Merge bitcoin/bitcoin#23271: crypto: Fix K1/K2 use in the comments in ChaCha20-Poly1305 AEAD

laanwj · laanwj · commit f41aa81c996f · 2021-10-21T19:30:09.000+02:00
be7f413 Fix K1/K2 use in the comments in ChaCha20-Poly1305 AEAD (=) Pull request description: As per [#22331](bitcoin/bitcoin#22331) and the [Detailed Construction of the ChaCha20Forward4064-Poly1305@Bitcoin cipher suite](https://gist.github.com/jonasschnelli/c530ea8421b8d0e80c51486325587c52#detailed-construction) mentioned in BIP 324, K1 is used for encrypting the associated data(message length) and instantiating the Poly1305 MAC while K2 is used for encrypting the payload. This PR fixes the comments which need to be updated in: 1. The test vector in `src/test/crypto_tests.cpp` 2. In `src/crypto/chacha_poly_aead.h`, `m_chacha_main` is a K2 ChaCha20 cipher instance and should be used for encrypting the payload. Also, `m_chacha_header` is a K1 ChaCha20 cipher instance and is used for encrypting the length and instantiating the Poly1305 MAC. ACKs for top commit: siv2r: ACK be7f413 jonatack: ACK be7f413 Zero-1729: ACK be7f413 shaavan: reACK be7f413 Tree-SHA512: 9d3d0f45cf95d0a87b9f04c26f04b9ea78b2f2fa578d3722146a79dd0d377b9867532fc62e02b8e1487420df7702a1f033d15db562327535940c2049cbde401f
diff --git a/src/crypto/chacha_poly_aead.h b/src/crypto/chacha_poly_aead.h
@@ -117,8 +117,8 @@ static constexpr int AAD_PACKAGES_PER_ROUND = 21;        /* 64 / 3 round down*/
 class ChaCha20Poly1305AEAD
 {
 private:
-    ChaCha20 m_chacha_main;                                      // payload and poly1305 key-derivation cipher instance
-    ChaCha20 m_chacha_header;                                    // AAD cipher instance (encrypted length)
+    ChaCha20 m_chacha_header;                                    // AAD cipher instance (encrypted length) and poly1305 key-derivation cipher instance
+    ChaCha20 m_chacha_main;                                      // payload
     unsigned char m_aad_keystream_buffer[CHACHA20_ROUND_OUTPUT]; // aad keystream cache
     uint64_t m_cached_aad_seqnr;                                 // aad keystream cache hint
 
diff --git a/src/test/crypto_tests.cpp b/src/test/crypto_tests.cpp
@@ -694,8 +694,8 @@ BOOST_AUTO_TEST_CASE(chacha20_poly1305_aead_testvector)
 
     TestChaCha20Poly1305AEAD(true, 0,
         /* m  */ "0000000000000000000000000000000000000000000000000000000000000000",
-        /* k1 (payload) */ "0000000000000000000000000000000000000000000000000000000000000000",
-        /* k2 (AAD) */ "0000000000000000000000000000000000000000000000000000000000000000",
+        /* k1 (AAD) */ "0000000000000000000000000000000000000000000000000000000000000000",
+        /* k2 (payload) */ "0000000000000000000000000000000000000000000000000000000000000000",
         /* AAD keystream */ "76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586",
         /* encrypted message & MAC */ "76b8e09f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32d2fc11829c1b6c1df1f551cd6131ff08",
         /* encrypted message & MAC at sequence 999 */ "b0a03d5bd2855d60699e7d3a3133fa47be740fe4e4c1f967555e2d9271f31c3aaa7aa16ec62c5e24f040c08bb20c3598");
