crypto: Fix K1/K2 use in ChaCha20-Poly1305 AEAD #22331
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BIP324 mentions K1 is used for the associated data and K2 is used for the payload. The code does the opposite. This is not a security problem but will be a problem across implementations based on the HKDF key derivations.
|
Concept ACK |
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
|
Concept ACK |
|
utACK cd37356 |
sidhujag
pushed a commit
to syscoin/syscoin
that referenced
this pull request
Aug 20, 2021
cd37356 [crypto] Fix K1/K2 use in ChaCha20-Poly1305 AEAD (Dhruv Mehta) Pull request description: BIP324 mentions K1 is used for the associated data and K2 is used for the payload. The code does the opposite. This is not a security problem but will be a problem across implementations based on the HKDF key derivations. BIP324 author Jonas Schnelli thinks a [code update will be better](bitcoin#15649 (comment)) than a BIP update. If this PR is merged: - [ ] We need to update the test vector 3 in BIP324 ACKs for top commit: jonasschnelli: utACK cd37356 Tree-SHA512: e2165117bfbf7a031060e7376912f9af1c1bfc57916383799a0fa2c040e2caaab0d6aafc3425c083a233b96c84fafec75c938e00ceb6bd7d52607d58607cb145
laanwj
added a commit
to bitcoin-core/gui
that referenced
this pull request
Oct 21, 2021
… ChaCha20-Poly1305 AEAD be7f413 Fix K1/K2 use in the comments in ChaCha20-Poly1305 AEAD (=) Pull request description: As per [#22331](bitcoin/bitcoin#22331) and the [Detailed Construction of the ChaCha20Forward4064-Poly1305@Bitcoin cipher suite](https://gist.github.com/jonasschnelli/c530ea8421b8d0e80c51486325587c52#detailed-construction) mentioned in BIP 324, K1 is used for encrypting the associated data(message length) and instantiating the Poly1305 MAC while K2 is used for encrypting the payload. This PR fixes the comments which need to be updated in: 1. The test vector in `src/test/crypto_tests.cpp` 2. In `src/crypto/chacha_poly_aead.h`, `m_chacha_main` is a K2 ChaCha20 cipher instance and should be used for encrypting the payload. Also, `m_chacha_header` is a K1 ChaCha20 cipher instance and is used for encrypting the length and instantiating the Poly1305 MAC. ACKs for top commit: siv2r: ACK be7f413 jonatack: ACK be7f413 Zero-1729: ACK be7f413 shaavan: reACK be7f413 Tree-SHA512: 9d3d0f45cf95d0a87b9f04c26f04b9ea78b2f2fa578d3722146a79dd0d377b9867532fc62e02b8e1487420df7702a1f033d15db562327535940c2049cbde401f
sidhujag
pushed a commit
to syscoin/syscoin
that referenced
this pull request
Oct 21, 2021
…0-Poly1305 AEAD be7f413 Fix K1/K2 use in the comments in ChaCha20-Poly1305 AEAD (=) Pull request description: As per [bitcoin#22331](bitcoin#22331) and the [Detailed Construction of the ChaCha20Forward4064-Poly1305@Bitcoin cipher suite](https://gist.github.com/jonasschnelli/c530ea8421b8d0e80c51486325587c52#detailed-construction) mentioned in BIP 324, K1 is used for encrypting the associated data(message length) and instantiating the Poly1305 MAC while K2 is used for encrypting the payload. This PR fixes the comments which need to be updated in: 1. The test vector in `src/test/crypto_tests.cpp` 2. In `src/crypto/chacha_poly_aead.h`, `m_chacha_main` is a K2 ChaCha20 cipher instance and should be used for encrypting the payload. Also, `m_chacha_header` is a K1 ChaCha20 cipher instance and is used for encrypting the length and instantiating the Poly1305 MAC. ACKs for top commit: siv2r: ACK be7f413 jonatack: ACK be7f413 Zero-1729: ACK be7f413 shaavan: reACK be7f413 Tree-SHA512: 9d3d0f45cf95d0a87b9f04c26f04b9ea78b2f2fa578d3722146a79dd0d377b9867532fc62e02b8e1487420df7702a1f033d15db562327535940c2049cbde401f
kwvg
added a commit
to kwvg/dash
that referenced
this pull request
Nov 1, 2021
kwvg
added a commit
to kwvg/dash
that referenced
this pull request
Nov 3, 2021
pravblockc
pushed a commit
to pravblockc/dash
that referenced
this pull request
Nov 18, 2021
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
BIP324 mentions K1 is used for the associated data and K2 is used for the payload. The code does the opposite. This is not a security problem but will be a problem across implementations based on the HKDF key derivations.
BIP324 author Jonas Schnelli thinks a code update will be better than a BIP update.
If this PR is merged: