Add the BlaBla2000 stream cipher - will eventually become the default

2000 rounds variant of the BlaBla20 cipher
for Very Post Quantum (VPQ) security.

.gitignore

@@ -96,6 +96,7 @@ test/default/auth3
 test/default/auth5
 test/default/auth6
 test/default/auth7
+test/default/blabla2000
 test/default/box
 test/default/box2
 test/default/box7

src/libsodium/Makefile.am

@@ -74,6 +74,7 @@ libsodium_la_SOURCES = \
 	crypto_sign/ed25519/ref10/open.c \
 	crypto_sign/ed25519/ref10/sign.c \
 	crypto_sign/ed25519/ref10/sign_ed25519_ref10.h \
+	crypto_stream/blabla2000/stream_blabla2000.c \
 	crypto_stream/chacha20/stream_chacha20.c \
 	crypto_stream/chacha20/stream_chacha20.h \
 	crypto_stream/chacha20/ref/chacha20_ref.h \

src/libsodium/crypto_stream/blabla2000/stream_blabla2000.c

@@ -0,0 +1,148 @@
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "crypto_stream_blabla2000.h"
+#include "private/common.h"
+#include "randombytes.h"
+
+#define crypto_stream_blabla2000_ROUNDS 2000
+
+#define crypto_stream_blabla2000_BLOCKBYTES 128
+
+#define CRYPTO_STREAM_BLABLA2000_QUARTERROUND(a, b, c, d) \
+    a += b;                                               \
+    d = ROTR64(d ^ a, 32);                                \
+    c += d;                                               \
+    b = ROTR64(b ^ c, 24);                                \
+    a += b;                                               \
+    d = ROTR64(d ^ a, 16);                                \
+    c += d;                                               \
+    b = ROTR64(b ^ c, 63)
+
+static void
+crypto_stream_blabla2000_rounds(uint64_t st[16])
+{
+    int i;
+
+    for (i = 0; i < crypto_stream_blabla2000_ROUNDS; i += 2) {
+        CRYPTO_STREAM_BLABLA2000_QUARTERROUND(st[0], st[4], st[8], st[12]);
+        CRYPTO_STREAM_BLABLA2000_QUARTERROUND(st[1], st[5], st[9], st[13]);
+        CRYPTO_STREAM_BLABLA2000_QUARTERROUND(st[2], st[6], st[10], st[14]);
+        CRYPTO_STREAM_BLABLA2000_QUARTERROUND(st[3], st[7], st[11], st[15]);
+        CRYPTO_STREAM_BLABLA2000_QUARTERROUND(st[0], st[5], st[10], st[15]);
+        CRYPTO_STREAM_BLABLA2000_QUARTERROUND(st[1], st[6], st[11], st[12]);
+        CRYPTO_STREAM_BLABLA2000_QUARTERROUND(st[2], st[7], st[8], st[13]);
+        CRYPTO_STREAM_BLABLA2000_QUARTERROUND(st[3], st[4], st[9], st[14]);
+    }
+}
+
+static void
+crypto_stream_blabla2000_update(uint64_t ks[16], uint64_t st[16])
+{
+    int i;
+
+    memcpy(ks, st, 8 * 16);
+    crypto_stream_blabla2000_rounds(st);
+    for (i = 0; i < 16; i++) {
+        ks[i] += st[i];
+    }
+    ++st[13];
+}
+
+static void
+crypto_stream_blabla2000_init(uint64_t st[16],
+                              const unsigned char nonce[crypto_stream_blabla2000_NONCEBYTES],
