summary refs log tree commit diff
diff options
context:
space:
mode:
authorgefeili <gli@keyfactor.com>2023-02-06 14:37:18 +1030
committergefeili <gli@keyfactor.com>2023-02-06 14:37:18 +1030
commit4e7ceed5e30cde7d8554bfa63285131c3762ed10 (patch)
tree83e5967c6db62d814d25282d29809a85684cd479
parentInitial push for Sparkle (diff)
downloadBouncyCastle.NET-ed25519-4e7ceed5e30cde7d8554bfa63285131c3762ed10.tar.xz
Complete Sparkle tests
-rw-r--r--crypto/src/crypto/digests/SparkleDigest.cs14
-rw-r--r--crypto/src/crypto/engines/SparkleEngine.cs294
-rw-r--r--crypto/test/src/crypto/test/SparkleTest.cs391
3 files changed, 601 insertions, 98 deletions
diff --git a/crypto/src/crypto/digests/SparkleDigest.cs b/crypto/src/crypto/digests/SparkleDigest.cs
index 33c6079c8..b8134dd91 100644
--- a/crypto/src/crypto/digests/SparkleDigest.cs
+++ b/crypto/src/crypto/digests/SparkleDigest.cs
@@ -18,7 +18,7 @@ namespace Org.BouncyCastle.Crypto.Digests
             ESCH256,
             ESCH384
         }
-
+        private string algorithmName;
         private readonly uint[] state;
         private MemoryStream message = new MemoryStream();
         private readonly int DIGEST_BYTES;
@@ -41,12 +41,14 @@ namespace Org.BouncyCastle.Crypto.Digests
                     SPARKLE_STATE = 384;
                     SPARKLE_STEPS_SLIM = 7;
                     SPARKLE_STEPS_BIG = 11;
+                    algorithmName = "ESCH-256";
                     break;
                 case SparkleParameters.ESCH384:
                     ESCH_DIGEST_LEN = 384;
                     SPARKLE_STATE = 512;
                     SPARKLE_STEPS_SLIM = 8;
                     SPARKLE_STEPS_BIG = 12;
+                    algorithmName = "ESCH-384";
                     break;
                 default:
                     throw new ArgumentException("Invalid definition of SCHWAEMM instance");
@@ -129,12 +131,20 @@ namespace Org.BouncyCastle.Crypto.Digests
 
         public void BlockUpdate(byte[] input, int inOff, int len)
         {
+            if (inOff + len > input.Length)
+            {
+                throw new DataLengthException(algorithmName + " input buffer too short");
+            }
             message.Write(input, inOff, len);
         }
 
 
         public int DoFinal(byte[] output, int outOff)
         {
+            if (outOff + DIGEST_BYTES > output.Length)
+            {
+                throw new OutputLengthException(algorithmName + " input buffer too short");
+            }
             byte[] input = message.GetBuffer();
             int inlen = (int)message.Length, i, inOff = 0;
             uint tmpx, tmpy;
@@ -214,7 +224,7 @@ namespace Org.BouncyCastle.Crypto.Digests
             return DIGEST_BYTES;
         }
 
-        public String AlgorithmName => "Sparkle Hash";
+        public string AlgorithmName => algorithmName;
 
 
         public void Update(byte input)
diff --git a/crypto/src/crypto/engines/SparkleEngine.cs b/crypto/src/crypto/engines/SparkleEngine.cs
index 5322ee464..bbdce7ef8 100644
--- a/crypto/src/crypto/engines/SparkleEngine.cs
+++ b/crypto/src/crypto/engines/SparkleEngine.cs
@@ -13,7 +13,7 @@ using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Crypto.Engines
 {
-    public class SparkleEngine : IAeadCipher
+    public class SparkleEngine : IAeadBlockCipher
     {
         public enum SparkleParameters
         {
@@ -22,17 +22,22 @@ namespace Org.BouncyCastle.Crypto.Engines
             SCHWAEMM192_192,
             SCHWAEMM256_256
         }
+        private string algorithmName;
+        private bool forEncryption;
         private readonly uint[] state;
         private readonly uint[] k;
         private readonly uint[] npub;
-        private readonly byte[] tag;
+        private byte[] tag;
+        private bool initialised;
         private bool encrypted;
         private bool aadFinished;
         private readonly MemoryStream aadData = new MemoryStream();
+        private readonly MemoryStream message = new MemoryStream();
         private readonly int SCHWAEMM_KEY_LEN;
         private readonly int SCHWAEMM_NONCE_LEN;
         private readonly int SPARKLE_STEPS_SLIM;
         private readonly int SPARKLE_STEPS_BIG;
+        private readonly int KEY_BYTES;
         private readonly int KEY_WORDS;
         private readonly int TAG_WORDS;
         private readonly int TAG_BYTES;
@@ -61,6 +66,7 @@ namespace Org.BouncyCastle.Crypto.Engines
                     SPARKLE_CAPACITY = 128;
                     SPARKLE_STEPS_SLIM = 7;
                     SPARKLE_STEPS_BIG = 10;
+                    algorithmName = "SCHWAEMM128-128";
                     break;
                 case SparkleParameters.SCHWAEMM256_128:
                     SCHWAEMM_KEY_LEN = 128;
@@ -70,6 +76,7 @@ namespace Org.BouncyCastle.Crypto.Engines
                     SPARKLE_CAPACITY = 128;
                     SPARKLE_STEPS_SLIM = 7;
                     SPARKLE_STEPS_BIG = 11;
+                    algorithmName = "SCHWAEMM256-128";
                     break;
                 case SparkleParameters.SCHWAEMM192_192:
                     SCHWAEMM_KEY_LEN = 192;
@@ -79,6 +86,7 @@ namespace Org.BouncyCastle.Crypto.Engines
                     SPARKLE_CAPACITY = 192;
                     SPARKLE_STEPS_SLIM = 7;
                     SPARKLE_STEPS_BIG = 11;
+                    algorithmName = "SCHWAEMM192-192";
                     break;
                 case SparkleParameters.SCHWAEMM256_256:
                     SCHWAEMM_KEY_LEN = 256;
@@ -88,11 +96,13 @@ namespace Org.BouncyCastle.Crypto.Engines
                     SPARKLE_CAPACITY = 256;
                     SPARKLE_STEPS_SLIM = 8;
                     SPARKLE_STEPS_BIG = 12;
+                    algorithmName = "SCHWAEMM256-256";
                     break;
                 default:
                     throw new ArgumentException("Invalid definition of SCHWAEMM instance");
             }
             KEY_WORDS = SCHWAEMM_KEY_LEN >> 5;
+            KEY_BYTES = SCHWAEMM_KEY_LEN >> 3;
             TAG_WORDS = SCHWAEMM_TAG_LEN >> 5;
             TAG_BYTES = SCHWAEMM_TAG_LEN >> 3;
             STATE_BRANS = SPARKLE_STATE >> 6;
@@ -109,6 +119,7 @@ namespace Org.BouncyCastle.Crypto.Engines
             tag = new byte[TAG_BYTES];
             k = new uint[KEY_WORDS];
             npub = new uint[RATE_WORDS];
+            initialised = false;
         }
 
