draft-irtf-cfrg-chacha20-poly1305-09.txt -> draft-irtf-cfrg-chacha20-poly1305-10.txt

Network Working Group                                            Y. Nir
Internet-Draft                                              Check Point
Intended status: Informational                               A. Langley
-09: Expires: August 6, 2015                                 Google Inc
-10: Expires: August 24, 2015                                Google Inc
-09: February 2, 2015
-10: February 20, 2015

                ChaCha20 and Poly1305 for IETF protocols
-09: draft-irtf-cfrg-chacha20-poly1305-09
-10: draft-irtf-cfrg-chacha20-poly1305-10
Abstract

This document defines the ChaCha20 stream cipher, as well as the use
of the Poly1305 authenticator, both as stand-alone algorithms, and as
a "combined mode", or Authenticated Encryption with Additional Data
(AEAD) algorithm.

This document does not introduce any new crypto, but is meant to
serve as a stable reference and an implementation guide. It is a
skipping to change at page 1, line 38

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

-09: This Internet-Draft will expire on August 6, 2015.
-10: This Internet-Draft will expire on August 24, 2015.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

skipping to change at page 2, line 32
   2.5.  The Poly1305 algorithm . . . . . . . . . . . . . . . . .  12
     2.5.1.  The Poly1305 Algorithms in Pseudo-Code . . . . . . .  14
     2.5.2.  Poly1305 Example and Test Vector . . . . . . . . . .  14
   2.6.  Generating the Poly1305 key using ChaCha20 . . . . . . .  16
     2.6.1.  Poly1305 Key Generation in Pseudo-Code . . . . . . .  17
     2.6.2.  Poly1305 Key Generation Test Vector . . . . . . . . .  17
   2.7.  A Pseudo-Random Function for ChaCha/Poly-1305 based
         Crypto Suites . . . . . . . . . . . . . . . . . . . . . .  17
   2.8.  AEAD Construction . . . . . . . . . . . . . . . . . . . .  18
     2.8.1.  Pseudo-Code for the AEAD Construction . . . . . . . .  20
-09: 2.8.2.  Example and Test Vector for AEAD_CHACHA20-POLY1305 .  20
-10: 2.8.2.  Example and Test Vector for AEAD_CHACHA20_POLY1305 .  20
 3.  Implementation Advice . . . . . . . . . . . . . . . . . . . .  22
 4.  Security Considerations . . . . . . . . . . . . . . . . . . .  23
 5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  24
 6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  24
 7.  Changes from Previous Versions . . . . . . . . . . . . . . .  25
   7.1.  Changes from version -01 to version -02 . . . . . . . . .  25
   7.2.  Changes from version -00 to version -01 . . . . . . . . .  25
   7.3.  Changes from draft-nir-cfrg to draft-irtf-cfrg . . . . .  25
 8.  References . . . . . . . . . . . . . . . . . . . . . . . . .  25
   8.1.  Normative References . . . . . . . . . . . . . . . . . .  25

skipping to change at page 18, line 21
Chacha20 could be used as a key-derivation function, by generating an
arbitrarily long keystream. However, that is not what protocols such
as IKEv2 require.

For this reason, this document does not specify a PRF, and recommends
that crypto suites use some other PRF such as PRF_HMAC_SHA2_256
(section 2.1.2 of [RFC4868]).

2.8. AEAD Construction

-09: AEAD_CHACHA20-POLY1305 is an authenticated encryption with additional
     data algorithm. The inputs to AEAD_CHACHA20-POLY1305 are:
-10: AEAD_CHACHA20_POLY1305 is an authenticated encryption with additional
     data algorithm. The inputs to AEAD_CHACHA20_POLY1305 are:

o A 256-bit key
o A 96-bit nonce - different for each invocation with the same key.
o An arbitrary length plaintext
o Arbitrary length additional authenticated data (AAD)

Some protocols may have unique per-invocation inputs that are not
96-bit in length. For example, IPsec may specify a 64-bit nonce. In
such a case, it is up to the protocol document to define how to
transform the protocol nonce into a 96-bit nonce, for example by

skipping to change at page 20, line 17
o K_LEN (key length) is 32 octets.
o P_MAX (maximum size of the plaintext) is 247,877,906,880 bytes, or
  nearly 256 GB.
o A_MAX (maximum size of the associated data) is set to 2^64-1
  octets by the length field for associated data.
o N_MIN = N_MAX = 12 octets.
o C_MAX = P_MAX + tag length = 247,877,906,896 octets.

Distinct AAD inputs (as described in section 3.3 of RFC 5116) shall
-09: be concatenated into a single input to AEAD_CHACHA20-POLY1305. It is
-10: be concatenated into a single input to AEAD_CHACHA20_POLY1305. It is
up to the application to create a structure in the AAD input if it is
needed.
2.8.1. Pseudo-Code for the AEAD Construction

   pad16(x):
      if (len(x) % 16)==0
         then return NULL
         else return copies(0, 16-(len(x)%16))
      end

skipping to change at page 20, line 40

      otk = poly1305_key_gen(key, iv, constant)
      nonce = constant | iv
      ciphertext = chacha_encrypt(key, 1, nonce, plaintext)
      mac_data = aad | pad16(aad)
      mac_data |= ciphertext | pad16(ciphertext)
      mac_data |= num_to_4_le_bytes(aad.length)
      mac_data |= num_to_4_le_bytes(ciphertext.length)
      tag = poly1305_mac(mac_data, otk)
      return (ciphertext, tag)
-09: 2.8.2. Example and Test Vector for AEAD_CHACHA20-POLY1305
-10: 2.8.2. Example and Test Vector for AEAD_CHACHA20_POLY1305

For a test vector, we will use the following inputs to the
-09: AEAD_CHACHA20-POLY1305 function:
-10: AEAD_CHACHA20_POLY1305 function:

Plaintext:
000  4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c  Ladies and Gentl
016  65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73  emen of the clas
032  73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63  s of '99: If I c
048  6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f  ould offer you o
064  6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20  nly one tip for
080  74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73  the future, suns
096  63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69  creen would be i
112  74 2e                                            t.
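As an added worked example (not code from either draft), the following Python implements the 2.8.1 construction end to end for the plaintext above: the ChaCha20 block function, Poly1305, pad16, the mac_data layout, and a decrypt side that applies the constant-time tag comparison section 4 requires. It encodes the two length fields as 8-byte little-endian values, since the A_MAX of 2^64-1 stated in 2.8 cannot be carried in the num_to_4_le_bytes fields the pseudo-code writes (the published RFC 7539 uses num_to_8_le_bytes). The key, IV, constant and AAD of the test vector are not shown in this excerpt, so any caller must supply its own; the function names here are the example's own.

```python
import hmac
import struct

MASK32 = 0xffffffff
def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32
def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # State words (LE): 4 constants, 8 key, 1 block counter, 3 nonce; 20 rounds = 10 x (column + diagonal).
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, *q)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(s, init)))

def chacha20_encrypt(key, counter, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 64):  # one 64-byte keystream block per counter value
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], chacha20_block(key, counter + i // 64, nonce)))
    return bytes(out)

def poly1305_mac(msg, otk):
    r = int.from_bytes(otk[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff  # clamp r
    s, p, acc = int.from_bytes(otk[16:], "little"), (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):  # append 0x01 to each (possibly short) block; acc = (acc + n) * r mod p
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def pad16(x):
    return b"" if len(x) % 16 == 0 else bytes(16 - len(x) % 16)
def _mac_data(aad, ct):
    # 8-byte LE length fields: A_MAX = 2^64-1 does not fit the 4 bytes written in the draft pseudo-code.
    return aad + pad16(aad) + ct + pad16(ct) + struct.pack("<QQ", len(aad), len(ct))

def aead_encrypt(aad, key, iv, constant, plaintext):
    nonce = constant + iv                             # 96-bit nonce = 32-bit constant | 64-bit IV
    otk = chacha20_block(key, 0, nonce)[:32]          # poly1305_key_gen: block counter 0
    ct = chacha20_encrypt(key, 1, nonce, plaintext)   # payload keystream starts at counter 1
    return ct, poly1305_mac(_mac_data(aad, ct), otk)

def aead_decrypt(aad, key, iv, constant, ct, tag):
    nonce = constant + iv
    otk = chacha20_block(key, 0, nonce)[:32]
    if not hmac.compare_digest(poly1305_mac(_mac_data(aad, ct), otk), tag):  # constant-time compare (section 4)
        return None                                   # reject before decrypting anything
    return chacha20_encrypt(key, 1, nonce, ct)
```

Fed the published test-vector inputs for this plaintext (key 0x80..0x9f, IV 40..47, constant 07 00 00 00, AAD 50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7), the function produces the published tag 1a:e1:0b:59:4f:09:e2:6a:7e:90:2e:cb:d0:60:06:91.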
skipping to change at page 24, line 42

reveals how long a prefix of the calculated and received tags is
identical, the number of messages can be reduced significantly. For
this reason, with online protocols, implementations MUST use a
constant-time comparison function rather than relying on optimized
but insecure library functions such as the C language's memcmp().

5. IANA Considerations

IANA is requested to assign an entry in the "Authenticated Encryption
with Associated Data (AEAD) Parameters" registry with
-09: "AEAD_CHACHA20-POLY1305" as the name and this document as reference.
-10: "AEAD_CHACHA20_POLY1305" as the name and this document as reference.

6. Acknowledgements

ChaCha20 and Poly1305 were invented by Daniel J. Bernstein. The
AEAD construction and the method of creating the one-time Poly1305
key were invented by Adam Langley.

Thanks to Robert Ransom, Watson Ladd, Stefan Buhler, Dan Harkins, and
Kenny Paterson for their helpful comments and explanations. Thanks
to Niels Moeller for suggesting the more efficient AEAD construction
End of changes. 9 change blocks. 11 lines changed or deleted, 11 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/