| < draft-nir-cfrg-chacha20-poly1305-02.txt | draft-nir-cfrg-chacha20-poly1305-03.txt > | |||
|---|---|---|---|---|
| Network Working Group Y. Nir | Network Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Informational A. Langley | Intended status: Informational A. Langley | |||
| Expires: October 5, 2014 Google Inc | Expires: November 8, 2014 Google Inc | |||
| April 3, 2014 | May 7, 2014 | |||
| ChaCha20 and Poly1305 for IETF protocols | ChaCha20 and Poly1305 for IETF protocols | |||
| draft-nir-cfrg-chacha20-poly1305-02 | draft-nir-cfrg-chacha20-poly1305-03 | |||
| Abstract | Abstract | |||
| This document defines the ChaCha20 stream cipher, as well as the use | This document defines the ChaCha20 stream cipher, as well as the use | |||
| of the Poly1305 authenticator, both as stand-alone algorithms, and as | of the Poly1305 authenticator, both as stand-alone algorithms, and as | |||
| a "combined mode", or Authenticated Encryption with Additional Data | a "combined mode", or Authenticated Encryption with Additional Data | |||
| (AEAD) algorithm. | (AEAD) algorithm. | |||
| This document does not introduce any new crypto, but is meant to | This document does not introduce any new crypto, but is meant to | |||
| serve as a stable reference and an implementation guide. | serve as a stable reference and an implementation guide. | |||
| skipping to change at page 1, line 37 ¶ | skipping to change at page 1, line 37 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 5, 2014. | This Internet-Draft will expire on November 8, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 19 ¶ | skipping to change at page 2, line 19 ¶ | |||
| 2. The Algorithms . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. The Algorithms . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. The ChaCha Quarter Round . . . . . . . . . . . . . . . . . 4 | 2.1. The ChaCha Quarter Round . . . . . . . . . . . . . . . . . 4 | |||
| 2.1.1. Test Vector for the ChaCha Quarter Round . . . . . . . 4 | 2.1.1. Test Vector for the ChaCha Quarter Round . . . . . . . 4 | |||
| 2.2. A Quarter Round on the ChaCha State . . . . . . . . . . . 5 | 2.2. A Quarter Round on the ChaCha State . . . . . . . . . . . 5 | |||
| 2.2.1. Test Vector for the Quarter Round on the ChaCha | 2.2.1. Test Vector for the Quarter Round on the ChaCha | |||
| state . . . . . . . . . . . . . . . . . . . . . . . . 5 | state . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.3. The ChaCha20 block Function . . . . . . . . . . . . . . . 6 | 2.3. The ChaCha20 block Function . . . . . . . . . . . . . . . 6 | |||
| 2.3.1. Test Vector for the ChaCha20 Block Function . . . . . 7 | 2.3.1. Test Vector for the ChaCha20 Block Function . . . . . 7 | |||
| 2.4. The ChaCha20 encryption algorithm . . . . . . . . . . . . 8 | 2.4. The ChaCha20 encryption algorithm . . . . . . . . . . . . 8 | |||
| 2.4.1. Example and Test Vector for the ChaCha20 Cipher . . . 9 | 2.4.1. Example and Test Vector for the ChaCha20 Cipher . . . 9 | |||
| 2.5. The Poly1305 algorithm . . . . . . . . . . . . . . . . . . 10 | 2.5. The Poly1305 algorithm . . . . . . . . . . . . . . . . . . 11 | |||
| 2.5.1. Poly1305 Example and Test Vector . . . . . . . . . . . 12 | 2.5.1. Poly1305 Example and Test Vector . . . . . . . . . . . 12 | |||
| 2.6. Generating the Poly1305 key using ChaCha20 . . . . . . . . 13 | 2.6. Generating the Poly1305 key using ChaCha20 . . . . . . . . 14 | |||
| 2.6.1. Poly1305 Key Generation Test Vector . . . . . . . . . 14 | 2.6.1. Poly1305 Key Generation Test Vector . . . . . . . . . 14 | |||
| 2.7. AEAD Construction . . . . . . . . . . . . . . . . . . . . 15 | 2.7. A Pseudo-Random Function for ChaCha/Poly-1305 based | |||
| 2.7.1. Example and Test Vector for AEAD_CHACHA20-POLY1305 . . 16 | Crypto Suites . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 3. Implementation Advice . . . . . . . . . . . . . . . . . . . . 18 | 2.8. AEAD Construction . . . . . . . . . . . . . . . . . . . . 16 | |||
| 2.8.1. Example and Test Vector for AEAD_CHACHA20-POLY1305 . . 17 | ||||