         private uint ROT(uint x, int n)
@@ -186,8 +197,15 @@ namespace Org.BouncyCastle.Crypto.Engines
         // only authenticated but not encrypted, into the state (in blocks of size
         // RATE_BYTES). Note that this function MUST NOT be called when the length of
         // the associated data is 0.
-        void ProcessAssocData(uint[] state, byte[] input, int inlen)
+        void ProcessAssocData(uint[] state)
         {
+            int inlen = (int)aadData.Length;
+            if (aadFinished || inlen == 0)
+            {
+                return;
+            }
+            aadFinished = true;
+            byte[] input = aadData.GetBuffer();
             // Main Authentication Loop
             int inOff = 0, i, j;
             uint tmp;
@@ -241,13 +259,14 @@ namespace Org.BouncyCastle.Crypto.Engines
         // ('input' and 'output' can be the same array, i.e. they can have the same start
         // address). Note that this function MUST NOT be called when the length of the
         // plaintext is 0.
-        void ProcessPlainText(uint[] state, byte[] output, byte[] input, int inOff, int inlen)
+        private int ProcessPlainText(uint[] state, byte[] output, byte[] input, int inOff, int inlen)
         {
             // Main Encryption Loop
             int outOff = 0, i, j;
             uint tmp1, tmp2;
             uint[] in32 = Pack.LE_To_UInt32(input, inOff, input.Length >> 2);
             uint[] out32 = new uint[output.Length >> 2];
+            int rv = 0;
             while (inlen > RATE_BYTES)
             {
                 // combined Rho and rate-whitening operation
@@ -259,8 +278,16 @@ namespace Org.BouncyCastle.Crypto.Engines
                 {
                     tmp1 = state[i];
                     tmp2 = state[j];
-                    state[i] = state[j] ^ in32[i + (inOff >> 2)] ^ state[RATE_WORDS + i];
-                    state[j] ^= tmp1 ^ in32[j + (inOff >> 2)] ^ state[RATE_WORDS + CAP_INDEX(j)];
+                    if (forEncryption)
+                    {
+                        state[i] = state[j] ^ in32[i + (inOff >> 2)] ^ state[RATE_WORDS + i];
+                        state[j] ^= tmp1 ^ in32[j + (inOff >> 2)] ^ state[RATE_WORDS + CAP_INDEX(j)];
+                    }
+                    else
+                    {
+                        state[i] ^= state[j] ^ in32[i + (inOff >> 2)] ^ state[RATE_WORDS + i];
+                        state[j] = tmp1 ^ in32[j + (inOff >> 2)] ^ state[RATE_WORDS + CAP_INDEX(j)];
+                    }
                     out32[i] = in32[i] ^ tmp1;
                     out32[j] = in32[j] ^ tmp2;
                 }
@@ -270,49 +297,18 @@ namespace Org.BouncyCastle.Crypto.Engines
                 inlen -= RATE_BYTES;
                 outOff += RATE_BYTES;
                 inOff += RATE_BYTES;
+                rv += RATE_BYTES;
+                encrypted = true;
             }
-            // Encryption of Last Block
-            // addition of ant M2 or M3 to the state
-            state[STATE_WORDS - 1] ^= ((inlen < RATE_BYTES) ? _M2 : _M3);
-            // combined Rho and rate-whitening (incl. padding)
-            // Rho and rate-whitening for the encryption of the last plaintext block. Since
-            // this last block may require padding, it is always copied to a buffer.
-            uint[] buffer = new uint[RATE_WORDS];
-            for (i = 0; i < inlen; ++i)
-            {
-                buffer[i >> 2] |= (input[inOff++] & 0xffu) << ((i & 3) << 3);
-            }
-            if (inlen < RATE_BYTES)
-            {  // padding
-                buffer[i >> 2] |= 0x80u << ((i & 3) << 3);
-            }
-            for (i = 0, j = RATE_WORDS / 2; i < RATE_WORDS / 2; i++, j++)
-            {
-                tmp1 = state[i];
-                tmp2 = state[j];
-                state[i] = state[j] ^ buffer[i] ^ state[RATE_WORDS + i];
-                state[j] ^= tmp1 ^ buffer[j] ^ state[RATE_WORDS + CAP_INDEX(j)];
-                buffer[i] ^= tmp1;
-                buffer[j] ^= tmp2;
-            }
-            for (i = 0; i < inlen; ++i)
-            {
-                output[outOff++] = (byte)(buffer[i >> 2] >> ((i & 3) << 3));
-            }
-            // execute SPARKLE with big number of steps
-            sparkle_opt(state, STATE_BRANS, SPARKLE_STEPS_BIG);
+            return rv;
         }
 
