Simplify algorithm by no longer generating keystream with custom implementation. Use CTR mode implementation of BouncyCastle instead.

Author: overheadhunter

src/main/java/org/cryptomator/siv/CustomCtrComputer.java

@@ -0,0 +1,36 @@
+package org.cryptomator.siv;
+
+import org.bouncycastle.crypto.BlockCipher;
+import org.bouncycastle.crypto.CipherParameters;
+import org.bouncycastle.crypto.OutputLengthException;
+import org.bouncycastle.crypto.modes.SICBlockCipher;
+import org.bouncycastle.crypto.params.KeyParameter;
+import org.bouncycastle.crypto.params.ParametersWithIV;
+
+import java.util.function.Supplier;
+
+/**
+ * Performs CTR Mode computations facilitating BouncyCastle's {@link SICBlockCipher}.
+ */
+class CustomCtrComputer implements SivMode.CtrComputer {
+
+	private final Supplier<BlockCipher> blockCipherSupplier;
+
+	public CustomCtrComputer(Supplier<BlockCipher> blockCipherSupplier) {
+		this.blockCipherSupplier = blockCipherSupplier;
+	}
+	
+	@Override
+	public byte[] computeCtr(byte[] input, byte[] key, byte[] iv) {
+		SICBlockCipher cipher = new SICBlockCipher(blockCipherSupplier.get());
+		CipherParameters params = new ParametersWithIV(new KeyParameter(key), iv);
+		cipher.init(true, params);
+		try {
+			byte[] output = new byte[input.length];
+			cipher.processBytes(input, 0, input.length, output, 0);
+			return output;
+		} catch (OutputLengthException e) {
+			throw new IllegalStateException("In CTR mode output length must be equal to input length", e);
+		}
+	}
+}

src/main/java/org/cryptomator/siv/SivMode.java

@@ -30,6 +30,7 @@ public final class SivMode {
 	private static final byte DOUBLING_CONST = (byte) 0x87;
 
 	private final ThreadLocal<BlockCipher> threadLocalCipher;
+	private final CtrComputer ctrComputer;
 
 	/**
 	 * Creates an AES-SIV instance using JCE's cipher implementation, which should normally be the best choice.<br>
@@ -67,29 +68,40 @@ public BlockCipher create() {
 	 * @param cipherFactory A factory method creating a Blockcipher.get(). Must use a block size of 128 bits (16 bytes).
 	 */
 	public SivMode(final BlockCipherFactory cipherFactory) {
+		this(ThreadLocal.withInitial(() -> cipherFactory.create()));
+	}
+
+	private SivMode(final ThreadLocal<BlockCipher> threadLocalCipher) {
+		this(threadLocalCipher, new CustomCtrComputer(threadLocalCipher::get));
+	}
+	
+	private SivMode(final ThreadLocal<BlockCipher> threadLocalCipher, final CtrComputer ctrComputer) {
 		// Try using cipherFactory to check that the block size is valid.
 		// We assume here that the block size will not vary across calls to .create().
-		if (cipherFactory.create().getBlockSize() != 16) {
+		if (threadLocalCipher.get().getBlockSize() != 16) {
 			throw new IllegalArgumentException("cipherFactory must create BlockCipher objects with a 16-byte block size");
 		}
 
-		this.threadLocalCipher = new ThreadLocal<BlockCipher>() {
-
-			@Override
-			protected BlockCipher initialValue() {
-				return cipherFactory.create();
-			}
-
-		};
+		this.threadLocalCipher = threadLocalCipher;
+		this.ctrComputer = ctrComputer;
 	}
 
 	/**
 	 * Creates {@link BlockCipher}s.
 	 */
+	@FunctionalInterface
 	public interface BlockCipherFactory {
 		BlockCipher create();
 	}
 
+	/**
+	 * Performs CTR computations. 
+	 */
+	@FunctionalInterface
+	interface CtrComputer {
+		byte[] computeCtr(byte[] input, byte[] key, final byte[] iv);
+	}
+
 	/**
 	 * Convenience method, if you are using the javax.crypto API. This is just a wrapper for {@link #encrypt(byte[], byte[], byte[], byte[]...)}.
 	 *
@@ -131,10 +143,8 @@ public byte[] encrypt(byte[] ctrKey, byte[] macKey, byte[] plaintext, byte[]...
 		}
 
 		assert plaintext.length + 15 < Integer.MAX_VALUE;
-		final int numBlocks = (plaintext.length + 15) / 16;
 		final byte[] iv = s2v(macKey, plaintext, associatedData);
-		final byte[] keystream = generateKeyStream(ctrKey, iv, numBlocks);
-		final byte[] ciphertext = xor(plaintext, keystream);
+		final byte[] ciphertext = computeCtr(plaintext, ctrKey, iv);
 
