Use ChaCha20-Poly1305 instead of AES-GCM for shared key-based crypto

This is to get around the limitation where AES GCM can only produce
a maximum of 64 GiB of ciphertext for a particular <key, IV> pair before
its security properties break down. ChaCha20-Poly1305 does not have any
practical limitations here.

ChaCha20-Poly1305 uses a 256-bit key whereas the shared key is 128 bits.
A HKDF is used to internally expand the key material to 256 bits.

To let token based decryption be fully backwards compatible, introduce
a token version 2. V1 tokens will be decrypted with AES-GCM 128, while
V2 tokens use ChaCha20-Poly1305.

As a bonus, cryptographic operations will generally be _faster_ after
this cipher change, as we use BouncyCastle ciphers and these do not use
any native AES instructions. ChaCha20-Poly1305 is usually considerably
faster when running without specialized hardware support. An ad-hoc
experiment with a large ciphertext showed a near 70% performance increase
over AES-GCM 128.

4 files changed, 167 insertions, 17 deletions

diff --git a/security-utils/src/main/java/com/yahoo/security/ChaCha20Poly1305AeadBlockCipherAdapter.java b/security-utils/src/main/java/com/yahoo/security/ChaCha20Poly1305AeadBlockCipherAdapter.java
new file mode 100644
index 00000000000..5166e44e20c
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/ChaCha20Poly1305AeadBlockCipherAdapter.java
@@ -0,0 +1,84 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security;
+
+import org.bouncycastle.crypto.BlockCipher;
+import org.bouncycastle.crypto.CipherParameters;
+import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.InvalidCipherTextException;
+import org.bouncycastle.crypto.modes.AEADBlockCipher;
+import org.bouncycastle.crypto.modes.ChaCha20Poly1305;
+
+/**
+ * Minimal adapter to make ChaCha20Poly1305 usable as an AEADBlockCipher (it's technically
+ * an AEAD stream cipher, but this is not exposed in the BouncyCastle type system).
+ *
+ * @author vekterli
+ */
+class ChaCha20Poly1305AeadBlockCipherAdapter implements AEADBlockCipher {
+
+    private final ChaCha20Poly1305 cipher;
+
+    ChaCha20Poly1305AeadBlockCipherAdapter(ChaCha20Poly1305 cipher) {
+        this.cipher = cipher;
+    }
+
+    @Override
+    public BlockCipher getUnderlyingCipher() {
+        return null;
+    }
+
+    @Override
+    public void init(boolean forEncryption, CipherParameters params) throws IllegalArgumentException {
+        cipher.init(forEncryption, params);
+    }
+
+    @Override
+    public String getAlgorithmName() {
+        return cipher.getAlgorithmName();
+    }
+
+    @Override
+    public void processAADByte(byte in) {
+        cipher.processAADByte(in);
+    }
+
+    @Override
+    public void processAADBytes(byte[] in, int inOff, int len) {
+        cipher.processAADBytes(in, inOff, len);
+    }
+
+    @Override
+    public int processByte(byte in, byte[] out, int outOff) throws DataLengthException {
+        return cipher.processByte(in, out, outOff);
+    }
+
+    @Override
+    public int processBytes(byte[] in, int inOff, int len, byte[] out, int outOff) throws DataLengthException {
+        return cipher.processBytes(in, inOff, len, out, outOff);
+    }
+
+    @Override
+    public int doFinal(byte[] out, int outOff) throws IllegalStateException, InvalidCipherTextException {
+        return cipher.doFinal(out, outOff);
+    }
+
+    @Override
+    public byte[] getMac() {
+        return cipher.getMac();
+    }
+
+    @Override
+    public int getUpdateOutputSize(int len) {
+        return cipher.getUpdateOutputSize(len);
+    }
+
+    @Override
+    public int getOutputSize(int len) {
+        return cipher.getOutputSize(len);
+    }
+
+    @Override
+    public void reset() {
+        cipher.reset();
+    }
+}
diff --git a/security-utils/src/main/java/com/yahoo/security/SealedSharedKey.java b/security-utils/src/main/java/com/yahoo/security/SealedSharedKey.java
index 65f149579f4..d570cd799cc 100644
--- a/security-utils/src/main/java/com/yahoo/security/SealedSharedKey.java
+++ b/security-utils/src/main/java/com/yahoo/security/SealedSharedKey.java
@@ -14,11 +14,11 @@ import java.nio.ByteBuffer;
  * This token representation is expected to be used as a convenient serialization
  * form when communicating shared keys.
  */
-public record SealedSharedKey(KeyId keyId, byte[] enc, byte[] ciphertext) {
+public record SealedSharedKey(int version, KeyId keyId, byte[] enc, byte[] ciphertext) {
 