+                              const unsigned char key[crypto_stream_blabla2000_KEYBYTES])
+{
+    int i;
+
+    st[0] = 0x6170786593810fab;
+    st[1] = 0x3320646ec7398aee;
+    st[2] = 0x79622d3217318274;
+    st[3] = 0x6b206574babadada;
+    for (i = 0; i < 4; i++) {
+        st[4 + i] = LOAD64_LE(&key[8 * i]);
+    }
+    st[8]  = 0x2ae36e593e46ad5f;
+    st[9]  = 0xb68f143029225fc9;
+    st[10] = 0x8da1e08468303aa6;
+    st[11] = 0xa48a209acd50a4a7;
+    st[12] = 0x7fdc12f23f90778c;
+    st[13] = 1;
+    st[14] = LOAD64_LE(&nonce[8 * 0]);
+    st[15] = LOAD64_LE(&nonce[8 * 1]);
+}
+
+int
+crypto_stream_blabla2000_xor(unsigned char *c, const unsigned char *m,
+                             unsigned long long len,
+                             const unsigned char nonce[crypto_stream_blabla2000_NONCEBYTES],
+                             const unsigned char key[crypto_stream_blabla2000_KEYBYTES])
+{
+    unsigned char tmp[crypto_stream_blabla2000_BLOCKBYTES];
+    uint64_t      ks[16];
+    uint64_t      st[16];
+    uint64_t      x;
+    int           i;
+
+    crypto_stream_blabla2000_init(st, nonce, key);
+    while (len >= crypto_stream_blabla2000_BLOCKBYTES) {
+        crypto_stream_blabla2000_update(ks, st);
+        for (i = 0; i < 16; i++) {
+            x = ks[i] ^ LOAD64_LE(m + 8 * i);
+            STORE64_LE(c + 8 * i, x);
+        }
+        c += crypto_stream_blabla2000_BLOCKBYTES;
+        m += crypto_stream_blabla2000_BLOCKBYTES;
+        len -= crypto_stream_blabla2000_BLOCKBYTES;
+    }
+    if (len > 0) {
+        crypto_stream_blabla2000_update(ks, st);
+        memset(tmp, 0, crypto_stream_blabla2000_BLOCKBYTES);
+        for (i = 0; i < (int) len; i++) {
+            tmp[i] = m[i];
+        }
+        for (i = 0; i < 16; i++) {
+            x = ks[i] ^ LOAD64_LE(tmp + 8 * i);
+            STORE64_LE(tmp + 8 * i, x);
+        }
+        for (i = 0; i < (int) len; i++) {
+            c[i] = tmp[i];
+        }
+    }
+    return 0;
+}
+
+int
+crypto_stream_blabla2000(unsigned char *c, unsigned long long len,
+                         const unsigned char nonce[crypto_stream_blabla2000_NONCEBYTES],
+                         const unsigned char key[crypto_stream_blabla2000_KEYBYTES])
+{
+    memset(c, 0, len);
+    return crypto_stream_blabla2000_xor(c, c, len, nonce, key);
+}
+
+void
+crypto_stream_blabla2000_keygen(unsigned char k[crypto_stream_blabla2000_KEYBYTES])
+{
+    randombytes_buf(k, crypto_stream_blabla2000_KEYBYTES);
+}
+
+size_t
+crypto_stream_blabla2000_keybytes(void)
+{
+    return crypto_stream_blabla2000_KEYBYTES;
+}
+
+size_t
+crypto_stream_blabla2000_noncebytes(void)
+{
+    return crypto_stream_blabla2000_NONCEBYTES;
+}
+
+size_t
+crypto_stream_blabla2000_messagebytes_max(void)
+{
+    return crypto_stream_blabla2000_MESSAGEBYTES_MAX;
+}