         public void Init(bool forEncryption, ICipherParameters param)
         {
-            /**
-             * Sparkle encryption and decryption is completely symmetrical, so the
-             * 'forEncryption' is irrelevant.
-             */
+            this.forEncryption = forEncryption;
             if (!(param is ParametersWithIV))
             {
-                throw new ArgumentException(
-                    "Sparkle init parameters must include an IV");
+                throw new ArgumentException(algorithmName + " init parameters must include an IV");
             }
 
             ParametersWithIV ivParams = (ParametersWithIV)param;
@@ -320,36 +316,48 @@ namespace Org.BouncyCastle.Crypto.Engines
 
             if (iv == null || iv.Length != SCHWAEMM_NONCE_LEN >> 3)
             {
-                throw new ArgumentException(
-                    "Sparkle requires exactly 16 bytes of IV");
+                throw new ArgumentException(algorithmName + " requires exactly 16 bytes of IV");
             }
             Pack.LE_To_UInt32(iv, 0, npub, 0, RATE_WORDS);
 
             if (!(ivParams.Parameters is KeyParameter))
             {
-                throw new ArgumentException(
-                    "Sparkle init parameters must include a key");
+                throw new ArgumentException(algorithmName + " init parameters must include a key");
             }
 
             KeyParameter key = (KeyParameter)ivParams.Parameters;
             byte[] key8 = key.GetKey();
             if (key8.Length != SCHWAEMM_KEY_LEN >> 3)
             {
-                throw new ArgumentException("Sparkle key must be 128 bits long");
+                throw new ArgumentException(algorithmName + " key must be 128 bits long");
             }
             Pack.LE_To_UInt32(key8, 0, k, 0, KEY_WORDS);
-
+            initialised = true;
             reset(false);
         }
 
         public void ProcessAadByte(byte input)
         {
+            if (encrypted)
+            {
+                throw new ArgumentException(algorithmName + ": AAD cannot be added after reading a full block(" +
+                    GetBlockSize() + " bytes) of input for " + (forEncryption ? "encryption" : "decryption"));
+            }
             aadData.Write(new byte[] { input }, 0, 1);
         }
 
 
         public void ProcessAadBytes(byte[] input, int inOff, int len)
         {
+            if (encrypted)
+            {
+                throw new ArgumentException(algorithmName + ": AAD cannot be added after reading a full block(" +
+                    GetBlockSize() + " bytes) of input for " + (forEncryption ? "encryption" : "decryption"));
+            }
+            if (inOff + len > input.Length)
+            {
+                throw new DataLengthException(algorithmName + " input buffer too short");
+            }
             aadData.Write(input, inOff, len);
         }
 
@@ -362,19 +370,33 @@ namespace Org.BouncyCastle.Crypto.Engines
 
         public int ProcessBytes(byte[] input, int inOff, int len, byte[] output, int outOff)
         {
-            if (encrypted)
+            if (!initialised)
             {
-                throw new ArgumentException("Sparkle has processed encryption/decryption");
+                throw new ArgumentException(algorithmName + " Need call init function before encryption/decryption");
             }
-            byte[] ad = aadData.GetBuffer();
-            int adsize = (int)aadData.Length;
-            if (adsize != 0)
+            if (inOff + len > input.Length)
             {
-                ProcessAssocData(state, ad, adsize);
+                throw new DataLengthException(algorithmName + " input buffer too short");
             }
-            if (len != 0)
+            message.Write(input, inOff, len);
+            len = 0;
+            if ((forEncryption && (int)message.Length > GetBlockSize()) ||
+                (!forEncryption && (int)message.Length - TAG_BYTES > GetBlockSize()))
             {
-                ProcessPlainText(state, output, input, inOff, len);
+                len = ((int)message.Length - (forEncryption ? 0 : TAG_BYTES));
+                if (len / RATE_BYTES * RATE_BYTES + outOff > output.Length)
+                {
+                    throw new OutputLengthException(algorithmName + " output buffer is too short");
+                }
+                byte[] m = message.GetBuffer();
+                ProcessAssocData(state);
+                if (len != 0)
+                {
+                    len = ProcessPlainText(state, output, m, 0, len);
+                }
+                int mlen = (int)message.Length;
+                message.SetLength(0);
+                message.Write(m, len, mlen - len);
             }
             return len;
         }
@@ -382,29 +404,97 @@ namespace Org.BouncyCastle.Crypto.Engines
 
