ChaCha20-Poly1305: Difference between revisions

ChaCha20-Poly1305 is an Authenticated encryption with additional data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. Its usage in IETF protocols is standardized in RFC 8439.^[1] It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.^[2]

History

The two building blocks of the construction, the algorithms Poly1305 and ChaCha20, were both independently designed, in 2005 and 2008, by Daniel J. Bernstein.^[3][4]

In 2013–2014, a variant of the original ChaCha20 algorithm (using 32-bit counter and 96-bit nonce) and a variant of the original Poly1305 (authenticating 2 strings) were combined in an IETF draft^[5][6] to be used in TLS and DTLS,^[7] and chosen by Google, for security and performance reasons, as a newly supported cipher.^[8] Shortly after Google's adoption for TLS, ChaCha20, Poly1305 and the combined AEAD mode are added to OpenSSH via thechacha20-poly1305@openssh.com authenticated encryption cipher^[9][10] but kept the original 64-bit counter and 64-bit nonce for the ChaCha20 algorithm.

In 2015, the AEAD algorithm is standardized in RFC 7539^[11] and RFC 7905^[12] to be used in TLS 1.2 and DTLS 1.2 and in RFC 7634^[13] to be used in IPsec. The same year, it is integrated in Cloudflare as an alternative ciphersuite.^[14]

In June 2018, the RFC 7539 is updated and replaced by RFC 8439.^[15]

ChaCha20-Poly1305 is currently being standardized for use in QUIC.^[16]

Description

The ChaCha20-Poly1305 algorithm as described in RFC 8439^[1] take as input a 256-bit key and a 96-bit nonce to encrypt a plaintext, with a ciphertext expansion of 128-bit (the tag size). In the ChaCha20-Poly1305 construction, ChaCha20 is used in counter mode to derive a key stream that is XORed with the plaintext. The ciphertext and the associated data is then authenticated using a variant of Poly1305 that first encodes the two strings into one.

ChaCha20-Poly1305 Encryption

Variants

XChaCha20-Poly1305 - Extended Nonce Variant

The XChaCha20-Poly1305 construction is an extended 192-bit nonce variant of the ChaCha20-Poly1305 construction, using XChaCha20 instead of ChaCha20. When choosing nonces at random, the XChaCha20-Poly1305 construction allows for better security than the original construction. The draft attempt to standardize the construction expired in July 2020.^[17]

Salsa20-Poly1305 and XSalsa20-Poly1305

Salsa20-Poly1305 and XSalsa20-Poly1305 are variants of the ChaCha20-Poly1305 and XChaCha20-Poly1305 algorithms, using Salsa20 and XSalsa20 in place of ChaCha20 and XChaCha20. They are implemented in NaCl^[18] and libsodium^[19] but not standardized. The variants using ChaCha is preferred in practice as it provides better diffusion per round than Salsa.^[3]

Use

ChaCha20-Poly1305 is used in IPsec,^[13] SSH,^[9] TLS 1.2, DTLS 1.2, TLS 1.3,^[12] QUIC,^[16] WireGuard,^[20] S/MIME 4.0,^[21] OTRv4^[22] and multiple other protocols. Among others, it is implemented in OpenSSL, OpenSSH and libsodium.

Performance

ChaCha20-Poly1305 usually offers better performance than the more prevalent AES-GCM algorithm on systems where the CPU(s) does not feature the AES-NI instruction set extension.^[2] As a result, ChaCha20-Poly1305 is sometimes preferred over AES-GCM due to it's similar levels of security and in certain use cases involving mobile devices, which mostly use ARM-based CPUs.

Security

The ChaCha20-Poly1305 construction is proven secure in the standard model and the ideal permutation model, for the single- and multi-user setting.^[23] However, similarly to GCM, the security relies on choosing a unique nonce for every message encrypted. Compared to AES-GCM, implementations of ChaCha20-Poly1305 are less vulnerable to timing attacks.

