wip: set chacha20black3 as default cipher mode

Author: mikesposito

benches/src/chacha20.rs

@@ -37,8 +37,8 @@ fn bench(c: &mut Criterion) {
     chacha20.init(&key, &iv);
 
     group.bench_with_input(BenchmarkId::new("process", size), size, |b, &_size| {
-      let mut bytes = vec![0u8; *size];
-      b.iter(|| chacha20.process(&mut bytes));
+      let bytes = vec![0u8; *size];
+      b.iter(|| chacha20.process(bytes.clone()));
     });
   }
 

benches/src/cipher-signed-vs-unsigned.rs

@@ -1,5 +1,5 @@
 use criterion::{
-  criterion_group, criterion_main, BenchmarkId, Criterion, PlotConfiguration, Throughput,
+  black_box, criterion_group, criterion_main, BenchmarkId, Criterion, PlotConfiguration, Throughput,
 };
 use secured_cipher::{
   algorithm::{chacha20::CHACHA20_NONCE_SIZE, Blake3Mac},
@@ -14,7 +14,7 @@ fn bench(c: &mut Criterion) {
   let plot_config = PlotConfiguration::default().summary_scale(criterion::AxisScale::Logarithmic);
   group.plot_config(plot_config);
 
-  let data_size = 100 * MB;
+  let data_size = 1024 * MB;
   let blocks_per_thread_options = [1000];
 
   for &blocks_per_thread in &blocks_per_thread_options {
@@ -71,7 +71,7 @@ fn bench(c: &mut Criterion) {
       &data_size,
       |b, &data_size| {
         let mut bytes = vec![0u8; data_size];
-        b.iter(|| unsigned_cipher.encrypt_in_place(&mut bytes));
+        b.iter(|| unsigned_cipher.encrypt_in_place(black_box(&mut bytes)));
       },
     );
   }

cipher/src/algorithm/blake3/mod.rs

@@ -22,9 +22,9 @@ impl AlgorithmKeyInit for Blake3Mac {
 }
 
 impl AlgorithmProcess for Blake3Mac {
-  fn process(&mut self, data: &[u8]) -> Vec<u8> {
+  fn process(&mut self, data: Vec<u8>) -> Vec<u8> {
     let mut hasher = Hasher::new_keyed(&self.key);
-    hasher.update_rayon(data);
+    hasher.update_rayon(&data);
     hasher.finalize().as_bytes().to_vec()
   }
 }

cipher/src/algorithm/chacha20/mod.rs

@@ -164,7 +164,7 @@ impl AlgorithmProcess for ChaCha20 {
   /// for both encryption and decryption due to the reversible nature of the XOR operation.
   ///
   /// # Arguments
-  /// * `bytes_in` - A slice of bytes representing the input data to be processed (either plaintext for encryption
+  /// * `bytes_in` - A mutable vector of bytes representing the input data to be processed (either plaintext for encryption
   ///   or ciphertext for decryption).
   ///
   /// # Returns
@@ -185,12 +185,9 @@ impl AlgorithmProcess for ChaCha20 {
   /// # Notes
   /// It's important to use the same nonce and key for decrypting the data that were used for encryption.
   /// The output size will be equal to the input size, as ChaCha20 is a stream cipher.
-  fn process(&mut self, bytes_in: &[u8]) -> Vec<u8> {
-    // Clone the input bytes to prepare the output vector
-    let mut out = bytes_in.to_owned();
-
+  fn process(&mut self, mut bytes_in: Vec<u8>) -> Vec<u8> {
     // Process each 64-byte block of the input data
-    out
+    bytes_in
       .par_chunks_mut(CHACHA20_BLOCK_SIZE * 100)
       .enumerate()
       .for_each(|(i, par_chunk)| {
@@ -203,7 +200,7 @@ impl AlgorithmProcess for ChaCha20 {
       });
 
