSize() const
85 {
86 #if CRYPTOPP_SSE2_ASM_AVAILABLE && 0
87  if (HasSSE2())
88  return 4*BYTES_PER_ITERATION;
89  else
90 #endif
91  return BYTES_PER_ITERATION;
92 }
93 
94 template<unsigned int R>
95 void ChaCha_Policy<R>::OperateKeystream(KeystreamOperation operation, byte *output, const byte *input, size_t iterationCount)
96 {
97  word32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
98 
99  while (iterationCount--)
100  {
101  x0 = m_state[0]; x1 = m_state[1]; x2 = m_state[2]; x3 = m_state[3];
102  x4 = m_state[4]; x5 = m_state[5]; x6 = m_state[6]; x7 = m_state[7];
103  x8 = m_state[8]; x9 = m_state[9]; x10 = m_state[10]; x11 = m_state[11];
104  x12 = m_state[12]; x13 = m_state[13]; x14 = m_state[14]; x15 = m_state[15];
105 
106  for (int i = static_cast<int>(ROUNDS); i > 0; i -= 2)
107  {
108  CHACHA_QUARTER_ROUND(x0, x4, x8, x12);
109  CHACHA_QUARTER_ROUND(x1, x5, x9, x13);
110  CHACHA_QUARTER_ROUND(x2, x6, x10, x14);
111  CHACHA_QUARTER_ROUND(x3, x7, x11, x15);
112 
113  CHACHA_QUARTER_ROUND(x0, x5, x10, x15);
114  CHACHA_QUARTER_ROUND(x1, x6, x11, x12);
115  CHACHA_QUARTER_ROUND(x2, x7, x8, x13);
116  CHACHA_QUARTER_ROUND(x3, x4, x9, x14);
117  }
118 
119  #undef CHACHA_OUTPUT
120  #define CHACHA_OUTPUT(x){\
121  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 0, x0 + m_state[0]);\
122  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 1, x1 + m_state[1]);\
123  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 2, x2 + m_state[2]);\
124  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 3, x3 + m_state[3]);\
125  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 4, x4 + m_state[4]);\
126  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 5, x5 + m_state[5]);\
127  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 6, x6 + m_state[6]);\
128  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 7, x7 + m_state[7]);\
129  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 8, x8 + m_state[8]);\
130  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 9, x9 + m_state[9]);\
131  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 10, x10 + m_state[10]);\
132  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 11, x11 + m_state[11]);\
133  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 12, x12 + m_state[12]);\
134  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 13, x13 + m_state[13]);\
135  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 14, x14 + m_state[14]);\
136  CRYPTOPP_KEYSTREAM_OUTPUT_WORD(x, LITTLE_ENDIAN_ORDER, 15, x15 + m_state[15]);}
137 
138 #ifndef CRYPTOPP_DOXYGEN_PROCESSING
139  CRYPTOPP_KEYSTREAM_OUTPUT_SWITCH(CHACHA_OUTPUT, BYTES_PER_ITERATION);
140 #endif
141 
142  ++m_state[12];
143  m_state[13] += static_cast<word32>(m_state[12] == 0);
144  }
145 }
146 
147 template class ChaCha_Policy<8>;
148 template class ChaCha_Policy<12>;
149 template class ChaCha_Policy<20>;
150 
151 NAMESPACE_END
152 
Standard names for retrieving values by name when working with NameValuePairs.
ChaCha stream cipher information.
Definition: chacha.h:24
Utility functions for the Crypto++ library.
Library configuration file.
#define CRYPTOPP_KEYSTREAM_OUTPUT_SWITCH(x, y)
Helper macro to implement OperateKeystream.
Definition: strciphr.h:230
A method was called which was not implemented.
Definition: cryptlib.h:220
ChaCha stream cipher implementation.
Definition: chacha.h:34
Precompiled header file.
#define CRYPTOPP_ASSERT(exp)
Debugging and diagnostic assertion.
Definition: trap.h:60
Functions for CPU features and intrinsics.
const char * IV()
ConstByteArrayParameter, also accepts const byte * for backwards compatibility.
Definition: argnames.h:21
bool HasSSE2()
Determines SSE2 availability.
Definition: cpu.h:114
Access a block of memory.
Definition: misc.h:2324
KeystreamOperation
Keystream operation flags.
Definition: strciphr.h:88
Crypto++ library namespace.
SymmetricCipher implementation.
Definition: strciphr.h:571
Classes for ChaCha8, ChaCha12 and ChaCha20 stream ciphers.
Interface for retrieving values given their names.
Definition: cryptlib.h:290