| 3. Implementation Advice . . . . . . . . . . . . . . . . . . . . 19 | ||||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 20 | 7.1. Normative References . . . . . . . . . . . . . . . . . . . 21 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 20 | 7.2. Informative References . . . . . . . . . . . . . . . . . . 21 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21 | Appendix A. Additional Test Vectors . . . . . . . . . . . . . . . 22 | |||
| A.1. The ChaCha20 Block Functions . . . . . . . . . . . . . . . 22 | ||||
| A.2. ChaCha20 Encryption . . . . . . . . . . . . . . . . . . . 25 | ||||
| A.3. Poly1305 Message Authentication Code . . . . . . . . . . . 28 | ||||
| A.4. Poly1305 Key Generation Using ChaCha20 . . . . . . . . . . 32 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33 | ||||
| 1. Introduction | 1. Introduction | |||
| The Advanced Encryption Standard (AES - [FIPS-197]) has become the | The Advanced Encryption Standard (AES - [FIPS-197]) has become the | |||
| gold standard in encryption. Its efficient design, wide | gold standard in encryption. Its efficient design, wide | |||
| implementation, and hardware support allow for high performance in | implementation, and hardware support allow for high performance in | |||
| many areas. On most modern platforms, AES is anywhere from 4x to 10x | many areas. On most modern platforms, AES is anywhere from 4x to 10x | |||
| as fast as the previous most-used cipher, 3-key Data Encryption | as fast as the previous most-used cipher, 3-key Data Encryption | |||
| Standard (3DES - [FIPS-46]), which makes it not only the best choice, | Standard (3DES - [FIPS-46]), which makes it not only the best choice, | |||
| but the only choice. | but the only practical choice. | |||
| The problem is that if future advances in cryptanalysis reveal a | The problem is that if future advances in cryptanalysis reveal a | |||
| weakness in AES, users will be in an unenviable position. With the | weakness in AES, users will be in an unenviable position. With the | |||
| only other widely supported cipher being the much slower 3DES, it is | only other widely supported cipher being the much slower 3DES, it is | |||
| not feasible to re-configure implementations to use 3DES. | not feasible to re-configure implementations to use 3DES. | |||
| [standby-cipher] describes this issue and the need for a standby | [standby-cipher] describes this issue and the need for a standby | |||
| cipher in greater detail. | cipher in greater detail. | |||
| This document defines such a standby cipher. We use ChaCha20 | This document defines such a standby cipher. We use ChaCha20 | |||
| ([chacha]) with or without the Poly1305 ([poly1305]) authenticator. | ([chacha]) with or without the Poly1305 ([poly1305]) authenticator. | |||
| These algorithms are not just fast and secure. They are fast even if | These algorithms are not just fast and secure. They are fast even in | |||
| software-only C-language implementations, allowing for much quicker | software-only C-language implementations, allowing for much quicker | |||
| deployment when compared with algorithms such as AES that are | deployment when compared with algorithms such as AES that are | |||
| significantly accelerated by hardware implementations. | significantly accelerated by hardware implementations. | |||
| These document does not introduce these new algorithms. They have | These document does not introduce these new algorithms. They have | |||
| been defined in scientific papers by D. J. Bernstein, which are | been defined in scientific papers by D. J. Bernstein, which are | |||
| referenced by this document. The purpose of this document is to | referenced by this document. The purpose of this document is to | |||
| serve as a stable reference for IETF documents making use of these | serve as a stable reference for IETF documents making use of these | |||
| algorithms. | algorithms. | |||
| skipping to change at page 6, line 44 ¶ | skipping to change at page 6, line 44 ¶ | |||