         public int DoFinal(byte[] output, int outOff)
         {
-            GetMac();
-            Array.Copy(tag, 0, output, outOff, TAG_BYTES);
-            reset(false);
-            return TAG_BYTES;
-        }
-
-        public byte[] GetMac()
-        {
-            if (!aadFinished)
+            if (!initialised)
             {
-                // the key to the capacity part of the state.
-                uint[] buffer = new uint[TAG_WORDS];
-                // to prevent (potentially) unaligned memory accesses
-                Array.Copy(k, 0, buffer, 0, KEY_WORDS);
-                // add key to the capacity-part of the state
-                for (int i = 0; i < KEY_WORDS; i++)
+                throw new ArgumentException(algorithmName + " needs call init function before dofinal");
+            }
+            int inlen = (int)message.Length - (forEncryption ? 0 : TAG_BYTES);
+            if ((forEncryption && inlen + TAG_BYTES + outOff > output.Length) ||
+                (!forEncryption && inlen + outOff > output.Length))
+            {
+                throw new OutputLengthException("output buffer is too short");
+            }
+            ProcessAssocData(state);
+            int i, j;
+            uint tmp1, tmp2;
+            byte[] input = message.GetBuffer();
+            int inOff = 0;
+            if (encrypted || inlen != 0)
+            {
+                // Encryption of Last Block
+                // addition of ant M2 or M3 to the state
+                state[STATE_WORDS - 1] ^= ((inlen < RATE_BYTES) ? _M2 : _M3);
+                // combined Rho and rate-whitening (incl. padding)
+                // Rho and rate-whitening for the encryption of the last plaintext block. Since
+                // this last block may require padding, it is always copied to a buffer.
+                uint[] buffer = new uint[RATE_WORDS];
+                for (i = 0; i < inlen; ++i)
                 {
-                    state[RATE_WORDS + i] ^= buffer[i];
+                    buffer[i >> 2] |= (input[inOff++] & 0xffu) << ((i & 3) << 3);
                 }
-                aadFinished = true;
+                if (inlen < RATE_BYTES)
+                {
+                    if (!forEncryption)
+                    {
+                        int tmp = (i & 3) << 3;
+                        buffer[i >> 2] |= (state[i >> 2] >> tmp) << tmp;
+                        tmp = (i >> 2) + 1;
+                        Array.Copy(state, tmp, buffer, tmp, RATE_WORDS - tmp);
+                    }
+                    buffer[i >> 2] ^= 0x80u << ((i & 3) << 3);
+                }
+                for (i = 0, j = RATE_WORDS / 2; i < RATE_WORDS / 2; i++, j++)
+                {
+                    tmp1 = state[i];
+                    tmp2 = state[j];
+                    if (forEncryption)
+                    {
+                        state[i] = state[j] ^ buffer[i] ^ state[RATE_WORDS + i];
+                        state[j] ^= tmp1 ^ buffer[j] ^ state[RATE_WORDS + CAP_INDEX(j)];
+                    }
+                    else
+                    {
+                        state[i] ^= state[j] ^ buffer[i] ^ state[RATE_WORDS + i];
+                        state[j] = tmp1 ^ buffer[j] ^ state[RATE_WORDS + CAP_INDEX(j)];
+                    }
+                    buffer[i] ^= tmp1;
+                    buffer[j] ^= tmp2;
+                }
+                for (i = 0; i < inlen; ++i)
+                {
+                    output[outOff++] = (byte)(buffer[i >> 2] >> ((i & 3) << 3));
+                }
+                // execute SPARKLE with big number of steps
+                sparkle_opt(state, STATE_BRANS, SPARKLE_STEPS_BIG);
+            }
+            // add key to the capacity-part of the state
+            for (i = 0; i < KEY_WORDS; i++)
+            {
+                state[RATE_WORDS + i] ^= k[i];
             }
-            encrypted = true;
+            tag = new byte[TAG_BYTES];
             Pack.UInt32_To_LE(state, RATE_WORDS, TAG_WORDS, tag, 0);
+            if (forEncryption)
+            {
+                Array.Copy(tag, 0, output, outOff, TAG_BYTES);
+                inlen += TAG_BYTES;
+            }
+            else
+            {
+                for (i = 0; i < TAG_BYTES; ++i)
+                {
+                    if (tag[i] != input[inlen + i])
+                    {
+                        throw new ArgumentException(algorithmName + " mac does not match");
+                    }
+                }
+            }
+            reset(false);
+            return inlen;
+        }
+
+        public byte[] GetMac()
+        {
             return tag;
         }
 
@@ -423,6 +513,10 @@ namespace Org.BouncyCastle.Crypto.Engines
 
         public void Reset()
         {
+            if (!initialised)
+            {
+                throw new ArgumentException(algorithmName + " needs call init function before reset");
+            }
             reset(true);
         }
 
@@ -430,7 +524,7 @@ namespace Org.BouncyCastle.Crypto.Engines
         {
             if (clearMac)
             {
-                Arrays.Fill(tag, (byte)0);
+                tag = null;
             }
             // The Initialize function loads nonce and key into the state and executes the
             // SPARKLE permutation with the big number of steps.
@@ -441,10 +535,18 @@ namespace Org.BouncyCastle.Crypto.Engines
             // execute SPARKLE with big number of steps
             sparkle_opt(state, STATE_BRANS, SPARKLE_STEPS_BIG);
             aadData.SetLength(0);
+            message.SetLength(0);
             encrypted = false;
             aadFinished = false;
         }
-        public string AlgorithmName => "Sparkle AEAD";
+        public string AlgorithmName => algorithmName;
+
+        public IBlockCipher UnderlyingCipher => throw new NotImplementedException();
+
+        public int GetBlockSize()
+        {
+            return RATE_BYTES;
+        }
 
 
 
