            /// <summary>
            /// Generate a key.
            /// </summary>
            /// <returns>A Poly1305 key.</returns>
            public Key GenerateKey()
                Poly1305KeyGenerator cipherKeyGenerator = new Poly1305KeyGenerator();

                cipherKeyGenerator.Init(new Internal.KeyGenerationParameters(random, keySizeInBits));
                return(new Key(cipherKeyGenerator.GenerateKey()));
 public TestCase(string key, string nonce, string message, string expectedMac)
     this.key = Hex.Decode(key);
     // nacl test case keys are not pre-Clamped
     this.nonce       = (nonce == null) ? null : Hex.Decode(nonce);
     this.message     = Hex.Decode(message);
     this.expectedMac = Hex.Decode(expectedMac);
        private void testReset()
            CipherKeyGenerator gen = new Poly1305KeyGenerator();

            gen.Init(new KeyGenerationParameters(new SecureRandom(), 256));
            byte[] k = gen.GenerateKey();

            byte[] m      = new byte[10000];
            byte[] check  = new byte[16];
            byte[] output = new byte[16];

            // Generate baseline
            IMac poly = new Poly1305(new AesFastEngine());

            poly.Init(new ParametersWithIV(new KeyParameter(k), new byte[16]));

            poly.BlockUpdate(m, 0, m.Length);
            poly.DoFinal(check, 0);

            // Check reset after doFinal
            poly.BlockUpdate(m, 0, m.Length);
            poly.DoFinal(output, 0);

            if (!Arrays.AreEqual(check, output))
                Fail("Mac not reset after doFinal");

            // Check reset
            poly.BlockUpdate(m, 0, m.Length);
            poly.DoFinal(output, 0);

            if (!Arrays.AreEqual(check, output))
                Fail("Mac not reset after doFinal");

            // Check init resets
            poly.Init(new ParametersWithIV(new KeyParameter(k), new byte[16]));
            poly.BlockUpdate(m, 0, m.Length);
            poly.DoFinal(output, 0);

            if (!Arrays.AreEqual(check, output))
                Fail("Mac not reset after doFinal");
        protected virtual KeyParameter InitRecordMac(ChaChaEngine cipher, bool forEncryption, long seqNo)
            byte[] array = new byte[8];
            TlsUtilities.WriteUint64(seqNo, array, 0);
            cipher.Init(forEncryption, new ParametersWithIV(null, array));
            byte[] array2 = new byte[64];
            cipher.ProcessBytes(array2, 0, array2.Length, array2, 0);
            Array.Copy(array2, 0, array2, 32, 16);
            KeyParameter keyParameter = new KeyParameter(array2, 16, 32);

        protected virtual KeyParameter GenerateRecordMacKey(IStreamCipher cipher)
            byte[] firstBlock = new byte[64];
            cipher.ProcessBytes(firstBlock, 0, firstBlock.Length, firstBlock, 0);

            // NOTE: The BC implementation puts 'r' after 'k'
            Array.Copy(firstBlock, 0, firstBlock, 32, 16);
            Poly1305KeyGenerator.Clamp(firstBlock, 16);
            KeyParameter macKey = new KeyParameter(firstBlock, 16, 32);

            Arrays.Fill(firstBlock, (byte)0);
        protected virtual KeyParameter InitRecordMac(ChaChaEngine cipher, bool forEncryption, long seqNo)
            byte[] nonce = new byte[8];
            TlsUtilities.WriteUint64(seqNo, nonce, 0);

            cipher.Init(forEncryption, new ParametersWithIV(null, nonce));

            byte[] firstBlock = new byte[64];
            cipher.ProcessBytes(firstBlock, 0, firstBlock.Length, firstBlock, 0);

            // NOTE: The BC implementation puts 'r' after 'k'
            Array.Copy(firstBlock, 0, firstBlock, 32, 16);
            KeyParameter macKey = new KeyParameter(firstBlock, 16, 32);

        private void testInit()
            CipherKeyGenerator gen = new Poly1305KeyGenerator();

            gen.Init(new KeyGenerationParameters(new SecureRandom(), 256));
            byte[] k = gen.GenerateKey();

            IMac poly = new Poly1305(new AesFastEngine());

            poly.Init(new ParametersWithIV(new KeyParameter(k), new byte[16]));

                poly.Init(new ParametersWithIV(new KeyParameter(k), new byte[15]));
                Fail("16 byte nonce required");
            catch (ArgumentException)
                // Expected

                byte[] k2 = new byte[k.Length - 1];
                Array.Copy(k, 0, k2, 0, k2.Length);
                poly.Init(new ParametersWithIV(new KeyParameter(k2), new byte[16]));
                Fail("32 byte key required");
            catch (ArgumentException)
                // Expected