| Note also that the original ChaCha had a 64-bit nonce and 64-bit | Note also that the original ChaCha had a 64-bit nonce and 64-bit | |||
| block count. We have modified this here to be more consistent with | block count. We have modified this here to be more consistent with | |||
| recommendations in section 3.2 of [RFC5116]. This limits the use of | recommendations in section 3.2 of [RFC5116]. This limits the use of | |||
| a single (key,nonce) combination to 2^32 blocks, or 256 GB, but that | a single (key,nonce) combination to 2^32 blocks, or 256 GB, but that | |||
| is enough for most uses. In cases where a single key is used by | is enough for most uses. In cases where a single key is used by | |||
| multiple senders, it is important to make sure that they don't use | multiple senders, it is important to make sure that they don't use | |||
| the same nonces. This can be assured by partitioning the nonce space | the same nonces. This can be assured by partitioning the nonce space | |||
| so that the first 32 bits are unique per sender, while the other 64 | so that the first 32 bits are unique per sender, while the other 64 | |||
| bits come from a counter. | bits come from a counter. | |||
| The ChaCha20 as follows: | The ChaCha20 state is initialized as follows: | |||
| o The first 4 words (0-3) are constants: 0x61707865, 0x3320646e, | o The first 4 words (0-3) are constants: 0x61707865, 0x3320646e, | |||
| 0x79622d32, 0x6b206574. | 0x79622d32, 0x6b206574. | |||
| o The next 8 words (4-11) are taken from the 256-bit key by reading | o The next 8 words (4-11) are taken from the 256-bit key by reading | |||
| the bytes in little-endian order, in 4-byte chunks. | the bytes in little-endian order, in 4-byte chunks. | |||
| o Word 12 is a block counter. Since each block is 64-byte, a 32-bit | o Word 12 is a block counter. Since each block is 64-byte, a 32-bit | |||
| word is enough for 256 Gigabytes of data. | word is enough for 256 Gigabytes of data. | |||
| o Words 13-15 are a nonce, which should not be repeated for the same | o Words 13-15 are a nonce, which should not be repeated for the same | |||
| key. The 13th word is the first 32 bits of the input nonce taken | key. The 13th word is the first 32 bits of the input nonce taken | |||
| as a little-endian integer, while the 15th word is the last 32 | as a little-endian integer, while the 15th word is the last 32 | |||
| skipping to change at page 8, line 25 ¶ | skipping to change at page 8, line 25 ¶ | |||
| Finally we add the original state to the result (simple vector or | Finally we add the original state to the result (simple vector or | |||
| matrix addition), giving this: | matrix addition), giving this: | |||
| ChaCha State at the end of the ChaCha20 operation | ChaCha State at the end of the ChaCha20 operation | |||
| e4e7f110 15593bd1 1fdd0f50 c47120a3 | e4e7f110 15593bd1 1fdd0f50 c47120a3 | |||
| c7f4d1c7 0368c033 9aaa2204 4e6cd4c3 | c7f4d1c7 0368c033 9aaa2204 4e6cd4c3 | |||
| 466482d2 09aa9f07 05d7c214 a2028bd9 | 466482d2 09aa9f07 05d7c214 a2028bd9 | |||
| d19c12b5 b94e16de e883d0cb 4e3c50a2 | d19c12b5 b94e16de e883d0cb 4e3c50a2 | |||
| After we serialize the state, we get this: | ||||
| Serialized Block: | ||||
| 000 10 f1 e7 e4 d1 3b 59 15 50 0f dd 1f a3 20 71 c4 .....;Y.P.... q. | ||||
| 016 c7 d1 f4 c7 33 c0 68 03 04 22 aa 9a c3 d4 6c 4e ....3.h.."....lN | ||||
| 032 d2 82 64 46 07 9f aa 09 14 c2 d7 05 d9 8b 02 a2 ..dF............ | ||||
| 048 b5 12 9c d1 de 16 4e b9 cb d0 83 e8 a2 50 3c 4e ......N......P<N | ||||
| 2.4. The ChaCha20 encryption algorithm | 2.4. The ChaCha20 encryption algorithm | |||
| ChaCha20 is a stream cipher designed by D. J. Bernstein. It is a | ChaCha20 is a stream cipher designed by D. J. Bernstein. It is a | |||
| refinement of the Salsa20 algorithm, and uses a 256-bit key. | refinement of the Salsa20 algorithm, and uses a 256-bit key. | |||
| ChaCha20 successively calls the ChaCha20 block function, with the | ChaCha20 successively calls the ChaCha20 block function, with the | |||
| same key and nonce, and with successively increasing block counter | same key and nonce, and with successively increasing block counter | |||