@@ -457,27 +559,47 @@ namespace Org.BouncyCastle.Crypto.Engines
         public int ProcessByte(byte input, Span<byte> output)
         {
             byte[] rv = new byte[1];
-            ProcessBytes(new byte[] { input }, 0, 1, rv, 0);
-            rv.AsSpan(0, 1).CopyTo(output);
-            return 1;
+            int len = ProcessBytes(new byte[] { input }, 0, 1, rv, 0);
+            rv.AsSpan(0, len).CopyTo(output);
+            return len;
+
         }
 
         public int ProcessBytes(ReadOnlySpan<byte> input, Span<byte> output)
         {
             byte[] rv = new byte[input.Length];
-            ProcessBytes(input.ToArray(), 0, rv.Length, rv, 0);
-            rv.AsSpan(0, rv.Length).CopyTo(output);
-            return rv.Length;
+            int len = ProcessBytes(input.ToArray(), 0, rv.Length, rv, 0);
+            rv.AsSpan(0, len).CopyTo(output);
+            return len;
         }
 
         public int DoFinal(Span<byte> output)
         {
-            byte[] tag = GetMac();
-            tag.AsSpan(0, tag.Length).CopyTo(output);
-            reset(false);
-            return tag.Length;
+            byte[] rv;
+            if (forEncryption)
+            {
+                rv = new byte[message.Length + TAG_BYTES];
+            }
+            else
+            {
+                rv = new byte[message.Length - TAG_BYTES];
+            }
+            int len = DoFinal(rv, 0);
+            rv.AsSpan(0, len).CopyTo(output);
+            return rv.Length;
+
         }
 #endif
+
+        public int GetKeyBytesSize()
+        {
+            return KEY_BYTES;
+        }
+
+        public int GetIVBytesSize()
+        {
+            return RATE_BYTES;
+        }
     }
 }
 
diff --git a/crypto/test/src/crypto/test/SparkleTest.cs b/crypto/test/src/crypto/test/SparkleTest.cs
index 5028a1b15..ae7e5b3e7 100644
--- a/crypto/test/src/crypto/test/SparkleTest.cs
+++ b/crypto/test/src/crypto/test/SparkleTest.cs
@@ -9,6 +9,7 @@ using System.Collections.Generic;
 using System.IO;
 using Org.BouncyCastle.Crypto.Engines;
 using Org.BouncyCastle.Crypto.Digests;
+using Org.BouncyCastle.Crypto.Modes;
 
 namespace BouncyCastle.Crypto.Tests
 {
@@ -23,6 +24,20 @@ namespace BouncyCastle.Crypto.Tests
         [Test]
         public override void PerformTest()
         {
+            SparkleEngine sparkle = new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM128_128);
+            testExceptions(sparkle, sparkle.GetKeyBytesSize(), sparkle.GetIVBytesSize(), sparkle.GetBlockSize());
+            testParameters(sparkle, 16, 16, 16, 16);
+            sparkle = new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM192_192);
+            testExceptions(sparkle, sparkle.GetKeyBytesSize(), sparkle.GetIVBytesSize(), sparkle.GetBlockSize());
+            testParameters(sparkle, 24, 24, 24, 24);
+            sparkle = new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM256_128);
+            testExceptions(sparkle, sparkle.GetKeyBytesSize(), sparkle.GetIVBytesSize(), sparkle.GetBlockSize());
+            testParameters(sparkle, 16, 32, 16, 32);
+            sparkle = new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM256_256);
+            testExceptions(sparkle, sparkle.GetKeyBytesSize(), sparkle.GetIVBytesSize(), sparkle.GetBlockSize());
+            testParameters(sparkle, 32, 32, 32, 32);
+            testExceptions(new SparkleDigest(SparkleDigest.SparkleParameters.ESCH256), 32);
+            testExceptions(new SparkleDigest(SparkleDigest.SparkleParameters.ESCH384), 48);
             testVectors("128_128", SparkleEngine.SparkleParameters.SCHWAEMM128_128);
             testVectors("192_192", SparkleEngine.SparkleParameters.SCHWAEMM192_192);
             testVectors("128_256", SparkleEngine.SparkleParameters.SCHWAEMM256_128);
@@ -31,7 +46,7 @@ namespace BouncyCastle.Crypto.Tests
             testVectors("384", SparkleDigest.SparkleParameters.ESCH384);
         }
 