 		// concat IV + ciphertext:
 		final byte[] result = new byte[iv.length + ciphertext.length];
@@ -191,9 +201,7 @@ public byte[] decrypt(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]...
 
 		assert actualCiphertext.length == ciphertext.length - 16;
 		assert actualCiphertext.length + 15 < Integer.MAX_VALUE;
-		final int numBlocks = (actualCiphertext.length + 15) / 16;
-		final byte[] keystream = generateKeyStream(ctrKey, iv, numBlocks);
-		final byte[] plaintext = xor(actualCiphertext, keystream);
+		final byte[] plaintext = computeCtr(actualCiphertext, ctrKey, iv);
 		final byte[] control = s2v(macKey, plaintext, associatedData);
 
 		// time-constant comparison (taken from MessageDigest.isEqual in JDK8)
@@ -209,26 +217,14 @@ public byte[] decrypt(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]...
 			throw new UnauthenticCiphertextException("authentication in SIV decryption failed");
 		}
 	}
-
-	byte[] generateKeyStream(byte[] ctrKey, byte[] iv, int numBlocks) {
-		final byte[] keystream = new byte[numBlocks * 16];
-
+	
+	byte[] computeCtr(byte[] input, byte[] key, final byte[] iv) {
 		// clear out the 31st and 63rd (rightmost) bit:
-		final byte[] ctr = Arrays.copyOf(iv, 16);
-		ctr[8] = (byte) (ctr[8] & 0x7F);
-		ctr[12] = (byte) (ctr[12] & 0x7F);
-		final ByteBuffer ctrBuf = ByteBuffer.wrap(ctr);
-		final long initialCtrVal = ctrBuf.getLong(8);
-
-		final BlockCipher cipher = threadLocalCipher.get();
-		cipher.init(true, new KeyParameter(ctrKey));
-		for (int i = 0; i < numBlocks; i++) {
-			ctrBuf.putLong(8, initialCtrVal + i);
-			cipher.processBlock(ctr, 0, keystream, i * 16);
-			cipher.reset();
-		}
-
-		return keystream;
+		final byte[] adjustedIv = Arrays.copyOf(iv, 16);
+		adjustedIv[8] = (byte) (adjustedIv[8] & 0x7F);
+		adjustedIv[12] = (byte) (adjustedIv[12] & 0x7F);
+		
+		return ctrComputer.computeCtr(input, key, adjustedIv);
 	}
 
 	// Visible for testing, throws IllegalArgumentException if key is not accepted by CMac#init(CipherParameters)

