GitHub - vidur89/bc-java: Bouncy Castle Java Distribution (Mirror)

TimW Bouncy Castle contributions

This is a fork of the official Bouncy Castle GitHub mirror used to track my contributions.

Pending contributions are in feature branches; accepted contributions live on only as tags.

Proposed

In Progress

Faster AESFastEngine. (May 9 2014)

pull request

  • Eliminate some array range checking in AESFastEngine to make it actually faster than AESEngine

AESFastEngine is slower than AESEngine despite pre-computing more, because its four table lookup arrays (versus only one in AESEngine) incur additional array range checks. This change compacts all of the tables into a single table, trading an offset addition on each lookup for the removal of the extra range checking. The state variables on encrypt are also registerised for an additional speed bump.

JavaDoc and parameter validation for Scrypt. (March 12 2014)

pull request

  • JavaDoc, parameter validation and tests covering parameter validation for Scrypt.

Experimental Stuff

Simon and Speck Ciphers (24 July 2013)

Speck in 32/64 bit word variants performs well in Java, although slower than Threefish due to the smaller block sizes. Community cryptanalysis of Simon/Speck is at a very early stage, so not proposing this for BC at present.

Accepted

SipHash KeyGenerator regs in JCE and spec docs (March 12 2014)

pull request

  • Add KeyGenerator registrations for SipHash in the JCE API and add the JCE SipHash algorithms to the specs.

Support IDEA as a PGP block cipher (March 12 2014)

pull request

  • Support IDEA as a PGP block cipher and update IDEA patent verbiage now patent has expired.

Throw AEADBadTagException (March 12 2014)

pull request

  • Throw AEADBadTagException if available from AEAD ciphers in JCE provider when authentication fails.

Fixes for AEAD output size calculations and use in cipher streams (March 12 2014)

pull request

  • More testing and buffer underflow fixes for lightweight and JCE CipherInputStream/CipherOutputStream
  • Consistent input/output range checking and improved documentation for AEAD implementations

Include ChaCha in regression tests (October 20 2013)

pull request

  • Include ChaChaTest in cipher RegressionTest, plus a minor typo in ChaChaTest.

Reduce data copying in CCM mode (September 7 2013)

pull request

Remove unnecessary data copying in the CCM mode implementation:

  • ByteArrayOutputStream buffers for AD and data are accessed directly to avoid extra allocate+copy of each
  • The output buffer is used directly by processPacket output without allocate+copy of a temporary buffer

CipherInputStream Improvements (28 July 2013)

pull request

Two parts to this:

  1. rewrites of JCE javax.crypto.CipherInputStream and CipherOutputStream that don't silently eat invalid ciphertext exceptions and don't call doFinal() twice (i.e. they can be used safely with AEAD ciphers). See links below for issues with the javax.crypto versions.
  2. improvement to LW API CipherInputStream and CipherOutputStream to support AEADBlockCiphers and simplify internal logic.

Full testing of JCE and LW Cipher streams with common ciphers is included, including tampering of AEAD ciphertexts.
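The check below is an added example, written for this page rather than taken from this fork or from Bouncy Castle: it encrypts a constructed message with AES/GCM through the BC provider, flips one bit of the ciphertext, and pushes both the intact and the tampered ciphertext through javax.crypto.CipherInputStream and through org.bouncycastle.jcajce.io.CipherInputStream, reporting whether each stream surfaces the authentication failure or hands back data as if nothing were wrong. It assumes BC 1.50 or later (where the jcajce stream classes exist) and Java 8 or later; the class and helper names are my own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Added example, not part of bc-java: compares how the JDK and the Bouncy Castle
 * CipherInputStream report a GCM tag failure to the caller.
 */
public class AeadStreamTamperCheck {

    /** Constructed sample input for the demonstration. */
    static final byte[] PLAINTEXT =
        "constructed sample message for the AEAD stream check".getBytes();

    /** Adapts the two (InputStream, Cipher) constructors so both classes are driven identically. */
    interface StreamFactory {
        InputStream wrap(InputStream in, Cipher cipher) throws IOException;
    }

    static Cipher gcm(int mode, byte[] key, byte[] nonce) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "BC");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        return c;
    }

    /**
     * Reads the whole stream and closes it (close() is where a CipherInputStream
     * calls doFinal()). Returns a one-line verdict instead of throwing so the two
     * stream classes can be compared side by side.
     */
    static String decryptThrough(StreamFactory factory, byte[] ciphertext,
                                 byte[] key, byte[] nonce) throws Exception {
        Cipher dec = gcm(Cipher.DECRYPT_MODE, key, nonce);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (InputStream in = factory.wrap(new ByteArrayInputStream(ciphertext), dec)) {
            byte[] buf = new byte[7]; // deliberately small and not block aligned
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } catch (IOException e) {
            // BC reports the tag failure as InvalidCipherTextIOException (an IOException);
            // a JDK stream that propagates AEADBadTagException also wraps it in an IOException.
            return "REJECTED (" + e.getClass().getSimpleName() + ")";
        }
        byte[] got = out.toByteArray();
        if (Arrays.equals(got, PLAINTEXT)) {
            return "accepted, plaintext matches";
        }
        // No exception but wrong or truncated output: the failure was swallowed.
        return "ACCEPTED SILENTLY, " + got.length + " bytes returned";
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[16];
        byte[] nonce = new byte[12];
        rng.nextBytes(key);
        rng.nextBytes(nonce);

        byte[] intact = gcm(Cipher.ENCRYPT_MODE, key, nonce).doFinal(PLAINTEXT);
        byte[] tampered = intact.clone();
        tampered[3] ^= 0x01; // one flipped bit in the ciphertext body: the tag must now fail

        StreamFactory jdk = javax.crypto.CipherInputStream::new;
        StreamFactory bc = org.bouncycastle.jcajce.io.CipherInputStream::new;

        System.out.println("javax.crypto, intact:   " + decryptThrough(jdk, intact, key, nonce));
        System.out.println("javax.crypto, tampered: " + decryptThrough(jdk, tampered, key, nonce));
        System.out.println("bc jcajce,    intact:   " + decryptThrough(bc, intact, key, nonce));
        System.out.println("bc jcajce,    tampered: " + decryptThrough(bc, tampered, key, nonce));
    }
}
```

The verdict for the javax.crypto stream depends on the JDK release it runs on; the point of running both is that the BC stream must always report the tampered input as REJECTED, and any "ACCEPTED SILENTLY" line shows a stream that has discarded the authentication failure, which is exactly the behaviour the rewrite above exists to avoid.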

Oracle bug refs for broken Cipher stream behaviour:

Stream Cipher Reset Testing (28 July 2013)

pull request

  • Tests for reset of stream ciphers on encrypt/decrypt, init and reset operations.
  • Minor fixes for Grain* and HC* ciphers to make them reset properly on subsequent inits.

Missing algorithms in specifications (July 24 2013)

pull request

  • Document various algorithms that have been missed/misrepresented in the specs.

Fast Poly1305 Mac Implementation (July 17 2013)

pull request

  • Fast implementation of Poly1305 message authentication code, with tests and JCE registrations.
  • The fast polynomial calculation in this implementation is adapted from the public domain 'poly1305-donna-unrolled' C implementation by Andrew M (@floodyberry) (https://github.com/floodyberry/poly1305-donna) - primarily adapting to Java signed integer arithmetic.
  • JCE registrations are provided for Poly1305-* for 128 bit AES era block ciphers (AES, Serpent, Twofish etc.)

Exception testing for CTS mode (July 17 2013)

pull request

  • Add exception testing (as already exist for other modes) for CTS mode.
  • Fix a couple of minor issues arising from those tests.

XSalsa20, ChaCha, Reduced Round Salsa20 (July 9 2013)

pull request

XSalsa20 implementation, based on the existing Salsa20 engine with a couple of tweaks to allow the key setup and nonce size to vary

XSalsa20 is a version of the Salsa20 stream cipher with an extended (192 vs 64 bit) nonce.

Test vectors are copied from the cryptopp implementation, which generated them using the nacl XSalsa20 implementation. There don't appear to be any official test vectors.


ChaCha implementation, based on the existing Salsa20 engine with the key setup, block permutation and block counter increment overridden.

This is basically an implementation of the 'regs' reference implementation found in the eStream benchmark suite and at http://cr.yp.to/chacha.html.

Speed is slightly higher (~10% faster) than the Salsa20 engine, due to the registerization.


Reduced round Salsa20

Parameterisation of Salsa20Engine to allow arbitrary rounds. Test vectors from estreambench-20080905.


Registerization of Salsa20Engine

Registerize the state variables in salsa20Core to allow HotSpot etc. to optimise the loads/stores (as much as can be done with 16 variables and no SIMD). Boosts performance by about 10% on common x86 hardware, possibly more on setups with more registers. Should have no effect on systems with small numbers of registers.
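An added example of driving these engines through the lightweight API, written for this page and not taken from the fork or from Bouncy Castle. It exercises the three variants this entry describes (XSalsa20 with its 24-byte nonce, ChaCha, and a reduced-round Salsa20) and also re-initialises the same engine instance for decryption, which is the reset-on-subsequent-init behaviour the "Stream Cipher Reset Testing" entry below tests. It assumes BC 1.50 or later, where Salsa20Engine(int rounds), ChaChaEngine and XSalsa20Engine are present; the class and helper names are my own.

```java
import java.security.SecureRandom;
import java.util.Arrays;

import org.bouncycastle.crypto.StreamCipher;
import org.bouncycastle.crypto.engines.ChaChaEngine;
import org.bouncycastle.crypto.engines.Salsa20Engine;
import org.bouncycastle.crypto.engines.XSalsa20Engine;
import org.bouncycastle.crypto.params.KeyParameter;
import org.bouncycastle.crypto.params.ParametersWithIV;

/**
 * Added example, not part of bc-java: round-trips a message through the Salsa20
 * family engines and shows the nonce-length and round-count checks at init().
 */
public class SalsaFamilyNonceCheck {

    /** Constructed sample input for the demonstration. */
    static final byte[] MESSAGE = "constructed sample message for the stream ciphers".getBytes();

    /** Encrypts MESSAGE, re-inits the SAME engine instance for decryption, and checks the round trip. */
    static boolean roundTrip(StreamCipher engine, byte[] key, byte[] nonce) {
        ParametersWithIV params = new ParametersWithIV(new KeyParameter(key), nonce);
        engine.init(true, params);
        byte[] ct = new byte[MESSAGE.length];
        engine.processBytes(MESSAGE, 0, MESSAGE.length, ct, 0);

        engine.init(false, params); // relies on init() fully resetting the keystream position
        byte[] pt = new byte[ct.length];
        engine.processBytes(ct, 0, ct.length, pt, 0);
        return Arrays.equals(pt, MESSAGE);
    }

    /** True if the engine refuses a nonce of the given length at init(). */
    static boolean rejectsNonce(StreamCipher engine, byte[] key, int nonceLen) {
        try {
            engine.init(true, new ParametersWithIV(new KeyParameter(key), new byte[nonceLen]));
            return false;
        } catch (IllegalArgumentException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[32];     // 256-bit key: the only size XSalsa20 accepts
        byte[] nonce8 = new byte[8];   // Salsa20 / ChaCha nonce (64 bit)
        byte[] nonce24 = new byte[24]; // XSalsa20 nonce (192 bit)
        rng.nextBytes(key);
        rng.nextBytes(nonce8);
        rng.nextBytes(nonce24);

        System.out.println("Salsa20/20  8-byte nonce round trip: " + roundTrip(new Salsa20Engine(), key, nonce8));
        System.out.println("Salsa20/12  8-byte nonce round trip: " + roundTrip(new Salsa20Engine(12), key, nonce8));
        System.out.println("ChaCha20    8-byte nonce round trip: " + roundTrip(new ChaChaEngine(), key, nonce8));
        System.out.println("XSalsa20   24-byte nonce round trip: " + roundTrip(new XSalsa20Engine(), key, nonce24));

        // Nonce length is enforced at init(): 8 bytes for Salsa20/ChaCha, 24 for XSalsa20.
        System.out.println("Salsa20 rejects a 24-byte nonce: " + rejectsNonce(new Salsa20Engine(), key, 24));
        System.out.println("XSalsa20 rejects an 8-byte nonce: " + rejectsNonce(new XSalsa20Engine(), key, 8));

        // An odd round count is not a Salsa20 variant; the constructor rejects it.
        try {
            new Salsa20Engine(7);
            System.out.println("Salsa20/7 constructed (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("Salsa20/7 rejected: " + e.getMessage());
        }
    }
}
```

Reusing one engine instance across init(true, ...) and init(false, ...) is the cheap way to catch a stream cipher that does not reset its counter or keystream buffer on re-init: the round trip fails as soon as the decrypting keystream starts from the wrong position.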

Correct length of JCE automatic IV for OCB (July 4 2013)

pull request

  • Generate 120 bit nonces for OCB in JCE API.

Correct length of JCE automatic IV for CCM (July 4 2013)

pull request

  • Generate 13 byte nonces for CCM in JCE API.

CAST6/Noekeon with OCB mode in JCE (July 4 2013)

pull request

  • When used via JCE, OCB mode requires a BlockCipherProvider (since it uses two instances of a block cipher), so implement this for CAST6/Noekeon.

Prevent CMAC from accepting IV (July 4 2013)

pull request

  • CMAC is defined with an all zero IV (page 9 of NIST SP 800-38B), so block any init parameters other than a KeyParameter from being passed to the underlying CBC mode.

JCE AAD API support (July 3 2013)

pull request

  • Add Java 7 JCE AAD support to BouncyCastle JCE provider (Cipher.updateAAD() and GCMParameterSpec).
  • Residual of previous contribution (in CVS days) to add online/incremental AAD processing to AEADBlockCipher.

Reset and Tamper Testing for AEAD (July 3 2013)

pull request

  • Unit tests that exercise state resets for encrypt/decrypt, init and reset operations, and for various ways of tampering with AEAD ciphertexts.
  • Fixes for CCM and EAX mode issues revealed by testing.

Threefish and Skein (July 3 2013)

pull request

  • Threefish, Skein, Skein-MAC + HMAC-Skein in 256, 512, 1024 bit block sizes.
  • JCE registrations for all of these algos with standard output sizes (for digest + MAC).

Not Accepted

Align behaviour of CTR and SIC modes in the JCE API (July 4 2013)

pull request

  • CTR and SIC are implemented with the same underlying engine, so make their behaviour in the JCE API consistent (previously SIC would fail on 64 bit block ciphers, while CTR would not).