Refactor: use clean util

README.md

@@ -518,7 +518,7 @@ encrypt (8KB)
 ├─chacha20poly1305 x 22,691 ops/sec @ 44μs/op
 ├─xchacha20poly1305 x 22,463 ops/sec @ 44μs/op
 ├─aes-256-gcm x 8,082 ops/sec @ 123μs/op
-└─aes-256-gcm-siv x 2,376 ops/sec @ 420μs/op
+└─aes-256-gcm-siv x 7,907 ops/sec @ 126μs/op
 encrypt (1MB)
 ├─xsalsa20poly1305 x 171 ops/sec @ 5ms/op
 ├─chacha20poly1305 x 186 ops/sec @ 5ms/op

src/_arx.ts

@@ -1,6 +1,6 @@
 // Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers.
-import { number as anumber, bytes as abytes, bool as abool } from './_assert.js';
-import { XorStream, checkOpts, u32, copyBytes } from './utils.js';
+import { bool as abool, bytes as abytes, number as anumber } from './_assert.js';
+import { XorStream, checkOpts, clean, copyBytes, u32 } from './utils.js';
 
 /*
 RFC8439 requires multi-step cipher stream, where
@@ -207,7 +207,7 @@ export function createCipher(core: CipherCoreFn, opts: CipherOpts): XorStream {
     }
     const n32 = u32(nonce);
     runCipher(core, sigma, k32, n32, data, output, counter, rounds);
-    for (const i of toClean) i.fill(0);
+    clean(...toClean)
     return output;
   };
 }

src/_micro.ts

@@ -1,11 +1,14 @@
 /*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
 // prettier-ignore
-import {
-  Cipher, XorStream, createView, setBigUint64, wrapCipher,
-  bytesToHex, concatBytes, equalBytes, hexToNumber, numberToBytesBE,
-} from './utils.js';
 import { createCipher, rotl } from './_arx.js';
 import { bytes as abytes } from './_assert.js';
+import {
+  Cipher, XorStream,
+  bytesToHex, concatBytes,
+  createView,
+  equalBytes, hexToNumber, numberToBytesBE,
+  setBigUint64, wrapCipher,
+} from './utils.js';
 
 /*
 noble-ciphers-micro: more auditable, but slower version of salsa20, chacha & poly1305.
@@ -73,7 +76,7 @@ function salsaCore(
   const y = new Uint32Array([
     s[0], k[0], k[1], k[2], // "expa" Key     Key     Key
     k[3], s[1], n[0], n[1], // Key    "nd 3"  Nonce   Nonce
-    cnt,  0   , s[2], k[4], // Pos.   Pos.    "2-by"  Key
+    cnt, 0, s[2], k[4], // Pos.   Pos.    "2-by"  Key
     k[5], k[6], k[7], s[3], // Key    Key     Key     "te k"
   ]);
   const x = y.slice();
@@ -91,10 +94,10 @@ export function hsalsa(s: Uint32Array, k: Uint32Array, i: Uint32Array, o32: Uint
   ]);
   salsaRound(x, 20);
   let oi = 0;
-  o32[oi++] = x[0];  o32[oi++] = x[5];
+  o32[oi++] = x[0]; o32[oi++] = x[5];
   o32[oi++] = x[10]; o32[oi++] = x[15];
-  o32[oi++] = x[6];  o32[oi++] = x[7];
-  o32[oi++] = x[8];  o32[oi++] = x[9];
+  o32[oi++] = x[6]; o32[oi++] = x[7];
+  o32[oi++] = x[8]; o32[oi++] = x[9];
 }
 
 function chachaCore(
@@ -110,7 +113,7 @@ function chachaCore(
     s[0], s[1], s[2], s[3], // "expa"   "nd 3"  "2-by"  "te k"
     k[0], k[1], k[2], k[3], // Key      Key     Key     Key
     k[4], k[5], k[6], k[7], // Key      Key     Key     Key
-    cnt,  n[0], n[1], n[2], // Counter  Counter Nonce   Nonce
+    cnt, n[0], n[1], n[2], // Counter  Counter Nonce   Nonce
   ]);
   const x = y.slice();
   chachaRound(x, rounds);
@@ -127,8 +130,8 @@ export function hchacha(s: Uint32Array, k: Uint32Array, i: Uint32Array, o32: Uin
   ]);
   chachaRound(x, 20);
   let oi = 0;
-  o32[oi++] = x[0];  o32[oi++] = x[1];
-  o32[oi++] = x[2];  o32[oi++] = x[3];
+  o32[oi++] = x[0]; o32[oi++] = x[1];
+  o32[oi++] = x[2]; o32[oi++] = x[3];
   o32[oi++] = x[12]; o32[oi++] = x[13];
   o32[oi++] = x[14]; o32[oi++] = x[15];
 }
@@ -282,30 +285,30 @@ export function secretbox(key: Uint8Array, nonce: Uint8Array) {
 