src/test/java/org/cryptomator/siv/CustomCtrComputerTest.java

@@ -0,0 +1,66 @@
+package org.cryptomator.siv;
+
+import org.bouncycastle.crypto.BlockCipher;
+import org.bouncycastle.crypto.engines.AESLightEngine;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+public class CustomCtrComputerTest {
+	
+	private BlockCipher supplyBlockCipher() {
+		return new AESLightEngine();
+	}
+
+	// CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.1
+	@Test
+	public void testComputeCtr1() {
+		byte[] ctrKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, //
+				(byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, //
+				(byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, //
+				(byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0xff};
+
+		byte[] ctr = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, //
+				(byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, //
+				(byte) 0x15, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, //
+				(byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93};
+
+		byte[] expected = {(byte) 0x51, (byte) 0xe2, (byte) 0x18, (byte) 0xd2, //
+				(byte) 0xc5, (byte) 0xa2, (byte) 0xab, (byte) 0x8c, //
+				(byte) 0x43, (byte) 0x45, (byte) 0xc4, (byte) 0xa6, //
+				(byte) 0x23, (byte) 0xb2, (byte) 0xf0, (byte) 0x8f};
+
+		byte[] result = new CustomCtrComputer(this::supplyBlockCipher).computeCtr(new byte[16], ctrKey, ctr);
+		Assertions.assertArrayEquals(expected, result);
+	}
+
+	// CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.2
+	@Test
+	public void testComputeCtr2() {
+		final byte[] ctrKey = {(byte) 0x40, (byte) 0x41, (byte) 0x42, (byte) 0x43, //
+				(byte) 0x44, (byte) 0x45, (byte) 0x46, (byte) 0x47, //
+				(byte) 0x48, (byte) 0x49, (byte) 0x4a, (byte) 0x4b, //
+				(byte) 0x4c, (byte) 0x4d, (byte) 0x4e, (byte) 0x4f};
+
+		final byte[] ctr = {(byte) 0x7b, (byte) 0xdb, (byte) 0x6e, (byte) 0x3b, //
+				(byte) 0x43, (byte) 0x26, (byte) 0x67, (byte) 0xeb, //
+				(byte) 0x06, (byte) 0xf4, (byte) 0xd1, (byte) 0x4b, //
+				(byte) 0x7f, (byte) 0x2f, (byte) 0xbd, (byte) 0x0f};
+
+		final byte[] expected = {(byte) 0xbf, (byte) 0xf8, (byte) 0x66, (byte) 0x5c, //
+				(byte) 0xfd, (byte) 0xd7, (byte) 0x33, (byte) 0x63, //
+				(byte) 0x55, (byte) 0x0f, (byte) 0x74, (byte) 0x00, //
+				(byte) 0xe8, (byte) 0xf9, (byte) 0xd3, (byte) 0x76, //
+				(byte) 0xb2, (byte) 0xc9, (byte) 0x08, (byte) 0x8e, //
+				(byte) 0x71, (byte) 0x3b, (byte) 0x86, (byte) 0x17, //
+				(byte) 0xd8, (byte) 0x83, (byte) 0x92, (byte) 0x26, //
+				(byte) 0xd9, (byte) 0xf8, (byte) 0x81, (byte) 0x59, //
+				(byte) 0x9e, (byte) 0x44, (byte) 0xd8, (byte) 0x27, //
+				(byte) 0x23, (byte) 0x49, (byte) 0x49, (byte) 0xbc, //
+				(byte) 0x1b, (byte) 0x12, (byte) 0x34, (byte) 0x8e, //
+				(byte) 0xbc, (byte) 0x19, (byte) 0x5e, (byte) 0xc7};
+
+		byte[] result = new CustomCtrComputer(this::supplyBlockCipher).computeCtr(new byte[48], ctrKey, ctr);
+		Assertions.assertArrayEquals(expected, result);
+	}
+	
+}

src/test/java/org/cryptomator/siv/JceAesCtrComputerTest.java

@@ -0,0 +1,60 @@
+package org.cryptomator.siv;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+public class JceAesCtrComputerTest {
+
+	// CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.1
+	@Test
+	public void testComputeCtr1() {
+		byte[] ctrKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, //
+				(byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, //
+				(byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, //
+				(byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0xff};
+
+		byte[] ctr = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, //
+				(byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, //
+				(byte) 0x15, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, //
+				(byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93};
+
+		byte[] expected = {(byte) 0x51, (byte) 0xe2, (byte) 0x18, (byte) 0xd2, //
+				(byte) 0xc5, (byte) 0xa2, (byte) 0xab, (byte) 0x8c, //
+				(byte) 0x43, (byte) 0x45, (byte) 0xc4, (byte) 0xa6, //
+				(byte) 0x23, (byte) 0xb2, (byte) 0xf0, (byte) 0x8f};
+
+		byte[] result = new JceAesCtrComputer(null).computeCtr(new byte[16], ctrKey, ctr);
+		Assertions.assertArrayEquals(expected, result);
+	}
+
+	// CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.2
+	@Test
+	public void testComputeCtr2() {
+		final byte[] ctrKey = {(byte) 0x40, (byte) 0x41, (byte) 0x42, (byte) 0x43, //
+				(byte) 0x44, (byte) 0x45, (byte) 0x46, (byte) 0x47, //
+				(byte) 0x48, (byte) 0x49, (byte) 0x4a, (byte) 0x4b, //
+				(byte) 0x4c, (byte) 0x4d, (byte) 0x4e, (byte) 0x4f};
+
+		final byte[] ctr = {(byte) 0x7b, (byte) 0xdb, (byte) 0x6e, (byte) 0x3b, //
+				(byte) 0x43, (byte) 0x26, (byte) 0x67, (byte) 0xeb, //
+				(byte) 0x06, (byte) 0xf4, (byte) 0xd1, (byte) 0x4b, //
+				(byte) 0x7f, (byte) 0x2f, (byte) 0xbd, (byte) 0x0f};
+
+		final byte[] expected = {(byte) 0xbf, (byte) 0xf8, (byte) 0x66, (byte) 0x5c, //
+				(byte) 0xfd, (byte) 0xd7, (byte) 0x33, (byte) 0x63, //
+				(byte) 0x55, (byte) 0x0f, (byte) 0x74, (byte) 0x00, //
+				(byte) 0xe8, (byte) 0xf9, (byte) 0xd3, (byte) 0x76, //
+				(byte) 0xb2, (byte) 0xc9, (byte) 0x08, (byte) 0x8e, //
+				(byte) 0x71, (byte) 0x3b, (byte) 0x86, (byte) 0x17, //
+				(byte) 0xd8, (byte) 0x83, (byte) 0x92, (byte) 0x26, //
+				(byte) 0xd9, (byte) 0xf8, (byte) 0x81, (byte) 0x59, //
+				(byte) 0x9e, (byte) 0x44, (byte) 0xd8, (byte) 0x27, //
+				(byte) 0x23, (byte) 0x49, (byte) 0x49, (byte) 0xbc, //
+				(byte) 0x1b, (byte) 0x12, (byte) 0x34, (byte) 0x8e, //
+				(byte) 0xbc, (byte) 0x19, (byte) 0x5e, (byte) 0xc7};
+
+		byte[] result = new JceAesCtrComputer(null).computeCtr(new byte[48], ctrKey, ctr);
+		Assertions.assertArrayEquals(expected, result);
+	}
+	
+}