src/libsodium/include/Makefile.am

@@ -49,6 +49,7 @@ SODIUM_EXPORT = \
 	sodium/crypto_sign.h \
 	sodium/crypto_sign_ed25519.h \
 	sodium/crypto_stream.h \
+	sodium/crypto_stream_blabla2000.h \
 	sodium/crypto_stream_chacha20.h \
 	sodium/crypto_stream_salsa20.h \
 	sodium/crypto_stream_salsa2012.h \

src/libsodium/include/sodium.h

@@ -42,6 +42,7 @@
 #include "sodium/crypto_sign.h"
 #include "sodium/crypto_sign_ed25519.h"
 #include "sodium/crypto_stream.h"
+#include "sodium/crypto_stream_blabla2000.h"
 #include "sodium/crypto_stream_chacha20.h"
 #include "sodium/crypto_stream_salsa20.h"
 #include "sodium/crypto_stream_xsalsa20.h"

src/libsodium/include/sodium/crypto_stream_blabla2000.h

@@ -0,0 +1,46 @@
+#ifndef crypto_stream_blabla2000_H
+#define crypto_stream_blabla2000_H
+
+#include <stddef.h>
+#include <stdint.h>
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+#  pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_stream_blabla2000_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_stream_blabla2000_keybytes(void);
+
+#define crypto_stream_blabla2000_NONCEBYTES 16U
+SODIUM_EXPORT
+size_t crypto_stream_blabla2000_noncebytes(void);
+
+#define crypto_stream_blabla2000_MESSAGEBYTES_MAX SODIUM_SIZE_MAX
+SODIUM_EXPORT
+size_t crypto_stream_blabla2000_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_stream_blabla2000(unsigned char *c, unsigned long long len,
+                             const unsigned char *n, const unsigned char *k)
+            __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_blabla2000_xor(unsigned char *c, const unsigned char *m,
+                                 unsigned long long mlen, const unsigned char *n,
+                                 const unsigned char *k)
+            __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_stream_blabla2000_keygen(unsigned char k[crypto_stream_blabla2000_KEYBYTES])
+            __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

test/default/Makefile.am

@@ -16,6 +16,7 @@ EXTRA_DIST = \
 	auth5.exp \
 	auth6.exp \
 	auth7.exp \
+	blabla2000.exp \
 	box.exp \
 	box2.exp \
 	box7.exp \
@@ -99,6 +100,7 @@ DISTCLEANFILES = \
 	auth5.res \
 	auth6.res \
 	auth7.res \
+	blabla2000.res \
 	box.res \
 	box2.res \
 	box7.res \
@@ -192,6 +194,7 @@ TESTS_TARGETS = \
 	auth5 \
 	auth6 \
 	auth7 \
+	blabla2000 \
 	box \
 	box2 \
 	box7 \
@@ -298,6 +301,9 @@ auth6_LDADD               = $(TESTS_LDADD)
 auth7_SOURCE              = cmptest.h auth7.c quirks.h
 auth7_LDADD               = $(TESTS_LDADD)
 
+blabla2000_SOURCE         = cmptest.h blabla2000.c
+blabla2000_LDADD          = $(TESTS_LDADD)
+
 box_SOURCE                = cmptest.h box.c
 box_LDADD                 = $(TESTS_LDADD)
 

test/default/blabla2000.c

@@ -0,0 +1,45 @@
+
+#define TEST_NAME "blabla2000"
+#include "cmptest.h"
+
+static const unsigned char key[32] = {
+    0x1b, 0x27, 0x55, 0x64, 0x73, 0xe9, 0x85,
+    0xd4, 0x62, 0xcd, 0x51, 0x19, 0x7a, 0x9a,
+    0x46, 0xc7, 0x60, 0x09, 0x54, 0x9e, 0xac,
+    0x64, 0x74, 0xf2, 0x06, 0xc4, 0xee, 0x08,
+    0x44, 0xf6, 0x83, 0x89
+};
+
+static const unsigned char nonce[16] = {
+    0x69, 0x69, 0x6e, 0xe9, 0x55, 0xb6,
+    0x2b, 0x73, 0xcd, 0x62, 0xbd, 0xa8,
+    0x75, 0xfc, 0x73, 0xd6
+};
+
+int
+main(void)
+{
+    unsigned char  h[32];
+    char          *hex;
+    unsigned char *output;
+    size_t         sizeof_hex = 17 * 64 * 2 + 1;
+    size_t         sizeof_output = 4194304;
+    int            i;
+
+    output = (unsigned char *) sodium_malloc(sizeof_output);
+    hex = (char *) sodium_malloc(sizeof_hex);
+
+    crypto_stream_blabla2000(output, sizeof_output, nonce, key);
+    crypto_generichash(h, sizeof h, output, sizeof_output, NULL, 0U);
+    sodium_bin2hex(hex, sizeof_hex, h, sizeof h);
+    printf("%s\n", hex);
+
+    assert(crypto_stream_blabla2000_keybytes() > 0U);
+    assert(crypto_stream_blabla2000_keybytes() == crypto_stream_blabla2000_KEYBYTES);
+    assert(crypto_stream_blabla2000_noncebytes() > 0U);
+    assert(crypto_stream_blabla2000_noncebytes() == crypto_stream_blabla2000_NONCEBYTES);
+    assert(crypto_stream_blabla2000_messagebytes_max() > 0U);
+    assert(crypto_stream_blabla2000_messagebytes_max() == crypto_stream_blabla2000_MESSAGEBYTES_MAX);
+
+    return 0;
+}

test/default/blabla2000.exp

@@ -0,0 +1 @@
+d08a868b2c55c3dde05cd245ea39d668603e4b10a9cfb3be04639458178d9caf