-        private void testVectors(String filename, SparkleEngine.SparkleParameters SparkleType)
+        private void testVectors(string filename, SparkleEngine.SparkleParameters SparkleType)
         {
             SparkleEngine Sparkle = new SparkleEngine(SparkleType);
             ICipherParameters param;
@@ -49,19 +64,22 @@ namespace BouncyCastle.Crypto.Tests
                     data = line.Split(' ');
                     if (data.Length == 1)
                     {
-                        //if (!map["Count"].Equals("2"))
+                        //if (!map["Count"].Equals("562"))
                         //{
                         //    continue;
                         //}
-                        param = new ParametersWithIV(new KeyParameter(Hex.Decode(map["Key"])), Hex.Decode(map["Nonce"]));
+                        byte[] key = Hex.Decode(map["Key"]);
+                        byte[] nonce = Hex.Decode(map["Nonce"]);
+                        byte[] ad = Hex.Decode(map["AD"]);
+                        byte[] pt = Hex.Decode(map["PT"]);
+                        byte[] ct = Hex.Decode(map["CT"]);
+                        param = new ParametersWithIV(new KeyParameter(key), nonce);
                         Sparkle.Init(true, param);
-                        adByte = Hex.Decode(map["AD"]);
-                        Sparkle.ProcessAadBytes(adByte, 0, adByte.Length);
-                        ptByte = Hex.Decode(map["PT"]);
-                        rv = new byte[Sparkle.GetOutputSize(ptByte.Length)];
-                        Sparkle.ProcessBytes(ptByte, 0, ptByte.Length, rv, 0);
+                        Sparkle.ProcessAadBytes(ad, 0, ad.Length);
+                        rv = new byte[Sparkle.GetOutputSize(pt.Length)];
+                        int len = Sparkle.ProcessBytes(pt, 0, pt.Length, rv, 0);
                         //byte[] mac = new byte[16];
-                        Sparkle.DoFinal(rv, ptByte.Length);
+                        Sparkle.DoFinal(rv, len);
                         //foreach(byte b in Hex.Decode(map["CT"]))
                         //{
                         //    Console.Write(b.ToString("X2"));
@@ -72,10 +90,21 @@ namespace BouncyCastle.Crypto.Tests
                         //    Console.Write(b.ToString("X2"));
                         //}
                         //Console.WriteLine();
-                        Assert.True(Arrays.AreEqual(rv, Hex.Decode(map["CT"])));
+                        Assert.True(Arrays.AreEqual(rv, ct));
+                        Sparkle.Reset();
+                        Sparkle.Init(false, param);
+                        //Decrypt
+                        Sparkle.ProcessAadBytes(ad, 0, ad.Length);
+                        rv = new byte[pt.Length + 16];
+                        len = Sparkle.ProcessBytes(ct, 0, ct.Length, rv, 0);
+                        Sparkle.DoFinal(rv, len);
+                        byte[] pt_recovered = new byte[pt.Length];
+                        Array.Copy(rv, 0, pt_recovered, 0, pt.Length);
+                        Assert.True(Arrays.AreEqual(pt, pt_recovered));
                         //Console.WriteLine(map["Count"] + " pass");
                         map.Clear();
                         Sparkle.Reset();
+
                     }
                     else
                     {
@@ -136,5 +165,347 @@ namespace BouncyCastle.Crypto.Tests
             }
             Console.WriteLine("Sparkle Hash pass");
         }
+
+        private void testExceptions(IAeadBlockCipher aeadBlockCipher, int keysize, int ivsize, int blocksize)
+        {
+            ICipherParameters param;
+            byte[] k = new byte[keysize];
+            byte[] iv = new byte[ivsize];
+            byte[] m = new byte[0];
+            byte[] c1 = new byte[aeadBlockCipher.GetOutputSize(m.Length)];
+            param = new ParametersWithIV(new KeyParameter(k), iv);
+            try
+            {
+                aeadBlockCipher.ProcessBytes(m, 0, m.Length, c1, 0);
+                Assert.Fail(aeadBlockCipher.AlgorithmName + " need to be initialed before ProcessBytes");
+            }
+            catch (ArgumentException e)
+            {
+                //expected
+            }
+
+            try
+            {
+                aeadBlockCipher.ProcessByte((byte)0, c1, 0);
+                Assert.Fail(aeadBlockCipher.AlgorithmName + " need to be initialed before ProcessByte");
+            }
+            catch (ArgumentException e)
+            {
+                //expected
+            }
+
+            try
+            {
+                aeadBlockCipher.Reset();
+                Assert.Fail(aeadBlockCipher.AlgorithmName + " need to be initialed before reset");
+            }
+            catch (ArgumentException e)
+            {
+                //expected
+            }
+
+            try
+            {
+                aeadBlockCipher.DoFinal(c1, m.Length);
+                Assert.Fail(aeadBlockCipher.AlgorithmName + " need to be initialed before dofinal");
+            }
+            catch (ArgumentException e)
+            {
+                //expected
+            }
+
+            try
+            {
+                aeadBlockCipher.GetMac();
+                aeadBlockCipher.GetOutputSize(0);
+                aeadBlockCipher.GetUpdateOutputSize(0);
+            }
+            catch (ArgumentException e)
+            {
+                //expected
+                Assert.Fail(aeadBlockCipher.AlgorithmName + " functions can be called before initialisation");
+            }
+            Random rand = new Random();
+            int randomNum;
+            while ((randomNum = rand.Next(100)) == keysize) ;
+            byte[] k1 = new byte[randomNum];
+            while ((randomNum = rand.Next(100)) == ivsize) ;
+            byte[] iv1 = new byte[randomNum];
+            try