See also

• Authenticated encryption
• Galois/Counter Mode
• Salsa20
• Poly1305

External links

• RFC 8439: ChaCha20 and Poly1305 for IETF Protocols
• RFC 7634: ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec
• RFC 7905: ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
• RFC 8103: Using ChaCha20-Poly1305 Authenticated Encryption in the Cryptographic Message Syntax (CMS)

References

1. Nir, Yoav; Langley, Adam (June 2018). ChaCha20 and Poly1305 for IETF Protocols. doi:10.17487/RFC8439. RFC 8439.
2. Nir, Yoav; Langley, Adam (June 2018). "Performance Measurements of ChaCha20". ChaCha20 and Poly1305 for IETF Protocols. sec. B. doi:10.17487/RFC8439. RFC 8439.
3. Bernstein, D. J. (January 2008). ChaCha, a variant of Salsa20 (PDF). The State of the Art of Stream Ciphers. Vol. 8. pp. 3–5.
4. Bernstein, Daniel J. (2005), "The Poly1305-AES Message-Authentication Code", Fast Software Encryption, Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 32–49, doi:10.1007/11502760_3, ISBN 978-3-540-26541-2
5. Langley, Adam (September 2013). ChaCha20 and Poly1305 based Cipher Suites for TLS. I-D draft-agl-tls-chacha20poly1305-00.
6. Nir, Yoav (27 January 2014). ChaCha20 and Poly1305 for IETF protocols. I-D draft-nir-cfrg-chacha20-poly1305-00.
7. Langley, Adam; Chang, Wan-Teh; Mavrogiannopoulos, Nikos; Strombergson, Joachim; Josefsson, Simon (24 January 2014). The ChaCha Stream Cipher for Transport Layer Security. I-D draft-mavrogiannopoulos-chacha-tls-01.
8. Bursztein, Elie (24 April 2014). "Speeding up and strengthening HTTPS connections for Chrome on Android". Google Online Security Blog. Archived from the original on 2016-09-28. Retrieved 2021-12-27.
9. Miller, Damien. "Super User's BSD Cross Reference: /OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305". bxr.su. Archived from the original on 2013-12-13. Retrieved 2021-12-28.
10. Miller, Damien (29 November 2013). "ChaCha20 and Poly1305 in OpenSSH". Archived from the original on 2013-12-13. Retrieved 2021-12-28.
11. Nir, Yoav; Langley, Adam (May 2015). ChaCha20 and Poly1305 for IETF Protocols. doi:10.17487/RFC7539. RFC 7539.
12. Langley, Adam; Chang, Wan-Teh; Mavrogiannopoulos, Nikos; Strombergson, Joachim; Josefsson, Simon (June 2016). ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS). doi:10.17487/RFC7905. RFC 7905.
13. Nir, Yoav (August 2015). ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec. doi:10.17487/RFC7634. RFC 7634.
14. "Do the ChaCha: better mobile performance with cryptography". The Cloudflare Blog. 2015-02-23. Retrieved 2021-12-28.
15. Nir, Yoav; Langley, Adam (June 2018). ChaCha20 and Poly1305 for IETF Protocols. doi:10.17487/RFC8439. RFC 8439.
16. Thomson, Martin; Turner, Sean (May 2021). Using TLS to Secure QUIC. doi:10.17487/RFC9001. RFC 9001.
17. Arciszewski, Scott (10 January 2020). XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305. I-D draft-irtf-cfrg-xchacha.
18. "NaCl: Networking and Cryptography library - Secret-key authenticated encryption". Archived from the original on 2009-06-30.
19. "libsodium - Authenticated encryption". Archived from the original on 2020-08-04.
20. Donenfeld, Jason A. "Protocol & Cryptography - WireGuard". www.wireguard.com. Retrieved 2021-12-28.
21. Housley, Russ (February 2017). Using ChaCha20-Poly1305 Authenticated Encryption in the Cryptographic Message Syntax (CMS). doi:10.17487/RFC8103. RFC 8103.
22. OTRv4, OTRv4, 2021-12-25, retrieved 2021-12-28
23. Degabriele, Jean Paul; Govinden, Jérôme; Günther, Felix; Paterson, Kenneth G. (2021-11-12), "The Security of ChaCha20-Poly1305 in the Multi-User Setting", Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA: Association for Computing Machinery, pp. 1981–2003, doi:10.1145/3460120.3484814, ISBN 978-1-4503-8454-4, retrieved 2021-12-27