     // Return the processed data
-    out.to_vec()
+    bytes_in
   }
 }
 
@@ -310,7 +307,7 @@ mod tests {
       ],
     );
 
-    let encrypted_data = chacha20.process(&PLAINTEXT);
+    let encrypted_data = chacha20.process(PLAINTEXT.to_vec());
 
     assert_eq!(encrypted_data, CIPHERTEXT);
   }
@@ -319,10 +316,10 @@ mod tests {
   fn it_can_reverse_encryption() {
     let mut chacha20 = ChaCha20::default();
     chacha20.init(&[1u8; 32], &[2u8; CHACHA20_NONCE_SIZE]);
-    let data = [0u8; 64];
+    let data = vec![0u8; 64];
 
-    let encrypted_data = chacha20.process(&data);
-    let decrypted_data = chacha20.process(&encrypted_data);
+    let encrypted_data = chacha20.process(data.clone());
+    let decrypted_data = chacha20.process(encrypted_data);
 
     assert_eq!(decrypted_data, data);
   }
@@ -331,10 +328,10 @@ mod tests {
   fn it_can_reverse_encryption_for_data_smaller_than_a_chunk() {
     let mut chacha20 = ChaCha20::default();
     chacha20.init(&[1u8; 32], &[2u8; CHACHA20_NONCE_SIZE]);
-    let data = [0u8; 1];
+    let data = vec![0u8; 1];
 
-    let encrypted_data = chacha20.process(&data);
-    let decrypted_data = chacha20.process(&encrypted_data);
+    let encrypted_data = chacha20.process(data.clone());
+    let decrypted_data = chacha20.process(encrypted_data);
 
     assert_eq!(decrypted_data, data);
   }
@@ -345,11 +342,11 @@ mod tests {
     chacha20_1.init(&[0u8; 32], &[0u8; CHACHA20_NONCE_SIZE]);
     let mut chacha20_2 = ChaCha20::default();
     chacha20_2.init(&[0u8; 32], &[0u8; CHACHA20_NONCE_SIZE]);
-    let mut data = [0u8; 64 * 1000];
+    let mut data = vec![0u8; 64 * 1000];
     let data2 = data.clone();
 
     chacha20_1.process_in_place(&mut data);
-    let encrypted_sync = chacha20_2.process(&data2);
+    let encrypted_sync = chacha20_2.process(data2);
 
     assert_eq!(data.to_vec(), encrypted_sync);
   }

cipher/src/algorithm/mod.rs

@@ -50,7 +50,7 @@ pub trait AlgorithmProcess {
   ///
   /// # Returns
   /// A vector of bytes representing the processed data.
-  fn process(&mut self, data: &[u8]) -> Vec<u8>;
+  fn process(&mut self, data: Vec<u8>) -> Vec<u8>;
 }
 
 pub trait AlgorithmProcessInPlace {

cipher/src/algorithm/poly1305/mod.rs

@@ -118,11 +118,11 @@ impl AlgorithmProcess for Poly1305 {
   /// 16-byte blocks, the final block is padded as necessary.
   ///
   /// # Arguments
-  /// * `data` - A byte slice representing the data to be processed.
+  /// * `data` - A byte vector representing the data to be processed.
   ///
   /// # Returns
   /// A vector of bytes (`Vec<u8>`) containing the computed MAC.
-  fn process(&mut self, data: &[u8]) -> Vec<u8> {
+  fn process(&mut self, data: Vec<u8>) -> Vec<u8> {
     let blocks = data.chunks_exact(16);
     let partial = blocks.remainder();
 

cipher/src/lib.rs

@@ -125,7 +125,7 @@ impl Cipher {
     // The Poly1305 authenticator uses a subkey derived from the cipher's key.
     // This subkey is generated by running the ChaCha20 permutation on a block of zeros.
     if let Some(aead) = &mut self.aead {
-      aead.init(&self.encryption.process(&[0; 64]));
+      aead.init(&self.encryption.process(vec![0; 64]));
     }
 