 export const _poly1305_aead =
   (fn: XorStream) =>
-  (key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array): Cipher => {
-    const tagLength = 16;
-    const keyLength = 32;
-    abytes(key, keyLength);
-    abytes(nonce);
-    return {
-      encrypt(plaintext: Uint8Array) {
-        abytes(plaintext);
-        const res = fn(key, nonce, plaintext, undefined, 1);
-        const tag = computeTag(fn, key, nonce, res, AAD);
-        return concatBytes(res, tag);
-      },
-      decrypt(ciphertext: Uint8Array) {
-        abytes(ciphertext);
-        if (ciphertext.length < tagLength)
-          throw new Error(`encrypted data must be at least ${tagLength} bytes`);
-        const passedTag = ciphertext.subarray(-tagLength);
-        const data = ciphertext.subarray(0, -tagLength);
-        const tag = computeTag(fn, key, nonce, data, AAD);
-        if (!equalBytes(passedTag, tag)) throw new Error('invalid poly1305 tag');
-        return fn(key, nonce, data, undefined, 1);
-      },
+    (key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array): Cipher => {
+      const tagLength = 16;
+      const keyLength = 32;
+      abytes(key, keyLength);
+      abytes(nonce);
+      return {
+        encrypt(plaintext: Uint8Array) {
+          abytes(plaintext);
+          const res = fn(key, nonce, plaintext, undefined, 1);
+          const tag = computeTag(fn, key, nonce, res, AAD);
+          return concatBytes(res, tag);
+        },
+        decrypt(ciphertext: Uint8Array) {
+          abytes(ciphertext);
+          if (ciphertext.length < tagLength)
+            throw new Error(`encrypted data must be at least ${tagLength} bytes`);
+          const passedTag = ciphertext.subarray(-tagLength);
+          const data = ciphertext.subarray(0, -tagLength);
+          const tag = computeTag(fn, key, nonce, data, AAD);
+          if (!equalBytes(passedTag, tag)) throw new Error('invalid poly1305 tag');
+          return fn(key, nonce, data, undefined, 1);
+        },
+      };
     };
-  };
 
 /**
  * chacha20-poly1305 12-byte-nonce chacha.

src/_poly1305.ts

@@ -1,5 +1,5 @@
-import { exists as aexists, bytes as abytes, output as aoutput } from './_assert.js';
-import { Input, toBytes, Hash } from './utils.js';
+import { bytes as abytes, exists as aexists, output as aoutput } from './_assert.js';
+import { Hash, Input, clean, toBytes } from './utils.js';
 
 // Poly1305 is a fast and parallel secret-key message-authentication code.
 // https://cr.yp.to/mac.html, https://cr.yp.to/mac/poly1305-20050329.pdf
@@ -214,15 +214,15 @@ class Poly1305 implements Hash<Poly1305> {
       f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0;
       h[i] = f & 0xffff;
     }
-    g.fill(0);
+    clean(g);
   }
   update(data: Input): this {
     aexists(this);
     const { buffer, blockLen } = this;
     data = toBytes(data);
     const len = data.length;
 
-    for (let pos = 0; pos < len; ) {
+    for (let pos = 0; pos < len;) {
       const take = Math.min(blockLen - this.pos, len - pos);
       // Fast path: we have at least one block in input
       if (take === blockLen) {
@@ -240,10 +240,7 @@ class Poly1305 implements Hash<Poly1305> {
     return this;
   }
   destroy() {
-    this.h.fill(0);
-    this.r.fill(0);
-    this.buffer.fill(0);
-    this.pad.fill(0);
+    clean(this.h, this.r, this.buffer, this.pad);
   }
   digestInto(out: Uint8Array) {
     aexists(this);
@@ -253,7 +250,6 @@ class Poly1305 implements Hash<Poly1305> {
     let { pos } = this;
     if (pos) {
       buffer[pos++] = 1;
-      // buffer.subarray(pos).fill(0);
       for (; pos < 16; pos++) buffer[pos] = 0;
       this.process(buffer, 0, true);
     }

src/_polyval.ts

@@ -1,5 +1,5 @@
-import { createView, toBytes, Input, Hash, u32, copyBytes } from './utils.js';
 import { bytes as abytes, exists as aexists, output as aoutput } from './_assert.js';
+import { clean, copyBytes, createView, Hash, Input, toBytes, u32 } from './utils.js';
 
 // GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV.
 // Implemented in terms of GHash with conversion function for keys
@@ -148,7 +148,7 @@ class GHASH implements Hash<GHASH> {
     if (left) {
       ZEROS16.set(data.subarray(blocks * BLOCK_SIZE));
       this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]);
-      ZEROS32.fill(0); // clean tmp buffer
+      clean(ZEROS32); // clean tmp buffer
     }
     return this;
   }
@@ -184,7 +184,7 @@ class Polyval extends GHASH {
     key = toBytes(key);
     const ghKey = _toGHASHKey(copyBytes(key));
     super(ghKey, expectedLength);
-    ghKey.fill(0);
+    clean(ghKey);
   }
   update(data: Input): this {
     data = toBytes(data);
@@ -208,7 +208,7 @@ class Polyval extends GHASH {
         swapLE(ZEROS32[1]),
         swapLE(ZEROS32[0])
       );
-      ZEROS32.fill(0); // clean tmp buffer
+      clean(ZEROS32);
     }
     return this;
   }