Version v0.2.101 - Update entropy addition

nostr_chacha20.c

@@ -0,0 +1,163 @@
+/*
+ * nostr_chacha20.c - ChaCha20 stream cipher implementation
+ * 
+ * Implementation based on RFC 8439 "ChaCha20 and Poly1305 for IETF Protocols"
+ * 
+ * This implementation is adapted from the RFC 8439 reference specification.
+ * It prioritizes correctness and clarity over performance optimization.
+ */
+
+#include "nostr_chacha20.h"
+#include <string.h>
+
+/*
+ * ============================================================================
+ * UTILITY MACROS AND FUNCTIONS
+ * ============================================================================
+ */
+
+/* Left rotate a 32-bit value by n bits */
+#define ROTLEFT(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
+
+/* Convert 4 bytes to 32-bit little-endian */
+static uint32_t bytes_to_u32_le(const uint8_t *bytes) {
+    return ((uint32_t)bytes[0]) |
+           ((uint32_t)bytes[1] << 8) |
+           ((uint32_t)bytes[2] << 16) |
+           ((uint32_t)bytes[3] << 24);
+}
+
+/* Convert 32-bit to 4 bytes little-endian */
+static void u32_to_bytes_le(uint32_t val, uint8_t *bytes) {
+    bytes[0] = (uint8_t)(val & 0xff);
+    bytes[1] = (uint8_t)((val >> 8) & 0xff);
+    bytes[2] = (uint8_t)((val >> 16) & 0xff);
+    bytes[3] = (uint8_t)((val >> 24) & 0xff);
+}
+
+/*
+ * ============================================================================
+ * CHACHA20 CORE FUNCTIONS
+ * ============================================================================
+ */
+
+void chacha20_quarter_round(uint32_t state[16], int a, int b, int c, int d) {
+    state[a] += state[b]; 
+    state[d] ^= state[a]; 
+    state[d] = ROTLEFT(state[d], 16);
+    
+    state[c] += state[d]; 
+    state[b] ^= state[c]; 
+    state[b] = ROTLEFT(state[b], 12);
+    
+    state[a] += state[b]; 
+    state[d] ^= state[a]; 
+    state[d] = ROTLEFT(state[d], 8);
+    
+    state[c] += state[d]; 
+    state[b] ^= state[c]; 
+    state[b] = ROTLEFT(state[b], 7);
+}
+
+void chacha20_init_state(uint32_t state[16], const uint8_t key[32], 
+                         uint32_t counter, const uint8_t nonce[12]) {
+    /* ChaCha20 constants "expand 32-byte k" */
+    state[0] = 0x61707865;
+    state[1] = 0x3320646e;
+    state[2] = 0x79622d32;
+    state[3] = 0x6b206574;
+    
+    /* Key (8 words) */
+    state[4]  = bytes_to_u32_le(key + 0);
+    state[5]  = bytes_to_u32_le(key + 4);
+    state[6]  = bytes_to_u32_le(key + 8);
+    state[7]  = bytes_to_u32_le(key + 12);
+    state[8]  = bytes_to_u32_le(key + 16);
+    state[9]  = bytes_to_u32_le(key + 20);
+    state[10] = bytes_to_u32_le(key + 24);
+    state[11] = bytes_to_u32_le(key + 28);
+    
+    /* Counter (1 word) */
+    state[12] = counter;
+    
+    /* Nonce (3 words) */
+    state[13] = bytes_to_u32_le(nonce + 0);
+    state[14] = bytes_to_u32_le(nonce + 4);
+    state[15] = bytes_to_u32_le(nonce + 8);
+}
+
+void chacha20_serialize_state(const uint32_t state[16], uint8_t output[64]) {
+    for (int i = 0; i < 16; i++) {
+        u32_to_bytes_le(state[i], output + (i * 4));
+    }
+}
+
+int chacha20_block(const uint8_t key[32], uint32_t counter, 
+                   const uint8_t nonce[12], uint8_t output[64]) {
+    uint32_t state[16];
+    uint32_t initial_state[16];
+    
+    /* Initialize state */
+    chacha20_init_state(state, key, counter, nonce);
+    
+    /* Save initial state for later addition */
+    memcpy(initial_state, state, sizeof(initial_state));
+    
+    /* Perform 20 rounds (10 iterations of the 8 quarter rounds) */
+    for (int i = 0; i < 10; i++) {
+        /* Column rounds */
+        chacha20_quarter_round(state, 0, 4, 8,  12);
+        chacha20_quarter_round(state, 1, 5, 9,  13);
+        chacha20_quarter_round(state, 2, 6, 10, 14);
+        chacha20_quarter_round(state, 3, 7, 11, 15);
+        
+        /* Diagonal rounds */
+        chacha20_quarter_round(state, 0, 5, 10, 15);
+        chacha20_quarter_round(state, 1, 6, 11, 12);
+        chacha20_quarter_round(state, 2, 7, 8,  13);
+        chacha20_quarter_round(state, 3, 4, 9,  14);
+    }
+    
+    /* Add initial state back (prevents slide attacks) */
+    for (int i = 0; i < 16; i++) {
+        state[i] += initial_state[i];
+    }
+    
+    /* Serialize to output bytes */
+    chacha20_serialize_state(state, output);
+    
+    return 0;
+}
+
+int chacha20_encrypt(const uint8_t key[32], uint32_t counter, 
+                     const uint8_t nonce[12], const uint8_t* input, 
+                     uint8_t* output, size_t length) {
+    uint8_t keystream[CHACHA20_BLOCK_SIZE];
+    size_t offset = 0;
+    
+    while (length > 0) {
+        /* Generate keystream block */
+        int ret = chacha20_block(key, counter, nonce, keystream);
+        if (ret != 0) {
+            return ret;
+        }
+        
+        /* XOR with input to produce output */
+        size_t block_len = (length < CHACHA20_BLOCK_SIZE) ? length : CHACHA20_BLOCK_SIZE;
+        for (size_t i = 0; i < block_len; i++) {
+            output[offset + i] = input[offset + i] ^ keystream[i];
+        }
+        
+        /* Move to next block */
+        offset += block_len;
+        length -= block_len;
+        counter++;
+        
+        /* Check for counter overflow */
+        if (counter == 0) {
+            return -1; /* Counter wrapped around */
+        }
+    }
+    
+    return 0;
+}