+            {
+                aeadBlockCipher.Init(true, new ParametersWithIV(new KeyParameter(k1), iv));
+                Assert.Fail(aeadBlockCipher.AlgorithmName + " k size does not match");
+            }
+            catch (ArgumentException e)
+            {
+                //expected
+            }
+            try
+            {
+                aeadBlockCipher.Init(true, new ParametersWithIV(new KeyParameter(k), iv1));
+                Assert.Fail(aeadBlockCipher.AlgorithmName + "iv size does not match");
+            }
+            catch (ArgumentException e)
+            {
+                //expected
+            }
+
+
+            aeadBlockCipher.Init(true, param);
+            try
+            {
+                aeadBlockCipher.DoFinal(c1, m.Length);
+            }
+            catch (Exception e)
+            {
+                Assert.Fail(aeadBlockCipher.AlgorithmName + " allows no input for AAD and plaintext");
+            }
+            byte[] mac2 = aeadBlockCipher.GetMac();
+            if (mac2 == null)
+            {
+                Assert.Fail("mac should not be empty after dofinal");
+            }
+            if (!Arrays.AreEqual(mac2, c1))
+            {
+                Assert.Fail("mac should be equal when calling dofinal and getMac");
+            }
+            aeadBlockCipher.ProcessAadByte((byte)0);
+            byte[] mac1 = new byte[aeadBlockCipher.GetOutputSize(0)];
+            aeadBlockCipher.DoFinal(mac1, 0);
+            if (Arrays.AreEqual(mac1, mac2))
+            {
+                Assert.Fail("mac should not match");
+            }
+            aeadBlockCipher.Reset();
+            aeadBlockCipher.ProcessBytes(new byte[blocksize+1], 0, blocksize+1, new byte[blocksize+1], 0);
+            try
+            {
+                aeadBlockCipher.ProcessAadByte((byte)0);
+                Assert.Fail("ProcessAadByte(s) cannot be called after encryption/decryption");
+            }
+            catch (ArgumentException e)
+            {
+                //expected
+            }
+            try
+            {
+                aeadBlockCipher.ProcessAadBytes(new byte[] { 0 }, 0, 1);
+                Assert.Fail("ProcessAadByte(s) cannot be called once only");
+            }
+            catch (ArgumentException e)
+            {
+                //expected
+            }
+
+            aeadBlockCipher.Reset();
+            try
+            {
+                aeadBlockCipher.ProcessAadBytes(new byte[] { 0 }, 1, 1);
+                Assert.Fail("input for ProcessAadBytes is too short");
+            }
+            catch (DataLengthException e)
+            {
+                //expected
+            }
+            try
+            {
+                aeadBlockCipher.ProcessBytes(new byte[] { 0 }, 1, 1, c1, 0);
+                Assert.Fail("input for ProcessBytes is too short");
+            }
+            catch (DataLengthException e)
+            {
+                //expected
+            }
+            try
+            {
+                aeadBlockCipher.ProcessBytes(new byte[blocksize+1], 0, blocksize+1, new byte[blocksize+1], blocksize >> 1);
+                Assert.Fail("output for ProcessBytes is too short");
+            }
+            catch (OutputLengthException e)
+            {
+                //expected
+            }
+            try
+            {
+                aeadBlockCipher.DoFinal(new byte[2], 2);
+                Assert.Fail("output for dofinal is too short");
+            }
+            catch (DataLengthException e)
+            {
+                //expected
+            }
+
+            mac1 = new byte[aeadBlockCipher.GetOutputSize(0)];
+            mac2 = new byte[aeadBlockCipher.GetOutputSize(0)];
+            aeadBlockCipher.Reset();
+            aeadBlockCipher.ProcessAadBytes(new byte[] { 0, 0 }, 0, 2);
+            aeadBlockCipher.DoFinal(mac1, 0);
+            aeadBlockCipher.Reset();
+            aeadBlockCipher.ProcessAadByte((byte)0);
+            aeadBlockCipher.ProcessAadByte((byte)0);
+            aeadBlockCipher.DoFinal(mac2, 0);
+            if (!Arrays.AreEqual(mac1, mac2))
+            {
+                Assert.Fail("mac should match for the same AAD with different ways of inputing");
+            }
+
+            byte[] c2 = new byte[aeadBlockCipher.GetOutputSize(10)];
+            byte[] c3 = new byte[aeadBlockCipher.GetOutputSize(10) + 2];
+            byte[] aad2 = { 0, 1, 2, 3, 4 };
+            byte[] aad3 = { 0, 0, 1, 2, 3, 4, 5 };
+            byte[] m2 = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
+            byte[] m3 = { 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
+            byte[] m4 = new byte[m2.Length];
+            aeadBlockCipher.Reset();
+            aeadBlockCipher.ProcessAadBytes(aad2, 0, aad2.Length);
+            int offset = aeadBlockCipher.ProcessBytes(m2, 0, m2.Length, c2, 0);
+            aeadBlockCipher.DoFinal(c2, offset);
+            aeadBlockCipher.Reset();
+            aeadBlockCipher.ProcessAadBytes(aad3, 1, aad2.Length);
+            offset = aeadBlockCipher.ProcessBytes(m3, 1, m2.Length, c3, 1);
+            aeadBlockCipher.DoFinal(c3, offset + 1);
+            byte[] c3_partial = new byte[c2.Length];
+            Array.Copy(c3, 1, c3_partial, 0, c2.Length);
+            if (!Arrays.AreEqual(c2, c3_partial))
+            {
+                Assert.Fail("mac should match for the same AAD and message with different offset for both input and output");
+            }
+            aeadBlockCipher.Reset();
+            aeadBlockCipher.Init(false, param);
+            aeadBlockCipher.ProcessAadBytes(aad2, 0, aad2.Length);
+            offset = aeadBlockCipher.ProcessBytes(c2, 0, c2.Length, m4, 0);
+            aeadBlockCipher.DoFinal(m4, offset);
+            if (!Arrays.AreEqual(m2, m4))
+            {