     self
@@ -134,11 +134,11 @@ impl Cipher {
   /// Encrypts the provided data.
   ///
   /// # Arguments
-  /// * `data` - A slice of data to be encrypted.
+  /// * `data` - A vector of bytes to be encrypted.
   ///
   /// # Returns
   /// Encrypted data as a vector of bytes (`Bytes`).
-  pub fn encrypt(&mut self, data: &[u8]) -> Vec<u8> {
+  pub fn encrypt(&mut self, data: Vec<u8>) -> Vec<u8> {
     self.encryption.process(data)
   }
 
@@ -173,7 +173,7 @@ impl Cipher {
     payload.extend_from_slice(&header);
     payload.extend_from_slice(&data);
 
-    let mac = aead.process(&payload);
+    let mac = aead.process(payload);
 
     SignedEnvelope { header, data, mac }
   }
@@ -183,11 +183,11 @@ impl Cipher {
   /// use cases should be covered by `decrypt_and_verify()` instead.
   ///
   /// # Arguments
-  /// * `data` - A slice of data to be decrypted.
+  /// * `data` - A vector of bytes to be decrypted.
   ///
   /// # Returns
   /// Decrypted data as a vector of bytes (`Bytes`).
-  pub fn decrypt(&mut self, data: &[u8]) -> Vec<u8> {
+  pub fn decrypt(&mut self, data: Vec<u8>) -> Vec<u8> {
     // Decrypt the data using the ChaCha20 permutation
     self.encryption.process(data)
   }
@@ -199,20 +199,24 @@ impl Cipher {
   ///
   /// # Returns
   /// Decrypted data as a vector of bytes (`Bytes`), or an error in case of decryption failure.
-  pub fn decrypt_and_verify(&mut self, envelope: &SignedEnvelope) -> Result<Vec<u8>, CipherError> {
+  pub fn decrypt_and_verify(&mut self, envelope: SignedEnvelope) -> Result<Vec<u8>, CipherError> {
     // Ensure the AEAD algorithm is available
     let aead = self
       .aead
       .as_mut()
       .expect("AEAD algorithm is not initialized");
 
     // Check the MAC (message authentication code) to ensure the integrity of the data
-    if envelope.mac != aead.process(&[envelope.header.clone(), envelope.data.clone()].concat()) {
+    let mut payload = Vec::with_capacity(envelope.header.len() + envelope.data.len());
+    payload.extend_from_slice(&envelope.header);
+    payload.extend_from_slice(&envelope.data);
+    let expected_mac = aead.process(payload);
+    if envelope.mac != expected_mac {
       return Err(CipherError::AuthenticationFailed);
     }
 
     // Decrypt the data using the ChaCha20 permutation
-    Ok(self.encryption.process(&envelope.data))
+    Ok(self.encryption.process(envelope.data))
   }
 }
 
@@ -222,7 +226,7 @@ impl Default for Cipher {
   /// # Returns
   /// A new instance of `Cipher` with XChaCha20 mode.
   fn default() -> Self {
-    Self::new(CipherMode::ChaCha20Poly1305)
+    Self::new(CipherMode::ChaCha20Blake3)
   }
 }
 

enclave/src/lib.rs

@@ -53,7 +53,7 @@ where
     let mut cipher = Cipher::default();
     cipher.init(&key, &nonce);
 
-    let encrypted_bytes = cipher.encrypt(&plain_bytes);
+    let encrypted_bytes = cipher.encrypt(plain_bytes);
     let envelope: Vec<u8> = cipher.sign(metadata.clone().into(), encrypted_bytes).into();
 
     Ok(Enclave {
@@ -76,7 +76,7 @@ where
     Ok(
       Cipher::default()
         .init(&key, &self.nonce)
-        .decrypt_and_verify(&envelope)?,
+        .decrypt_and_verify(envelope)?,
     )
   }