     /** Current encoding version of opaque sealed key tokens. Must be less than 256. */
-    public static final int CURRENT_TOKEN_VERSION = 1;
-    /** Encryption context for v1 tokens is always a 32-byte X25519 public key */
+    public static final int CURRENT_TOKEN_VERSION = 2;
+    /** Encryption context for v{1,2} tokens is always a 32-byte X25519 public key */
     public static final int MAX_ENC_CONTEXT_LENGTH = 255;
 
     public SealedSharedKey {
@@ -36,7 +36,7 @@ public record SealedSharedKey(KeyId keyId, byte[] enc, byte[] ciphertext) {
         byte[] keyIdBytes = keyId.asBytes();
         // u8 token version || u8 length(key id) || key id || u8 length(enc) || enc || ciphertext
         ByteBuffer encoded = ByteBuffer.allocate(1 + 1 + keyIdBytes.length + 1 + enc.length + ciphertext.length);
-        encoded.put((byte)CURRENT_TOKEN_VERSION);
+        encoded.put((byte)version);
         encoded.put((byte)keyIdBytes.length);
         encoded.put(keyIdBytes);
         encoded.put((byte)enc.length);
@@ -62,8 +62,8 @@ public record SealedSharedKey(KeyId keyId, byte[] enc, byte[] ciphertext) {
         ByteBuffer decoded = ByteBuffer.wrap(rawTokenBytes);
         // u8 token version || u8 length(key id) || key id || u8 length(enc) || enc || ciphertext
         int version = Byte.toUnsignedInt(decoded.get());
-        if (version != CURRENT_TOKEN_VERSION) {
-            throw new IllegalArgumentException("Token had unexpected version. Expected %d, was %d"
+        if (version < 1 || version > CURRENT_TOKEN_VERSION) {
+            throw new IllegalArgumentException("Token had unexpected version. Expected value in [1, %d], was %d"
                                                .formatted(CURRENT_TOKEN_VERSION, version));
         }
         int keyIdLen = Byte.toUnsignedInt(decoded.get());
@@ -75,10 +75,10 @@ public record SealedSharedKey(KeyId keyId, byte[] enc, byte[] ciphertext) {
         byte[] ciphertext = new byte[decoded.remaining()];
         decoded.get(ciphertext);
 
-        return new SealedSharedKey(KeyId.ofBytes(keyIdBytes), enc, ciphertext);
+        return new SealedSharedKey(version, KeyId.ofBytes(keyIdBytes), enc, ciphertext);
     }
 
-    public int tokenVersion() { return CURRENT_TOKEN_VERSION; }
+    public int tokenVersion() { return version; }
 
     private static void verifyInputTokenStringNotTooLarge(String tokenString) {
         // Expected max decoded size for v1 is 3 + 255 + 32 + 32 = 322. For simplicity, round this
diff --git a/security-utils/src/main/java/com/yahoo/security/SecretSharedKey.java b/security-utils/src/main/java/com/yahoo/security/SecretSharedKey.java
index 3e90711d57f..da582eae92c 100644
--- a/security-utils/src/main/java/com/yahoo/security/SecretSharedKey.java
+++ b/security-utils/src/main/java/com/yahoo/security/SecretSharedKey.java
@@ -21,4 +21,31 @@ public record SecretSharedKey(SecretKey secretKey, SealedSharedKey sealedSharedK
         return "SharedSecretKey(sealed: %s)".formatted(sealedSharedKey.toTokenString());
     }
 
