Wikipedia: https://en.wikipedia.org/wiki/ChaCha20 + *
RFC 8439: https://tools.ietf.org/html/rfc8439 + * + * @author Mitrajit Ghorui(KeyKyrios) + */ +public final class ChaCha20 { + + private ChaCha20() { + } // Static class + + private static final int KEY_SIZE_BYTES = 32; // 256 bits + private static final int NONCE_SIZE_BYTES = 12; // 96 bits + private static final int BLOCK_SIZE_BYTES = 64; // 512 bits + + // ChaCha20 constants "expand 32-byte k" + private static final int[] CONSTANTS = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}; + + /** + * Encrypts the given plaintext using ChaCha20. + * Since ChaCha20 is a stream cipher, encryption and decryption are the same + * operation (XOR with keystream). + * + * @param key The 256-bit (32-byte) secret key. + * @param nonce The 96-bit (12-byte) nonce. Must be unique for each + * encryption with the same key. + * @param plaintext The data to encrypt. + * @return The resulting ciphertext. + * @throws IllegalArgumentException if the key or nonce has an invalid length, + * or if any input is null. + */ + public static byte[] encrypt(final byte[] key, final byte[] nonce, final byte[] plaintext) { + validateInputs(key, nonce, plaintext); + return process(key, nonce, plaintext, 1); // Start with block counter 1 as per RFC 8439 + } + + /** + * Decrypts the given ciphertext using ChaCha20. + * Since ChaCha20 is a stream cipher, encryption and decryption are the same + * operation (XOR with keystream). + * + * @param key The 256-bit (32-byte) secret key. + * @param nonce The 96-bit (12-byte) nonce used during encryption. + * @param ciphertext The data to decrypt. + * @return The resulting plaintext. + * @throws IllegalArgumentException if the key or nonce has an invalid length, + * or if any input is null. + */ + public static byte[] decrypt(final byte[] key, final byte[] nonce, final byte[] ciphertext) { + validateInputs(key, nonce, ciphertext); + return process(key, nonce, ciphertext, 1); // Start with block counter 1 + } + + /** + * Performs the core ChaCha20 processing (XOR with keystream). + * + * @param key The 32-byte key. + * @param nonce The 12-byte nonce. + * @param data Plaintext or Ciphertext. + * @param counter The initial block counter. + * @return The result of XORing data with the generated keystream. + */ + private static byte[] process(final byte[] key, final byte[] nonce, final byte[] data, final int counter) { + byte[] output = new byte[data.length]; + ByteBuffer keyStreamBlock = ByteBuffer.allocate(BLOCK_SIZE_BYTES).order(ByteOrder.LITTLE_ENDIAN); + int offset = 0; + int blockCounter = counter; + + while (offset < data.length) { + keyStreamBlock.clear(); + generateChaCha20Block(key, nonce, blockCounter++, keyStreamBlock.array()); + + int length = Math.min(BLOCK_SIZE_BYTES, data.length - offset); + for (int i = 0; i < length; i++) { + output[offset + i] = (byte) (data[offset + i] ^ keyStreamBlock.get(i)); + } + offset += length; + } + return output; + } + + /** + * Generates a 64-byte ChaCha20 keystream block. + * + * @param key The 32-byte key. + * @param nonce The 12-byte nonce. + * @param counter The block counter. + * @param output The 64-byte array to store the generated block. + */ + private static void generateChaCha20Block(final byte[] key, final byte[] nonce, final int counter, final byte[] output) { + int[] state = initializeState(key, nonce, counter); + int[] workingState = Arrays.copyOf(state, state.length); + + // 20 rounds (10 double rounds) + for (int i = 0; i < 10; i++) { + // Column rounds + quarterRound(workingState, 0, 4, 8, 12); + quarterRound(workingState, 1, 5, 9, 13); + quarterRound(workingState, 2, 6, 10, 14); + quarterRound(workingState, 3, 7, 11, 15); + // Diagonal rounds + quarterRound(workingState, 0, 5, 10, 15); + quarterRound(workingState, 1, 6, 11, 12); + quarterRound(workingState, 2, 7, 8, 13); + quarterRound(workingState, 3, 4, 9, 14); + } + + // Add initial state to the final state + for (int i = 0; i < state.length; i++) { + workingState[i] += state[i]; + } + + // Serialize state to output bytes (Little Endian) + ByteBuffer buffer = ByteBuffer.wrap(output).order(ByteOrder.LITTLE_ENDIAN); + for (int val : workingState) { + buffer.putInt(val); + } + } + + /** + * Initializes the 16-word (512-bit) ChaCha20 state. + */ + private static int[] initializeState(final byte[] key, final byte[] nonce, final int counter) { + int[] state = new int[16]; + ByteBuffer keyBuffer = ByteBuffer.wrap(key).order(ByteOrder.LITTLE_ENDIAN); + ByteBuffer nonceBuffer = ByteBuffer.wrap(nonce).order(ByteOrder.LITTLE_ENDIAN); + + // Constants + state[0] = CONSTANTS[0]; + state[1] = CONSTANTS[1]; + state[2] = CONSTANTS[2]; + state[3] = CONSTANTS[3]; + + // Key (8 words) + for (int i = 0; i < 8; i++) { + state[4 + i] = keyBuffer.getInt(i * 4); + } + + // Counter (1 word) + state[12] = counter; + + // Nonce (3 words) + for (int i = 0; i < 3; i++) { + state[13 + i] = nonceBuffer.getInt(i * 4); + } + + return state; + } + + /** + * The ChaCha20 quarter round function. Modifies the state array in place. + */ + private static void quarterRound(final int[] state, final int a, final int b, final int c, final int d) { + state[a] += state[b]; + state[d] = rotl(state[d] ^ state[a], 16); + state[c] += state[d]; + state[b] = rotl(state[b] ^ state[c], 12); + state[a] += state[b]; + state[d] = rotl(state[d] ^ state[a], 8); + state[c] += state[d]; + state[b] = rotl(state[b] ^ state[c], 7); + } + + /** + * Rotates the bits of an integer to the left. + */ + private static int rotl(final int value, final int shift) { + return (value << shift) | (value >>> (32 - shift)); + } + + /** + * Validates key, nonce, and data inputs. + */ + private static void validateInputs(final byte[] key, final byte[] nonce, final byte[] data) { + if (key == null) { + throw new IllegalArgumentException("Key cannot be null."); + } + if (key.length != KEY_SIZE_BYTES) { + throw new IllegalArgumentException("Invalid key size. Key must be " + KEY_SIZE_BYTES + " bytes (256 bits)."); + } + if (nonce == null) { + throw new IllegalArgumentException("Nonce cannot be null."); + } + if (nonce.length != NONCE_SIZE_BYTES) { + throw new IllegalArgumentException("Invalid nonce size. Nonce must be " + NONCE_SIZE_BYTES + " bytes (96 bits)."); + } + if (data == null) { + throw new IllegalArgumentException("Plaintext/Ciphertext cannot be null."); + } + } +} diff --git a/src/test/java/com/thealgorithms/ciphers/ChaCha20Test.java b/src/test/java/com/thealgorithms/ciphers/ChaCha20Test.java new file mode 100644 index 000000000000..f6845d3d23c8 --- /dev/null +++ b/src/test/java/com/thealgorithms/ciphers/ChaCha20Test.java @@ -0,0 +1,132 @@ +package com.thealgorithms.ciphers; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; + +import org.junit.jupiter.api.Test; + +public class ChaCha20Test { + + // Test vector from RFC 8439, Section 2.4.2. + private static final byte[] RFC8439_KEY = hexStringToByteArray("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"); + private static final byte[] RFC8439_NONCE = hexStringToByteArray("000000000000004a00000000"); // Counter = 1, Nonce = 00000000 0000004a 00000000 + private static final byte[] RFC8439_PLAINTEXT_64 = hexStringToByteArray( + "4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e" + ); + private static final byte[] RFC8439_CIPHERTEXT_64 = hexStringToByteArray( + "6e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0bf91b65c5524733ab8f58375fcd4af034bd16adec164f7a2bda3dc0343a99a46c8b4172421b505877c570b1351d530635359a37e5f1797b596a78c149d5d9963e696f8c792374c4314c67d163f97205463f668f438a0c20a3a7187" + ); + + // Test vector from RFC 8439, Section 2.4.2 for 114 bytes + private static final byte[] RFC8439_PLAINTEXT_114 = Arrays.copyOf(RFC8439_PLAINTEXT_64, 114); + private static final byte[] RFC8439_CIPHERTEXT_114 = Arrays.copyOf(RFC8439_CIPHERTEXT_64, 114); + + @Test + public void testEncryptRFC8439Vector64Bytes() { + byte[] ciphertext = ChaCha20.encrypt(RFC8439_KEY, RFC8439_NONCE, RFC8439_PLAINTEXT_64); + assertArrayEquals(RFC8439_CIPHERTEXT_64, ciphertext); + } + + @Test + public void testDecryptRFC8439Vector64Bytes() { + byte[] plaintext = ChaCha20.decrypt(RFC8439_KEY, RFC8439_NONCE, RFC8439_CIPHERTEXT_64); + assertArrayEquals(RFC8439_PLAINTEXT_64, plaintext); + } + + @Test + public void testEncryptRFC8439Vector114Bytes() { + // Test encryption with plaintext length not a multiple of 64 + byte[] ciphertext = ChaCha20.encrypt(RFC8439_KEY, RFC8439_NONCE, RFC8439_PLAINTEXT_114); + assertArrayEquals(RFC8439_CIPHERTEXT_114, ciphertext); + } + + @Test + public void testDecryptRFC8439Vector114Bytes() { + // Test decryption with ciphertext length not a multiple of 64 + byte[] plaintext = ChaCha20.decrypt(RFC8439_KEY, RFC8439_NONCE, RFC8439_CIPHERTEXT_114); + assertArrayEquals(RFC8439_PLAINTEXT_114, plaintext); + } + + @Test + public void testEncryptDecryptSymmetry() { + byte[] key = new byte[32]; + for (int i = 0; i < 32; i++) { + key[i] = (byte) i; + } + byte[] nonce = new byte[12]; + for (int i = 0; i < 12; i++) { + nonce[i] = (byte) (i + 100); + } + String originalText = "This is a test message to verify encrypt/decrypt symmetry."; + byte[] plaintext = originalText.getBytes(); + + byte[] ciphertext = ChaCha20.encrypt(key, nonce, plaintext); + byte[] decryptedText = ChaCha20.decrypt(key, nonce, ciphertext); + + assertArrayEquals(plaintext, decryptedText); + assertEquals(originalText, new String(decryptedText)); + } + + @Test + public void testEmptyPlaintext() { + byte[] empty = new byte[0]; + byte[] ciphertext = ChaCha20.encrypt(RFC8439_KEY, RFC8439_NONCE, empty); + assertArrayEquals(empty, ciphertext); + byte[] plaintext = ChaCha20.decrypt(RFC8439_KEY, RFC8439_NONCE, empty); + assertArrayEquals(empty, plaintext); + } + + @Test + public void testInvalidKeySize() { + byte[] shortKey = new byte[31]; + byte[] longKey = new byte[33]; + byte[] nonce = new byte[12]; + byte[] data = {1, 2, 3}; + + assertThrows(IllegalArgumentException.class, () -> ChaCha20.encrypt(shortKey, nonce, data)); + assertThrows(IllegalArgumentException.class, () -> ChaCha20.encrypt(longKey, nonce, data)); + assertThrows(IllegalArgumentException.class, () -> ChaCha20.decrypt(shortKey, nonce, data)); + assertThrows(IllegalArgumentException.class, () -> ChaCha20.decrypt(longKey, nonce, data)); + } + + @Test + public void testInvalidNonceSize() { + byte[] key = new byte[32]; + byte[] shortNonce = new byte[11]; + byte[] longNonce = new byte[13]; + byte[] data = {1, 2, 3}; + + assertThrows(IllegalArgumentException.class, () -> ChaCha20.encrypt(key, shortNonce, data)); + assertThrows(IllegalArgumentException.class, () -> ChaCha20.encrypt(key, longNonce, data)); + assertThrows(IllegalArgumentException.class, () -> ChaCha20.decrypt(key, shortNonce, data)); + assertThrows(IllegalArgumentException.class, () -> ChaCha20.decrypt(key, longNonce, data)); + } + + @Test + public void testNullInputs() { + byte[] key = new byte[32]; + byte[] nonce = new byte[12]; + byte[] data = {1, 2, 3}; + + assertThrows(IllegalArgumentException.class, () -> ChaCha20.encrypt(null, nonce, data)); + assertThrows(IllegalArgumentException.class, () -> ChaCha20.encrypt(key, null, data)); + assertThrows(IllegalArgumentException.class, () -> ChaCha20.encrypt(key, nonce, null)); + assertThrows(IllegalArgumentException.class, () -> ChaCha20.decrypt(null, nonce, data)); + assertThrows(IllegalArgumentException.class, () -> ChaCha20.decrypt(key, null, data)); + assertThrows(IllegalArgumentException.class, () -> ChaCha20.decrypt(key, nonce, null)); + } + + // Helper to convert hex string to byte array for test vectors + private static byte[] hexStringToByteArray(String s) { + int len = s.length(); + if (len % 2 != 0) { + throw new IllegalArgumentException("Hex string must have even length"); + } + byte[] data = new byte[len / 2]; + for (int i = 0; i < len; i += 2) { + data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16)); + } + return data; + } +}