| draft-nir-cfrg-chacha20-poly1305-01.txt | draft-nir-cfrg-chacha20-poly1305-02.txt |
|---|---|
| Network Working Group Y. Nir | Network Working Group Y. Nir |
| Internet-Draft Check Point | Internet-Draft Check Point |
| Intended status: Informational A. Langley | Intended status: Informational A. Langley |
| Expires: August 4, 2014 Google Inc | Expires: October 5, 2014 Google Inc |
| January 31, 2014 | April 3, 2014 |
| ChaCha20 and Poly1305 for IETF protocols | ChaCha20 and Poly1305 for IETF protocols |
| draft-nir-cfrg-chacha20-poly1305-01 | draft-nir-cfrg-chacha20-poly1305-02 |
| Abstract | Abstract |
| This document defines the ChaCha20 stream cipher, as well as the use of the Poly1305 authenticator, both as stand-alone algorithms, and as a "combined mode", or Authenticated Encryption with Additional Data (AEAD) algorithm. | This document defines the ChaCha20 stream cipher, as well as the use of the Poly1305 authenticator, both as stand-alone algorithms, and as a "combined mode", or Authenticated Encryption with Additional Data (AEAD) algorithm. |
| This document does not introduce any new crypto, but is meant to serve as a stable reference and an implementation guide. | This document does not introduce any new crypto, but is meant to serve as a stable reference and an implementation guide. |
| skipping to change at page 1, line 37 | skipping to change at page 1, line 37 |
| Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. | Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." | Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on August 4, 2014. | This Internet-Draft will expire on October 5, 2014. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. | Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents | This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents |
| skipping to change at page 2, line 22 | skipping to change at page 2, line 22 |
| 2.2. A Quarter Round on the ChaCha State . . . 5 | 2.2. A Quarter Round on the ChaCha State . . . 5 |
| 2.2.1. Test Vector for the Quarter Round on the ChaCha state . . . 5 | 2.2.1. Test Vector for the Quarter Round on the ChaCha state . . . 5 |
| 2.3. The ChaCha20 block Function . . . 6 | 2.3. The ChaCha20 block Function . . . 6 |
| 2.3.1. Test Vector for the ChaCha20 Block Function . . . 7 | 2.3.1. Test Vector for the ChaCha20 Block Function . . . 7 |
| 2.4. The ChaCha20 encryption algorithm . . . 8 | 2.4. The ChaCha20 encryption algorithm . . . 8 |
| 2.4.1. Example and Test Vector for the ChaCha20 Cipher . . . 9 | 2.4.1. Example and Test Vector for the ChaCha20 Cipher . . . 9 |
| 2.5. The Poly1305 algorithm . . . 10 | 2.5. The Poly1305 algorithm . . . 10 |
| 2.5.1. Poly1305 Example and Test Vector . . . 12 | 2.5.1. Poly1305 Example and Test Vector . . . 12 |
| 2.6. Generating the Poly1305 key using ChaCha20 . . . 13 | 2.6. Generating the Poly1305 key using ChaCha20 . . . 13 |
| 2.7. AEAD Construction . . . 14 | 2.6.1. Poly1305 Key Generation Test Vector . . . 14 |
| 2.7.1. Example and Test Vector for AEAD_CHACHA20-POLY1305 . . . 15 | 2.7. AEAD Construction . . . 15 |
| 3. Implementation Advice . . . 17 | 2.7.1. Example and Test Vector for AEAD_CHACHA20-POLY1305 . . . 16 |
| 4. Security Considerations . . . 18 | 3. Implementation Advice . . . 18 |
| 5. IANA Considerations . . . 19 | 4. Security Considerations . . . 19 |
| 6. Acknowledgements . . . 19 | 5. IANA Considerations . . . 20 |
| 7. References . . . 19 | 6. Acknowledgements . . . 20 |
| 7.1. Normative References . . . 19 | 7. References . . . 20 |
| 7.2. Informative References . . . 19 | 7.1. Normative References . . . 20 |
| Authors' Addresses . . . 20 | 7.2. Informative References . . . 20 |
| | Authors' Addresses . . . 21 |
| 1. Introduction | 1. Introduction |
| The Advanced Encryption Standard (AES - [FIPS-197]) has become the gold standard in encryption. Its efficient design, wide implementation, and hardware support allow for high performance in many areas. On most modern platforms, AES is anywhere from 4x to 10x as fast as the previous most-used cipher, 3-key Data Encryption Standard (3DES - [FIPS-46]), which makes it not only the best choice, but the only choice. | The Advanced Encryption Standard (AES - [FIPS-197]) has become the gold standard in encryption. Its efficient design, wide implementation, and hardware support allow for high performance in many areas. On most modern platforms, AES is anywhere from 4x to 10x as fast as the previous most-used cipher, 3-key Data Encryption Standard (3DES - [FIPS-46]), which makes it not only the best choice, but the only choice. |
| skipping to change at page 14, line 32 | skipping to change at page 14, line 32 |
| time Poly1305 key: The first 128 bits are clamped, and form "r", while the next 128 bits become "s". The other 256 bits are discarded. | time Poly1305 key: The first 128 bits are clamped, and form "r", while the next 128 bits become "s". The other 256 bits are discarded. |
| Note that while many protocols have provisions for a nonce for encryption algorithms (often called Initialization Vectors, or IVs), they usually don't have such a provision for the MAC function. In that case the per-invocation nonce will have to come from somewhere else, such as a message counter. | Note that while many protocols have provisions for a nonce for encryption algorithms (often called Initialization Vectors, or IVs), they usually don't have such a provision for the MAC function. In that case the per-invocation nonce will have to come from somewhere else, such as a message counter. |
| | 2.6.1. Poly1305 Key Generation Test Vector |
| | For this example, we'll set: |
| | Key: |
| | 000 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f ................ |
| | 016 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f ................ |
| | Nonce: |
| | 000 00 00 00 00 00 01 02 03 04 05 06 07 ............ |
| | The ChaCha state set up with key, nonce, and block counter zero: |
| | 61707865 3320646e 79622d32 6b206574 |
| | 83828180 87868584 8b8a8988 8f8e8d8c |
| | 93929190 97969594 9b9a9998 9f9e9d9c |
| | 00000000 00000000 03020100 07060504 |
| | The ChaCha state after 20 rounds: |
| | 8ba0d58a cc815f90 27405081 7194b24a |
| | 37b633a8 a50dfde3 e2b8db08 46a6d1fd |
| | 7da03782 9183a233 148ad271 b46773d1 |
| | 3cc1875a 8607def1 ca5c3086 7085eb87 |
| | Output bytes: |
| | 000 8a d5 a0 8b 90 5f 81 cc 81 50 40 27 4a b2 94 71 ....._...P@'J..q |
| | 016 a8 33 b6 37 e3 fd 0d a5 08 db b8 e2 fd d1 a6 46 .3.7...........F |
| | And that output is also the 32-byte one-time key used for Poly1305. |
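The key-generation step the test vector above walks through, as an added Python example that is not part of the draft: it builds the ChaCha state in the layout shown (constants, key words, block counter zero, three nonce words, all little-endian), runs the 20 rounds, and keeps the first 32 output bytes as the Poly1305 key. The key and nonce are the ones from the vector; the function names are this example's own.

```python
"""ChaCha20 block function feeding the Poly1305 one-time key (added example,
not the draft's code). State layout as in the test vector: 4 constants,
8 key words, 1 block counter, 3 nonce words, all little-endian 32-bit."""
import struct

MASK32 = 0xFFFFFFFF


def rotl32(v: int, c: int) -> int:
    """Rotate a 32-bit word left by c bits."""
    return ((v << c) & MASK32) | (v >> (32 - c))


def quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    """The ChaCha quarter round, applied in place to words a, b, c, d."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """Return the 64-byte ChaCha20 block for (key, counter, nonce)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    work = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        quarter_round(work, 0, 4, 8, 12)   # column rounds
        quarter_round(work, 1, 5, 9, 13)
        quarter_round(work, 2, 6, 10, 14)
        quarter_round(work, 3, 7, 11, 15)
        quarter_round(work, 0, 5, 10, 15)  # diagonal rounds
        quarter_round(work, 1, 6, 11, 12)
        quarter_round(work, 2, 7, 8, 13)
        quarter_round(work, 3, 4, 9, 14)
    # Add the input state back in and serialise each word little-endian.
    return struct.pack("<16I", *[(w + s) & MASK32 for w, s in zip(work, state)])


def poly1305_key_gen(key: bytes, nonce: bytes) -> bytes:
    """One-time Poly1305 key: block counter 0, keep the first 32 output bytes."""
    return chacha20_block(key, 0, nonce)[:32]


# Key and nonce from the draft's test vector (Section 2.6.1).
TEST_KEY = bytes(range(0x80, 0xA0))
TEST_NONCE = bytes.fromhex("000000000001020304050607")
```

Running `poly1305_key_gen(TEST_KEY, TEST_NONCE).hex()` reproduces the 32 output bytes listed in the vector; the remaining 32 bytes of the block are the ones the text says are discarded.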
| 2.7. AEAD Construction | 2.7. AEAD Construction |
| Note: Much of the content of this document, including this AEAD construction is taken from Adam Langley's draft ([agl-draft]) for the use of these algorithms in TLS. The AEAD construction described here is called AEAD_CHACHA20-POLY1305. | Note: Much of the content of this document, including this AEAD construction is taken from Adam Langley's draft ([agl-draft]) for the use of these algorithms in TLS. The AEAD construction described here is called AEAD_CHACHA20-POLY1305. |
| AEAD_CHACHA20-POLY1305 is an authenticated encryption with additional data algorithm. The inputs to AEAD_CHACHA20-POLY1305 are: | AEAD_CHACHA20-POLY1305 is an authenticated encryption with additional data algorithm. The inputs to AEAD_CHACHA20-POLY1305 are: |
| o A 256-bit key | o A 256-bit key |
| skipping to change at page 18, line 14 | skipping to change at page 18, line 48 |
| on the copy. This way, for the next block you don't need to recreate the state, but only to increment the block counter. This saves approximately 5.5% of the cycles. | on the copy. This way, for the next block you don't need to recreate the state, but only to increment the block counter. This saves approximately 5.5% of the cycles. |
| It is NOT RECOMMENDED to use a generic big number library such as the one in OpenSSL for the arithmetic operations in Poly1305. Such libraries use dynamic allocation to be able to handle any-sized integer, but that flexibility comes at the expense of performance as well as side-channel security. More efficient implementations that run in constant time are available, one of them in DJB's own library, NaCl ([NaCl]). | It is NOT RECOMMENDED to use a generic big number library such as the one in OpenSSL for the arithmetic operations in Poly1305. Such libraries use dynamic allocation to be able to handle any-sized integer, but that flexibility comes at the expense of performance as well as side-channel security. More efficient implementations that run in constant time are available, one of them in DJB's own library, NaCl ([NaCl]). A constant-time but not optimal approach would be to naively implement the arithmetic operations for 288-bit integers, because even a naive implementation will not exceed 2^288 in the multiplication of (acc+block) and r. An efficient constant-time implementation can be found in the public domain library poly1305-donna ([poly1305_donna]). |
| 4. Security Considerations | 4. Security Considerations |
| The ChaCha20 cipher is designed to provide 256-bit security. | The ChaCha20 cipher is designed to provide 256-bit security. |
| The Poly1305 authenticator is designed to ensure that forged messages are rejected with a probability of 1-(n/(2^102)) for a 16n-byte message, even after sending 2^64 legitimate messages, so it is SUF-CMA in the terminology of [AE]. | The Poly1305 authenticator is designed to ensure that forged messages are rejected with a probability of 1-(n/(2^102)) for a 16n-byte message, even after sending 2^64 legitimate messages, so it is SUF-CMA in the terminology of [AE]. |
| skipping to change at page 20, line 23 | skipping to change at page 21, line 17 |
| <http://nacl.cace-project.eu/index.html>. | <http://nacl.cace-project.eu/index.html>. |
| [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, January 2008. | [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, January 2008. |
| [agl-draft] Langley, A. and W. Chang, "ChaCha20 and Poly1305 based Cipher Suites for TLS", draft-agl-tls-chacha20poly1305-04 (work in progress), November 2013. | [agl-draft] Langley, A. and W. Chang, "ChaCha20 and Poly1305 based Cipher Suites for TLS", draft-agl-tls-chacha20poly1305-04 (work in progress), November 2013. |
| | [poly1305_donna] Floodyberry, A., "Poly1305-donna", <https://github.com/floodyberry/poly1305-donna>. |
| [standby-cipher] McGrew, D., Grieco, A., and Y. Sheffer, "Selection of Future Cryptographic Standards", draft-mcgrew-standby-cipher (work in progress). | [standby-cipher] McGrew, D., Grieco, A., and Y. Sheffer, "Selection of Future Cryptographic Standards", draft-mcgrew-standby-cipher (work in progress). |
| Authors' Addresses | Authors' Addresses |
| Yoav Nir | Yoav Nir |
| Check Point Software Technologies Ltd. | Check Point Software Technologies Ltd. |
| 5 Hasolelim st. | 5 Hasolelim st. |
| Tel Aviv 6789735 | Tel Aviv 6789735 |
| Israel | Israel |
| Email: synp71@live.com | Email: ynir.ietf@gmail.com |
| Adam Langley | Adam Langley |
| Google Inc | Google Inc |
| Email: agl@google.com | Email: agl@google.com |
| End of changes. 8 change blocks. | |
| 16 lines changed or deleted | 55 lines changed or added |
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||