             *          try
             *          {
             *                  k[19] = (byte)0xFF;
             *                  poly.Init(new ParametersWithIV(new KeyParameter(k), new byte[16]));
             *                  Fail("UnClamped key should not be accepted.");
             *          }
             * catch (ArgumentException)
             *          {
             *                  // Expected
             *          }
        private void SetKey(byte[] key, byte[] nonce)
            if (cipher != null && (nonce == null || nonce.Length != BLOCK_SIZE))
                throw new ArgumentException("Poly1305 requires a 128 bit IV.");


            // Extract r portion of key
            uint t0 = Pack.LE_To_UInt32(key, BLOCK_SIZE + 0);
            uint t1 = Pack.LE_To_UInt32(key, BLOCK_SIZE + 4);
            uint t2 = Pack.LE_To_UInt32(key, BLOCK_SIZE + 8);
            uint t3 = Pack.LE_To_UInt32(key, BLOCK_SIZE + 12);

            r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6;
            r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12;
            r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18;
            r3 = t2 & 0x3f03fff; t3 >>= 8;
            r4 = t3 & 0x00fffff;

            // Precompute multipliers
            s1 = r1 * 5;
            s2 = r2 * 5;
            s3 = r3 * 5;
            s4 = r4 * 5;

            byte[] kBytes;
            if (cipher == null)
                kBytes = key;
                // Compute encrypted nonce
                kBytes = new byte[BLOCK_SIZE];
                cipher.Init(true, new KeyParameter(key, 0, BLOCK_SIZE));
                cipher.ProcessBlock(nonce, 0, kBytes, 0);

            k0 = Pack.LE_To_UInt32(kBytes, 0);
            k1 = Pack.LE_To_UInt32(kBytes, 4);
            k2 = Pack.LE_To_UInt32(kBytes, 8);
            k3 = Pack.LE_To_UInt32(kBytes, 12);
        private void SetKey(byte[] key, byte[] nonce)
            //IL_0017: Unknown result type (might be due to invalid IL or missing references)
            if (cipher != null && (nonce == null || nonce.Length != 16))
                throw new ArgumentException("Poly1305 requires a 128 bit IV.");
            uint num  = Pack.LE_To_UInt32(key, 16);
            uint num2 = Pack.LE_To_UInt32(key, 20);
            uint num3 = Pack.LE_To_UInt32(key, 24);
            uint num4 = Pack.LE_To_UInt32(key, 28);

            r0     = num & 0x3FFFFFFu;
            num  >>= 26;
            num   |= num2 << 6;
            r1     = num & 0x3FFFF03u;
            num2 >>= 20;
            num2  |= num3 << 12;
            r2     = num2 & 0x3FFC0FFu;
            num3 >>= 14;
            num3  |= num4 << 18;
            r3     = num3 & 0x3F03FFFu;
            num4 >>= 8;
            r4     = num4 & 0xFFFFFu;
            s1     = r1 * 5;
            s2     = r2 * 5;
            s3     = r3 * 5;
            s4     = r4 * 5;
            byte[] array;
            if (cipher == null)
                array = key;
                array = new byte[16];
                cipher.Init(forEncryption: true, new KeyParameter(key, 0, 16));
                cipher.ProcessBlock(nonce, 0, array, 0);
            k0 = Pack.LE_To_UInt32(array, 0);
            k1 = Pack.LE_To_UInt32(array, 4);
            k2 = Pack.LE_To_UInt32(array, 8);
            k3 = Pack.LE_To_UInt32(array, 12);
        private void SetKey(byte[] key, byte[] nonce)
            if (this.cipher != null && (nonce == null || nonce.Length != 16))
                throw new ArgumentException("Poly1305 requires a 128 bit IV.");
            uint num  = Pack.LE_To_UInt32(key, 16);
            uint num2 = Pack.LE_To_UInt32(key, 20);
            uint num3 = Pack.LE_To_UInt32(key, 24);
            uint num4 = Pack.LE_To_UInt32(key, 28);

            this.r0 = (num & 67108863u);
            num   >>= 26;
            num    |= num2 << 6;
            this.r1 = (num & 67108611u);
            num2  >>= 20;
            num2   |= num3 << 12;
            this.r2 = (num2 & 67092735u);
            num3  >>= 14;
            num3   |= num4 << 18;
            this.r3 = (num3 & 66076671u);
            num4  >>= 8;
            this.r4 = (num4 & 1048575u);
            this.s1 = this.r1 * 5u;
            this.s2 = this.r2 * 5u;
            this.s3 = this.r3 * 5u;
            this.s4 = this.r4 * 5u;
            byte[] array;
            if (this.cipher == null)
                array = key;
                array = new byte[16];
                this.cipher.Init(true, new KeyParameter(key, 0, 16));
                this.cipher.ProcessBlock(nonce, 0, array, 0);
            this.k0 = Pack.LE_To_UInt32(array, 0);
            this.k1 = Pack.LE_To_UInt32(array, 4);
            this.k2 = Pack.LE_To_UInt32(array, 8);
            this.k3 = Pack.LE_To_UInt32(array, 12);
        private void testKeyGenerator()
            CipherKeyGenerator gen = new Poly1305KeyGenerator();

