| < draft-irtf-cfrg-chacha20-poly1305-09.txt | draft-irtf-cfrg-chacha20-poly1305-10.txt > | |||
|---|---|---|---|---|
| Network Working Group Y. Nir | Network Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Informational A. Langley | Intended status: Informational A. Langley | |||
| Expires: August 6, 2015 Google Inc | Expires: August 24, 2015 Google Inc | |||
| February 2, 2015 | February 20, 2015 | |||
| ChaCha20 and Poly1305 for IETF protocols | ChaCha20 and Poly1305 for IETF protocols | |||
| draft-irtf-cfrg-chacha20-poly1305-09 | draft-irtf-cfrg-chacha20-poly1305-10 | |||
| Abstract | Abstract | |||
| This document defines the ChaCha20 stream cipher, as well as the use | This document defines the ChaCha20 stream cipher, as well as the use | |||
| of the Poly1305 authenticator, both as stand-alone algorithms, and as | of the Poly1305 authenticator, both as stand-alone algorithms, and as | |||
| a "combined mode", or Authenticated Encryption with Additional Data | a "combined mode", or Authenticated Encryption with Additional Data | |||
| (AEAD) algorithm. | (AEAD) algorithm. | |||
| This document does not introduce any new crypto, but is meant to | This document does not introduce any new crypto, but is meant to | |||
| serve as a stable reference and an implementation guide. It is a | serve as a stable reference and an implementation guide. It is a | |||
| skipping to change at page 1, line 38 | skipping to change at page 1, line 38 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 6, 2015. | This Internet-Draft will expire on August 24, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 32 | skipping to change at page 2, line 32 | |||
| 2.5. The Poly1305 algorithm . . . . . . . . . . . . . . . . . 12 | 2.5. The Poly1305 algorithm . . . . . . . . . . . . . . . . . 12 | |||
| 2.5.1. The Poly1305 Algorithms in Pseudo-Code . . . . . . . 14 | 2.5.1. The Poly1305 Algorithms in Pseudo-Code . . . . . . . 14 | |||
| 2.5.2. Poly1305 Example and Test Vector . . . . . . . . . . 14 | 2.5.2. Poly1305 Example and Test Vector . . . . . . . . . . 14 | |||
| 2.6. Generating the Poly1305 key using ChaCha20 . . . . . . . 16 | 2.6. Generating the Poly1305 key using ChaCha20 . . . . . . . 16 | |||
| 2.6.1. Poly1305 Key Generation in Pseudo-Code . . . . . . . 17 | 2.6.1. Poly1305 Key Generation in Pseudo-Code . . . . . . . 17 | |||
| 2.6.2. Poly1305 Key Generation Test Vector . . . . . . . . . 17 | 2.6.2. Poly1305 Key Generation Test Vector . . . . . . . . . 17 | |||
| 2.7. A Pseudo-Random Function for ChaCha/Poly-1305 based | 2.7. A Pseudo-Random Function for ChaCha/Poly-1305 based | |||
| Crypto Suites . . . . . . . . . . . . . . . . . . . . . . 17 | Crypto Suites . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 2.8. AEAD Construction . . . . . . . . . . . . . . . . . . . . 18 | 2.8. AEAD Construction . . . . . . . . . . . . . . . . . . . . 18 | |||
| 2.8.1. Pseudo-Code for the AEAD Construction . . . . . . . . 20 | 2.8.1. Pseudo-Code for the AEAD Construction . . . . . . . . 20 | |||
| 2.8.2. Example and Test Vector for AEAD_CHACHA20-POLY1305 . 20 | 2.8.2. Example and Test Vector for AEAD_CHACHA20_POLY1305 . 20 | |||
| 3. Implementation Advice . . . . . . . . . . . . . . . . . . . . 22 | 3. Implementation Advice . . . . . . . . . . . . . . . . . . . . 22 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 24 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 7. Changes from Previous Versions . . . . . . . . . . . . . . . 25 | 7. Changes from Previous Versions . . . . . . . . . . . . . . . 25 | |||
| 7.1. Changes from version -01 to version -02 . . . . . . . . . 25 | 7.1. Changes from version -01 to version -02 . . . . . . . . . 25 | |||
| 7.2. Changes from version -00 to version -01 . . . . . . . . . 25 | 7.2. Changes from version -00 to version -01 . . . . . . . . . 25 | |||
| 7.3. Changes from draft-nir-cfrg to draft-irtf-cfrg . . . . . 25 | 7.3. Changes from draft-nir-cfrg to draft-irtf-cfrg . . . . . 25 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 25 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 25 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 25 | |||
| skipping to change at page 18, line 21 | skipping to change at page 18, line 21 | |||
| Chacha20 could be used as a key-derivation function, by generating an | Chacha20 could be used as a key-derivation function, by generating an | |||
| arbitrarily long keystream. However, that is not what protocols such | arbitrarily long keystream. However, that is not what protocols such | |||
| as IKEv2 require. | as IKEv2 require. | |||
| For this reason, this document does not specify a PRF, and recommends | For this reason, this document does not specify a PRF, and recommends | |||
| that crypto suites use some other PRF such as PRF_HMAC_SHA2_256 | that crypto suites use some other PRF such as PRF_HMAC_SHA2_256 | |||
| (section 2.1.2 of [RFC4868]) | (section 2.1.2 of [RFC4868]) | |||
| 2.8. AEAD Construction | 2.8. AEAD Construction | |||
| AEAD_CHACHA20-POLY1305 is an authenticated encryption with additional | AEAD_CHACHA20_POLY1305 is an authenticated encryption with additional | |||
| data algorithm. The inputs to AEAD_CHACHA20-POLY1305 are: | data algorithm. The inputs to AEAD_CHACHA20_POLY1305 are: | |||
| o A 256-bit key | o A 256-bit key | |||
| o A 96-bit nonce - different for each invocation with the same key. | o A 96-bit nonce - different for each invocation with the same key. | |||
| o An arbitrary length plaintext | o An arbitrary length plaintext | |||
| o Arbitrary length additional authenticated data (AAD) | o Arbitrary length additional authenticated data (AAD) | |||
| Some protocols may have unique per-invocation inputs that are not | Some protocols may have unique per-invocation inputs that are not | |||
| 96-bit in length. For example, IPsec may specify a 64-bit nonce. In | 96-bit in length. For example, IPsec may specify a 64-bit nonce. In | |||
| such a case, it is up to the protocol document to define how to | such a case, it is up to the protocol document to define how to | |||
| transform the protocol nonce into a 96-bit nonce, for example by | transform the protocol nonce into a 96-bit nonce, for example by | |||
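Review bot: the rename from AEAD_CHACHA20-POLY1305 to AEAD_CHACHA20_POLY1305 in this hunk brings the identifier in line with the underscore-separated names already used in the RFC 5116 AEAD registry (for example AEAD_AES_128_GCM), which is the registry section 5 asks IANA to add it to. The other occurrences visible in this diff (the table of contents entry for 2.8.2, the heading and first paragraph of 2.8.2, and the IANA request in section 5) are changed consistently; the remaining check is that no hyphenated form survives in the sections this diff does not show, since a mismatch between the registry name and the body text would be confusing for implementers.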
| skipping to change at page 20, line 17 | skipping to change at page 20, line 17 | |||
| o K_LEN (key length) is 32 octets. | o K_LEN (key length) is 32 octets. | |||
| o P_MAX (maximum size of the plaintext) is 247,877,906,880 bytes, or | o P_MAX (maximum size of the plaintext) is 247,877,906,880 bytes, or | |||
| nearly 256 GB. | nearly 256 GB. | |||
| o A_MAX (maximum size of the associated data) is set to 2^64-1 | o A_MAX (maximum size of the associated data) is set to 2^64-1 | |||
| octets by the length field for associated data. | octets by the length field for associated data. | |||
| o N_MIN = N_MAX = 12 octets. | o N_MIN = N_MAX = 12 octets. | |||
| o C_MAX = P_MAX + tag length = 247,877,906,896 octets. | o C_MAX = P_MAX + tag length = 247,877,906,896 octets. | |||
| Distinct AAD inputs (as described in section 3.3 of RFC 5116) shall | Distinct AAD inputs (as described in section 3.3 of RFC 5116) shall | |||
| be concatenated into a single input to AEAD_CHACHA20-POLY1305. It is | be concatenated into a single input to AEAD_CHACHA20_POLY1305. It is | |||
| up to the application to create a structure in the AAD input if it is | up to the application to create a structure in the AAD input if it is | |||
| needed. | needed. | |||
| 2.8.1. Pseudo-Code for the AEAD Construction | 2.8.1. Pseudo-Code for the AEAD Construction | |||
| pad16(x): | pad16(x): | |||
| if (len(x) % 16)==0 | if (len(x) % 16)==0 | |||
| then return NULL | then return NULL | |||
| else return copies(0, 16-(len(x)%16)) | else return copies(0, 16-(len(x)%16)) | |||
| end | end | |||
| skipping to change at page 20, line 40 | skipping to change at page 20, line 40 | |||
| otk = poly1305_key_gen(key, iv, constant) | otk = poly1305_key_gen(key, iv, constant) | |||
| nonce = constant | iv | nonce = constant | iv | |||
| ciphertext = chacha_encrypt(key, 1, nonce, plaintext) | ciphertext = chacha_encrypt(key, 1, nonce, plaintext) | |||
| mac_data = aad | pad16(aad) | mac_data = aad | pad16(aad) | |||
| mac_data |= ciphertext | pad16(ciphertext) | mac_data |= ciphertext | pad16(ciphertext) | |||
| mac_data |= num_to_4_le_bytes(aad.length) | mac_data |= num_to_4_le_bytes(aad.length) | |||
| mac_data |= num_to_4_le_bytes(ciphertext.length) | mac_data |= num_to_4_le_bytes(ciphertext.length) | |||
| tag = poly1305_mac(mac_data, otk) | tag = poly1305_mac(mac_data, otk) | |||
| return (ciphertext, tag) | return (ciphertext, tag) | |||
| 2.8.2. Example and Test Vector for AEAD_CHACHA20-POLY1305 | 2.8.2. Example and Test Vector for AEAD_CHACHA20_POLY1305 | |||
| For a test vector, we will use the following inputs to the | For a test vector, we will use the following inputs to the | |||
| AEAD_CHACHA20-POLY1305 function: | AEAD_CHACHA20_POLY1305 function: | |||
| Plaintext: | Plaintext: | |||
| 000 4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c Ladies and Gentl | 000 4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c Ladies and Gentl | |||
| 016 65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73 emen of the clas | 016 65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73 emen of the clas | |||
| 032 73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63 s of '99: If I c | 032 73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63 s of '99: If I c | |||
| 048 6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f ould offer you o | 048 6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f ould offer you o | |||
| 064 6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20 nly one tip for | 064 6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20 nly one tip for | |||
| 080 74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73 the future, suns | 080 74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73 the future, suns | |||
| 096 63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69 creen would be i | 096 63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69 creen would be i | |||
| 112 74 2e t. | 112 74 2e t. | |||
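Review bot: the two length fields appended to mac_data in the 2.8.1 pseudo-code are written with num_to_4_le_bytes, but the A_MAX bullet earlier in section 2.8 says the associated-data limit of 2^64-1 octets is set "by the length field for associated data", which is only true of an 8-octet (64-bit) little-endian field. One of the two should change: either the pseudo-code emits 8-byte little-endian lengths, or the A_MAX statement is reduced to what a 4-byte field allows. Because the tag covers these fields, an implementer following the pseudo-code literally and one following the A_MAX text will compute different tags for the same inputs, so the 2.8.2 test vector should be checked against whichever encoding is kept.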
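The construction of section 2.8.1, worked end to end as an added example (this is not the draft's own code, nor code from the authors): the ChaCha20 block function, Poly1305, the one-time key derivation of section 2.6, and AEAD encryption and decryption, with the tag check done by a constant-time comparison. It follows the A_MAX statement of section 2.8 (2^64-1 octets) and therefore encodes both length fields as 8-byte little-endian integers instead of the 4-byte fields written in the pseudo-code. Function names such as aead_encrypt, aead_decrypt and mac_data are this example's own. The key, nonce and AAD used in example_vector are the ones published alongside this plaintext in the test vector of the final RFC 7539 (section 2.8.2); they are not shown on this page and are included here only so the result can be checked.

```python
# Added example, not the draft's own code: pure-Python AEAD_CHACHA20_POLY1305
# following the pseudo-code of section 2.8.1 with 8-byte length fields.
import hmac
import struct

MASK32 = 0xFFFFFFFF


def rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(s, a, b, c, d):
    # ChaCha quarter round on four words of the 16-word state, in place.
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    # One 64-byte keystream block: constants, 256-bit key, 32-bit block
    # counter, 96-bit nonce; 20 rounds; then add the initial state back.
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8L", key))
    state.append(counter & MASK32)
    state += list(struct.unpack("<3L", nonce))
    w = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            quarter_round(w, a, b, c, d)
    return struct.pack("<16L", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_encrypt(key, counter, nonce, data):
    # XOR the data with successive keystream blocks starting at `counter`.
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def poly1305_mac(msg, key):
    # One-time authenticator: clamp r, read the message in 16-byte blocks
    # with a 0x01 byte appended, accumulate modulo 2^130-5, then add s.
    p = (1 << 130) - 5
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def poly1305_key_gen(key, nonce):
    # Section 2.6: the one-time Poly1305 key is the first 32 bytes of the
    # ChaCha20 block with counter 0.
    return chacha20_block(key, 0, nonce)[:32]


def pad16(x):
    return b"\x00" * (-len(x) % 16)


def mac_data(aad, ciphertext):
    # Data authenticated by Poly1305, laid out as in section 2.8.1. The
    # lengths are 8-byte little-endian here (the A_MAX text), not 4-byte.
    return (aad + pad16(aad) + ciphertext + pad16(ciphertext)
            + struct.pack("<Q", len(aad)) + struct.pack("<Q", len(ciphertext)))


def aead_encrypt(key, nonce, aad, plaintext):
    otk = poly1305_key_gen(key, nonce)
    ciphertext = chacha20_encrypt(key, 1, nonce, plaintext)
    return ciphertext, poly1305_mac(mac_data(aad, ciphertext), otk)


def aead_decrypt(key, nonce, aad, ciphertext, tag):
    # Verify before decrypting; the comparison is constant-time (section 4).
    otk = poly1305_key_gen(key, nonce)
    if not hmac.compare_digest(poly1305_mac(mac_data(aad, ciphertext), otk), tag):
        return None
    return chacha20_encrypt(key, 1, nonce, ciphertext)


# Test-vector inputs from RFC 7539 section 2.8.2 (same plaintext as shown
# above); key, nonce and AAD are taken from that RFC, not from this page.
TV_KEY = bytes(range(0x80, 0xA0))
TV_NONCE = bytes.fromhex("070000004041424344454647")
TV_AAD = bytes.fromhex("50515253c0c1c2c3c4c5c6c7")
TV_PLAINTEXT = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
                b"only one tip for the future, sunscreen would be it.")


def example_vector():
    return aead_encrypt(TV_KEY, TV_NONCE, TV_AAD, TV_PLAINTEXT)


if __name__ == "__main__":
    ct, tag = example_vector()
    print("ciphertext:", ct.hex())
    print("tag:", tag.hex())
    print("round trip ok:", aead_decrypt(TV_KEY, TV_NONCE, TV_AAD, ct, tag) == TV_PLAINTEXT)
```

The block is meant for reading and checking, not for production use: the big-integer Poly1305 and per-byte XOR are not constant-time in Python and are far slower than a real implementation. The one-time key is derived with block counter 0 and the bulk encryption starts at counter 1, which is why the two never share keystream; a nonce reused under the same key would break both confidentiality and the one-time property of the Poly1305 key at once.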
| skipping to change at page 24, line 42 | skipping to change at page 24, line 42 | |||
| reveals how long a prefix of the calculated and received tags is | reveals how long a prefix of the calculated and received tags is | |||
| identical, the number of messages can be reduced significantly. For | identical, the number of messages can be reduced significantly. For | |||
| this reason, with online protocols, implementation MUST use a | this reason, with online protocols, implementation MUST use a | |||
| constant-time comparison function rather than relying on optimized | constant-time comparison function rather than relying on optimized | |||
| but insecure library functions such as the C language's memcmp(). | but insecure library functions such as the C language's memcmp(). | |||
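The point made in the paragraph above, as an added example that is not part of the draft: two tag comparators whose return value includes the number of bytes they examined. That count is a deterministic stand-in for the time an observer could measure, and shows why an early-exit comparison such as memcmp() reveals the length of the matching prefix while an accumulate-and-decide-at-the-end loop does not. The function names and the constructed tag and guesses are this example's own.

```python
# Added example, not from the draft: early-exit versus constant-time tag
# comparison, instrumented with a byte count instead of wall-clock timing.
import hmac


def early_exit_compare(a, b):
    # Mirrors a memcmp-style loop: returns at the first mismatch, so the
    # work done grows with how many leading bytes of the guess are right.
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a, b):
    # OR-accumulates the XOR of every byte pair and decides only at the end,
    # so the work depends on the length alone, never on where bytes differ.
    # Tag lengths are public, so returning early on a length mismatch is fine.
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def work_profile(tag, guesses):
    # For each candidate tag, how many bytes each comparator touched:
    # (early_exit_examined, constant_time_examined).
    return [(early_exit_compare(tag, g)[1], constant_time_compare(tag, g)[1])
            for g in guesses]


def verify_tag(expected, received):
    # What production code should call: the standard library's constant-time
    # comparison rather than a hand-rolled loop.
    return hmac.compare_digest(expected, received)


# Constructed data: a 16-byte tag and guesses sharing 0, 1, 4 and 16 leading bytes.
TAG = bytes(range(16))
GUESSES = [bytes([0xFF] * 16),
           TAG[:1] + bytes([0xFF] * 15),
           TAG[:4] + bytes([0xFF] * 12),
           TAG]

if __name__ == "__main__":
    for guess, (early, const) in zip(GUESSES, work_profile(TAG, GUESSES)):
        print(guess.hex(), "early-exit examined", early, "constant-time examined", const)
```

With the early-exit comparator the examined count climbs as more leading bytes of a guess are correct, which is exactly the per-byte signal an online attacker could collect from response timing; the constant-time version examines all 16 bytes every time. In Python the hand-written loop is only illustrative, since interpreter overhead is not itself constant-time; hmac.compare_digest is the call to use.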
| 5. IANA Considerations | 5. IANA Considerations | |||
| IANA is requested to assign an entry in the "Authenticated Encryption | IANA is requested to assign an entry in the "Authenticated Encryption | |||
| with Associated Data (AEAD) Parameters" registry with | with Associated Data (AEAD) Parameters" registry with | |||
| "AEAD_CHACHA20-POLY1305" as the name and this document as reference. | "AEAD_CHACHA20_POLY1305" as the name and this document as reference. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| ChaCha20 and Poly1305 were invented by Daniel J. Bernstein. The | ChaCha20 and Poly1305 were invented by Daniel J. Bernstein. The | |||
| AEAD construction and the method of creating the one-time Poly1305 | AEAD construction and the method of creating the one-time Poly1305 | |||
| key were invented by Adam Langley. | key were invented by Adam Langley. | |||
| Thanks to Robert Ransom, Watson Ladd, Stefan Buhler, Dan Harkins, and | Thanks to Robert Ransom, Watson Ladd, Stefan Buhler, Dan Harkins, and | |||
| Kenny Paterson for their helpful comments and explanations. Thanks | Kenny Paterson for their helpful comments and explanations. Thanks | |||
| to Niels Moeller for suggesting the more efficient AEAD construction | to Niels Moeller for suggesting the more efficient AEAD construction | |||
| End of changes. 9 change blocks. | ||||
| 11 lines changed or deleted | 11 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||