+                Assert.Fail("The encryption and decryption does not recover the plaintext");
+            }
+            Console.WriteLine(aeadBlockCipher.AlgorithmName + " test Exceptions pass");
+            c2[c2.Length - 1] ^= 1;
+            aeadBlockCipher.Reset();
+            aeadBlockCipher.Init(false, param);
+            aeadBlockCipher.ProcessAadBytes(aad2, 0, aad2.Length);
+            offset = aeadBlockCipher.ProcessBytes(c2, 0, c2.Length, m4, 0);
+            try
+            {
+                aeadBlockCipher.DoFinal(m4, offset);
+                Assert.Fail("The decryption should fail");
+            }
+            catch (ArgumentException e)
+            {
+                //expected;
+            }
+            c2[c2.Length - 1] ^= 1;
+
+            byte[] m7 = new byte[blocksize * 2];
+            for (int i = 0; i < m7.Length; ++i)
+            {
+                m7[i] = (byte)rand.Next();
+            }
+            byte[] c7 = new byte[aeadBlockCipher.GetOutputSize(m7.Length)];
+            byte[] c8 = new byte[c7.Length];
+            byte[] c9 = new byte[c7.Length];
+            aeadBlockCipher.Init(true, param);
+            aeadBlockCipher.ProcessAadBytes(aad2, 0, aad2.Length);
+            offset = aeadBlockCipher.ProcessBytes(m7, 0, m7.Length, c7, 0);
+            aeadBlockCipher.DoFinal(c7, offset);
+            aeadBlockCipher.Reset();
+            aeadBlockCipher.ProcessAadBytes(aad2, 0, aad2.Length);
+            offset = aeadBlockCipher.ProcessBytes(m7, 0, blocksize, c8, 0);
+            offset += aeadBlockCipher.ProcessBytes(m7, blocksize, m7.Length - blocksize, c8, offset);
+            aeadBlockCipher.DoFinal(c8, offset);
+            aeadBlockCipher.Reset();
+            int split = rand.Next(blocksize * 2);
+            aeadBlockCipher.ProcessAadBytes(aad2, 0, aad2.Length);
+            offset = aeadBlockCipher.ProcessBytes(m7, 0, split, c9, 0);
+            offset += aeadBlockCipher.ProcessBytes(m7, split, m7.Length - split, c9, offset);
+            aeadBlockCipher.DoFinal(c9, offset);
+            if (!Arrays.AreEqual(c7, c8) || !Arrays.AreEqual(c7, c9))
+            {
+                Assert.Fail("Splitting input of plaintext should output the same ciphertext");
+            }
+#if NET6_0_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            Span<byte> c4_1 = new byte[c2.Length];
+            Span<byte> c4_2 = new byte[c2.Length];
+            ReadOnlySpan<byte> m5 = new ReadOnlySpan<byte>(m2);
+            ReadOnlySpan<byte> aad4 = new ReadOnlySpan<byte>(aad2);
+            aeadBlockCipher.Init(true, param);
+            aeadBlockCipher.ProcessAadBytes(aad4);
+            offset = aeadBlockCipher.ProcessBytes(m5, c4_1);
+            aeadBlockCipher.DoFinal(c4_2);
+            byte[] c5 = new byte[c2.Length];
+            Array.Copy(c4_1.ToArray(), 0, c5, 0, offset);
+            Array.Copy(c4_2.ToArray(), 0, c5, offset, c5.Length - offset);
+            if (!Arrays.AreEqual(c2, c5))
+            {
+                Assert.Fail("mac should match for the same AAD and message with different offset for both input and output");
+            }
+            aeadBlockCipher.Reset();
+            aeadBlockCipher.Init(false, param);
+            Span<byte> m6_1 = new byte[m2.Length];
+            Span<byte> m6_2 = new byte[m2.Length];
+            ReadOnlySpan<byte> c6 = new ReadOnlySpan<byte>(c2);
+            aeadBlockCipher.ProcessAadBytes(aad4);
+            offset = aeadBlockCipher.ProcessBytes(c6, m6_1);
+            aeadBlockCipher.DoFinal(m6_2);
+            byte[] m6 = new byte[m2.Length];
+            Array.Copy(m6_1.ToArray(), 0, m6, 0, offset);
+            Array.Copy(m6_2.ToArray(), 0, m6, offset, m6.Length - offset);
+            if (!Arrays.AreEqual(m2, m6))
+            {
+                Assert.Fail("mac should match for the same AAD and message with different offset for both input and output");
+            }
+#endif
+
+        }
+
+        private void testParameters(SparkleEngine Sparkle, int keySize, int ivSize, int macSize, int blockSize)
+        {
+            if (Sparkle.GetKeyBytesSize() != keySize)
+            {
+                Assert.Fail("key bytes of " + Sparkle.AlgorithmName + " is not correct");
+            }
+            if (Sparkle.GetIVBytesSize() != ivSize)
+            {
+                Assert.Fail("iv bytes of " + Sparkle.AlgorithmName + " is not correct");
+            }
+            if (Sparkle.GetOutputSize(0) != macSize)
+            {
+                Assert.Fail("mac bytes of " + Sparkle.AlgorithmName + " is not correct");
+            }
+            if (Sparkle.GetBlockSize() != blockSize)
+            {
+                Assert.Fail("block size of " + Sparkle.AlgorithmName + " is not correct");
+            }
+            Console.WriteLine(Sparkle.AlgorithmName + " test Parameters pass");
+        }
+
+        private void testExceptions(IDigest digest, int digestsize)
+        {
+            if (digest.GetDigestSize() != digestsize)
+            {
+                Assert.Fail(digest.AlgorithmName + ": digest size is not correct");
+            }
+
+            try
+            {
+                digest.BlockUpdate(new byte[1], 1, 1);
+                Assert.Fail(digest.AlgorithmName + ": input for update is too short");
+            }
+            catch (DataLengthException e)
+            {
+                //expected
+            }
+            try
+            {
+                digest.DoFinal(new byte[digest.GetDigestSize() - 1], 2);
+                Assert.Fail(digest.AlgorithmName + ": output for dofinal is too short");
+            }
+            catch (DataLengthException e)
+            {
+                //expected
+            }
+            Console.WriteLine(digest.AlgorithmName + " test Exceptions pass");
+        }
+
     }
 }