src/test/java/org/cryptomator/siv/SivModeTest.java

@@ -8,6 +8,7 @@
  *     Sebastian Stenzel - initial API and implementation
  ******************************************************************************/
 
+import org.bouncycastle.crypto.engines.AESLightEngine;
 import org.bouncycastle.crypto.engines.DESEngine;
 import org.cryptomator.siv.SivMode.BlockCipherFactory;
 import org.hamcrest.CoreMatchers;
@@ -148,7 +149,7 @@ public void testDecryptAssociatedDataLimit() {
 
 	// CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.1
 	@Test
-	public void testGenerateKeyStream1() {
+	public void testComputeCtr1() {
 		final byte[] ctrKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, //
 				(byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, //
 				(byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, //
@@ -164,16 +165,19 @@ public void testGenerateKeyStream1() {
 				(byte) 0x43, (byte) 0x45, (byte) 0xc4, (byte) 0xa6, //
 				(byte) 0x23, (byte) 0xb2, (byte) 0xf0, (byte) 0x8f};
 
-		final byte[] result = new SivMode().generateKeyStream(ctrKey, ctr, 1);
+		final byte[] result = new SivMode().computeCtr(new byte[16], ctrKey, ctr);
 		Assertions.assertArrayEquals(expected, result);
 
-		final byte[] resultProvider = new SivMode(getSunJceProvider()).generateKeyStream(ctrKey, ctr, 1);
-		Assertions.assertArrayEquals(expected, resultProvider);
+		final byte[] sunJceResult = new SivMode(getSunJceProvider()).computeCtr(new byte[16], ctrKey, ctr);
+		Assertions.assertArrayEquals(expected, sunJceResult);
+
+		final byte[] bcResult = new SivMode(AESLightEngine::new).computeCtr(new byte[16], ctrKey, ctr);
+		Assertions.assertArrayEquals(expected, bcResult);
 	}
 
 	// CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.2
 	@Test
-	public void testGenerateKeyStream2() {
+	public void testComputeCtr2() {
 		final byte[] ctrKey = {(byte) 0x40, (byte) 0x41, (byte) 0x42, (byte) 0x43, //
 				(byte) 0x44, (byte) 0x45, (byte) 0x46, (byte) 0x47, //
 				(byte) 0x48, (byte) 0x49, (byte) 0x4a, (byte) 0x4b, //
@@ -197,7 +201,7 @@ public void testGenerateKeyStream2() {
 				(byte) 0x1b, (byte) 0x12, (byte) 0x34, (byte) 0x8e, //
 				(byte) 0xbc, (byte) 0x19, (byte) 0x5e, (byte) 0xc7};
 
-		final byte[] result = new SivMode().generateKeyStream(ctrKey, ctr, 3);
+		final byte[] result = new SivMode().computeCtr(new byte[48], ctrKey, ctr);
 		Assertions.assertArrayEquals(expected, result);
 	}