+    /**
+     * @return an encryption cipher that matches the version of the SealedSharedKey bound to
+     *         the secret shared key
+     */
+    public AeadCipher makeEncryptionCipher() {
+        var version = sealedSharedKey.tokenVersion();
+        return switch (version) {
+            case 1  -> SharedKeyGenerator.makeAesGcmEncryptionCipher(this);
+            case 2  -> SharedKeyGenerator.makeChaCha20Poly1305EncryptionCipher(this);
+            default -> throw new IllegalStateException("Unsupported token version: " + version);
+        };
+    }
+
+    /**
+     * @return a decryption cipher that matches the version of the SealedSharedKey bound to
+     *         the secret shared key. In other words, the cipher shall match the cipher algorithm
+     *         used to perform the encryption this key was used for.
+     */
+    public AeadCipher makeDecryptionCipher() {
+        var version = sealedSharedKey.tokenVersion();
+        return switch (version) {
+            case 1  -> SharedKeyGenerator.makeAesGcmDecryptionCipher(this);
+            case 2  -> SharedKeyGenerator.makeChaCha20Poly1305DecryptionCipher(this);
+            default -> throw new IllegalStateException("Unsupported token version: " + version);
+        };
+    }
+
 }
diff --git a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
index b59e7cff6b4..22503292413 100644
--- a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
+++ b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
@@ -7,6 +7,7 @@ import com.yahoo.security.hpke.Hpke;
 import com.yahoo.security.hpke.Kdf;
 import com.yahoo.security.hpke.Kem;
 import org.bouncycastle.crypto.engines.AESEngine;
+import org.bouncycastle.crypto.modes.ChaCha20Poly1305;
 import org.bouncycastle.crypto.modes.GCMBlockCipher;
 import org.bouncycastle.crypto.params.AEADParameters;
 import org.bouncycastle.crypto.params.KeyParameter;
@@ -21,6 +22,8 @@ import java.security.SecureRandom;
 import java.security.interfaces.XECPrivateKey;
 import java.security.interfaces.XECPublicKey;
 
+import static com.yahoo.security.ArrayUtils.toUtf8Bytes;
+
 /**
  * Implements both the sender and receiver sides of a secure, anonymous one-way
  * key generation and exchange protocol implemented using HPKE; a hybrid crypto
@@ -40,9 +43,13 @@ import java.security.interfaces.XECPublicKey;
  */
 public class SharedKeyGenerator {
 
-    private static final int    AES_GCM_KEY_BITS      = 128;
-    private static final int    AES_GCM_AUTH_TAG_BITS = 128;
-    private static final String AES_GCM_ALGO_SPEC     = "AES/GCM/NoPadding";
+    private static final int AES_GCM_KEY_BITS      = 128;
+    private static final int AES_GCM_AUTH_TAG_BITS = 128;
+
+    private static final int CHACHA20_POLY1305_KEY_BITS       = 256;
+    private static final int CHACHA20_POLY1305_AUTH_TAG_BITS  = 128;
+    private static final byte[] CHACHA20_POLY1305_KDF_CONTEXT = toUtf8Bytes("ChaCha20Poly1305 key expansion");
+
     private static final byte[] EMPTY_BYTES           = new byte[0];
     private static final SecureRandom SHARED_CSPRNG   = new SecureRandom();
     // Since the HPKE ciphersuite is not provided in the token, we must be very explicit about what it always is
@@ -61,7 +68,7 @@ public class SharedKeyGenerator {
 
     public static SecretSharedKey generateForReceiverPublicKey(PublicKey receiverPublicKey, KeyId keyId) {
         var secretKey = generateRandomSecretAesKey();
-        return internalSealSecretKeyForReceiver(secretKey, receiverPublicKey, keyId);
+        return internalSealSecretKeyForReceiver(SealedSharedKey.CURRENT_TOKEN_VERSION, secretKey, receiverPublicKey, keyId);
     }
 
     public static SecretSharedKey fromSealedKey(SealedSharedKey sealedKey, PrivateKey receiverPrivateKey) {
@@ -71,13 +78,15 @@ public class SharedKeyGenerator {
     }
 
     public static SecretSharedKey reseal(SecretSharedKey secret, PublicKey receiverPublicKey, KeyId keyId) {
-        return internalSealSecretKeyForReceiver(secret.secretKey(), receiverPublicKey, keyId);
+        // The resealed token must inherit the token version of the original token, or the receiver will
+        // end up trying to decrypt with the wrong parameters and/or cipher.
+        return internalSealSecretKeyForReceiver(secret.sealedSharedKey().tokenVersion(), secret.secretKey(), receiverPublicKey, keyId);
     }
 