            gen.Init(new KeyGenerationParameters(new SecureRandom(), 256));
            byte[] k = gen.GenerateKey();

            if (k.Length != 32)
                Fail("Poly1305 key should be 256 bits.");

            catch (ArgumentException)
                Fail("Poly1305 key should be Clamped on generation.");

            byte[] k2 = new byte[k.Length];
            Array.Copy(k, 0, k2, 0, k2.Length);
            if (!Arrays.AreEqual(k, k2))
                Fail("Poly1305 key should be Clamped on generation.");

             *          try
             *          {
             *                  k2[19] = (byte)0xff;
             *                  Poly1305KeyGenerator.CheckKey(k2);
             *                  Fail("UnClamped key should fail check.");
             *          }
             * catch (ArgumentException)
             *          {
             *                  // Expected
             *          }
        private KeyParameter InitRecordMAC(ChaChaEngine cipher)
            byte[] zeroes = StringToByteArray(
                + "00000000000000000000000000000000"
                + "00000000000000000000000000000000"
                + "00000000000000000000000000000000");

            byte[] firstBlock = new byte[64];
            cipher.ProcessBytes(zeroes, 0, firstBlock.Length, firstBlock, 0);

            Console.WriteLine("ChaCha OutBytes");

            // NOTE: The BC implementation puts 'r' after 'k'
            //Array.Copy(firstBlock, 0, firstBlock, 32, 16);
            //KeyParameter macKey = new KeyParameter(firstBlock, 16, 32);

            // 8th January, 2018 21:05
            // The above code is from the github HAP-Java implementation. The problem was that the clamp() operator
            // wasn't having any effect! I'm guessing it's because the getKey() returns a new instance each time.
            // To work around this, I create a buffer, clamp it and then create a KeyParameter with the new byte[]
            // How the f**k I spotted this I'll never know.

            KeyParameter macKey = new KeyParameter(firstBlock, 0, 32);

            var key = macKey.GetKey();





            return(new KeyParameter(key));
        private void testSequential()
            // Sequential test, adapted from test-poly1305aes
            int len;

            byte[] kr     = new byte[32];
            byte[] m      = new byte[MAXLEN];
            byte[] n      = new byte[16];
            byte[] output = new byte[16];

            int  c   = 0;
            IMac mac = new Poly1305(new AesFastEngine());

            for (int loop = 0; loop < 13; loop++)
                len = 0;
                for (;;)
                    mac.Init(new ParametersWithIV(new KeyParameter(kr), n));
                    mac.BlockUpdate(m, 0, len);
                    mac.DoFinal(output, 0);

                    // if (c == 678)
                    // {
                    // TestCase tc = CASES[0];
                    // if (!Arrays.AreEqual(tc.key, kr))
                    // {
                    // System.err.println("Key bad");
                    // System.err.println(Hex.ToHexString(tc.key)));
                    // System.err.println(Hex.ToHexString(kr)));
                    // System.exit(1);
                    // }
                    // if (!Arrays.AreEqual(tc.nonce, n))
                    // {
                    // System.err.println("Nonce bad");
                    // System.exit(1);
                    // }
                    // System.out.printf("[%d] m: %s\n", c, Hex.ToHexString(m, 0, len)));
                    // System.out.printf("[%d] K: %s\n", c, new string(Hex.encodje(kr)));
                    // System.out.printf("[%d] N: %s\n", c, Hex.ToHexString(n)));
                    // System.out.printf("[%d] M: ", c);
                    // }
                    // System.out.printf("%d/%s\n", c, Hex.ToHexString(out)));

                    if (len >= MAXLEN)
                    n[0] = (byte)(n[0] ^ loop);
                    for (int i = 0; i < 16; ++i)
                        n[i] ^= output[i];
                    if (len % 2 != 0)
                        for (int i = 0; i < 16; ++i)
                            kr[i] ^= output[i];
                    if (len % 3 != 0)
                        for (int i = 0; i < 16; ++i)
                            kr[i + 16] ^= output[i];
                    m[len++] ^= output[0];
            // Output after 13 loops as generated by poly1305 ref
            if (c != 13013 || !Arrays.AreEqual(output, Hex.Decode("c96f60a23701a5b0fd2016f58cbe4f7e")))
                Fail("Sequential Poly1305 " + c, "c96f60a23701a5b0fd2016f58cbe4f7e", Hex.ToHexString(output));