-    private static SecretSharedKey internalSealSecretKeyForReceiver(SecretKey secretKey, PublicKey receiverPublicKey, KeyId keyId) {
+    private static SecretSharedKey internalSealSecretKeyForReceiver(int tokenVersion, SecretKey secretKey, PublicKey receiverPublicKey, KeyId keyId) {
         // We protect the integrity of the key ID by passing it as AAD.
         var sealed = HPKE.sealBase((XECPublicKey) receiverPublicKey, EMPTY_BYTES, keyId.asBytes(), secretKey.getEncoded());
-        var sealedSharedKey = new SealedSharedKey(keyId, sealed.enc(), sealed.ciphertext());
+        var sealedSharedKey = new SealedSharedKey(tokenVersion, keyId, sealed.enc(), sealed.ciphertext());
         return new SecretSharedKey(secretKey, sealedSharedKey);
     }
 
@@ -88,6 +97,7 @@ public class SharedKeyGenerator {
     // token recipient (which would be the case if the IV were deterministically derived
     // from the recipient key and ephemeral ECDH public key), as that would preclude
     // support for delegated key forwarding.
+    // Both AES GCM and ChaCha20Poly1305 use a 96-bit user-supplied IV.
     private static final byte[] FIXED_96BIT_IV_FOR_SINGLE_USE_KEY = new byte[] {
             'h','e','r','e','B','d','r','a','g','o','n','s' // Nothing up my sleeve!
     };
@@ -100,12 +110,24 @@ public class SharedKeyGenerator {
         return AeadCipher.of(cipher);
     }
 
+    private static AeadCipher makeChaCha20Poly1305Cipher(SecretSharedKey secretSharedKey, boolean forEncryption) {
+        // ChaCha20Poly1305 uses 256-bit keys, but our shared secret keys are 128 bit.
+        // Deterministically derive a longer key from the existing key using a KDF.
+        var expandedKey = HKDF.unsaltedExtractedFrom(secretSharedKey.secretKey().getEncoded())
+                .expand(CHACHA20_POLY1305_KEY_BITS / 8, CHACHA20_POLY1305_KDF_CONTEXT);
+        var aeadParams = new AEADParameters(new KeyParameter(expandedKey), CHACHA20_POLY1305_AUTH_TAG_BITS,
+                                            FIXED_96BIT_IV_FOR_SINGLE_USE_KEY);
+        var cipher = new ChaCha20Poly1305();
+        cipher.init(forEncryption, aeadParams);
+        return AeadCipher.of(new ChaCha20Poly1305AeadBlockCipherAdapter(cipher));
+    }
+
     /**
      * Creates an AES-GCM cipher that can be used to encrypt arbitrary plaintext.
      *
      * The given secret key MUST NOT be used to encrypt more than one plaintext.
      */
-    public static AeadCipher makeAesGcmEncryptionCipher(SecretSharedKey secretSharedKey) {
+    static AeadCipher makeAesGcmEncryptionCipher(SecretSharedKey secretSharedKey) {
         return makeAesGcmCipher(secretSharedKey, true);
     }
 
@@ -113,8 +135,25 @@ public class SharedKeyGenerator {
      * Creates an AES-GCM cipher that can be used to decrypt ciphertext that was previously
      * encrypted with the given secret key.
      */
-    public static AeadCipher makeAesGcmDecryptionCipher(SecretSharedKey secretSharedKey) {
+    static AeadCipher makeAesGcmDecryptionCipher(SecretSharedKey secretSharedKey) {
         return makeAesGcmCipher(secretSharedKey, false);
     }
 
+    /**
+     * Creates a ChaCha20-Poly1305 cipher that can be used to encrypt arbitrary plaintext.
+     *
+     * The given secret key MUST NOT be used to encrypt more than one plaintext.
+     */
+    static AeadCipher makeChaCha20Poly1305EncryptionCipher(SecretSharedKey secretSharedKey) {
+        return makeChaCha20Poly1305Cipher(secretSharedKey, true);
+    }
+
+    /**
+     * Creates a ChaCha20-Poly1305 cipher that can be used to decrypt ciphertext that was previously
+     * encrypted with the given secret key.
+     */
+    static AeadCipher makeChaCha20Poly1305DecryptionCipher(SecretSharedKey secretSharedKey) {
+        return makeChaCha20Poly1305Cipher(secretSharedKey, false);
+    }
+
 }