| parameters. The resulting state is then serialized by writing the | parameters. The resulting state is then serialized by writing the | |||
| numbers in little-endian order. Concatenating the results from the | numbers in little-endian order, creating a key-stream block. | |||
| successive blocks forms a key stream, which is then XOR-ed with the | Concatenating the key-stream blocks from the successive blocks forms | |||
| plaintext. There is no requirement for the plaintext to be an | a key stream, which is then XOR-ed with the plaintext. | |||
| integral multiple of 512-bits. If there is extra keystream from the | Alternatively, each key-stream block can be XOR-ed with a plaintext | |||
| last block, it is discarded. Specific protocols MAY require that the | block before proceeding to create the next block, saving some memory. | |||
| plaintext and ciphertext have certain length. Such protocols need to | There is no requirement for the plaintext to be an integral multiple | |||
| specify how the plaintext is padded, and how much padding it | of 512-bits. If there is extra keystream from the last block, it is | |||
| receives. | discarded. Specific protocols MAY require that the plaintext and | |||
| ciphertext have certain length. Such protocols need to specify how | ||||
| the plaintext is padded, and how much padding it receives. | ||||
| The inputs to ChaCha20 are: | The inputs to ChaCha20 are: | |||
| o A 256-bit key | o A 256-bit key | |||
| o A 32-bit initial counter. This can be set to any number, but will | o A 32-bit initial counter. This can be set to any number, but will | |||
| usually be zero or one. It makes sense to use 1 if we use the | usually be zero or one. It makes sense to use 1 if we use the | |||
| zero block for something else, such as generating a one-time | zero block for something else, such as generating a one-time | |||
| authenticator key as part of an AEAD algorithm. | authenticator key as part of an AEAD algorithm. | |||
| o A 96-bit nonce. In some protocols, this is known as the | o A 96-bit nonce. In some protocols, this is known as the | |||
| Initialization Vector. | Initialization Vector. | |||
| o an arbitrary-length plaintext | o an arbitrary-length plaintext | |||
| The output is an encrypted message of the same length. | The output is an encrypted message of the same length. | |||
| Decryption is done in the same way. The ChaCha20 block function is | ||||
| used to expand the key into a key stream, which is XOR-ed with the | ||||
| ciphertext giving back the plaintext. | ||||
| 2.4.1. Example and Test Vector for the ChaCha20 Cipher | 2.4.1. Example and Test Vector for the ChaCha20 Cipher | |||
| For a test vector, we will use the following inputs to the ChaCha20 | For a test vector, we will use the following inputs to the ChaCha20 | |||
| block function: | block function: | |||
| o Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13: | o Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13: | |||
| 14:15:16:17:18:19:1a:1b:1c:1d:1e:1f. | 14:15:16:17:18:19:1a:1b:1c:1d:1e:1f. | |||
| o Nonce = (00:00:00:00:00:00:00:4a:00:00:00:00). | o Nonce = (00:00:00:00:00:00:00:4a:00:00:00:00). | |||
| o Initial Counter = 1. | o Initial Counter = 1. | |||
| We use the following for the plaintext. It was chosen to be long | We use the following for the plaintext. It was chosen to be long | |||
| skipping to change at page 13, line 49 ¶ | skipping to change at page 14, line 13 ¶ | |||
| Tag: a8:06:1d:c1:30:51:36:c6:c2:2b:8b:af:0c:01:27:a9 | Tag: a8:06:1d:c1:30:51:36:c6:c2:2b:8b:af:0c:01:27:a9 | |||
| 2.6. Generating the Poly1305 key using ChaCha20 | 2.6. Generating the Poly1305 key using ChaCha20 | |||
| As said in Section 2.5, it is acceptable to generate the one-time | As said in Section 2.5, it is acceptable to generate the one-time | |||
| Poly1305 pseudo-randomly. This section proposes such a method. | Poly1305 pseudo-randomly. This section proposes such a method. | |||
| To generate such a key pair (r,s), we will use the ChaCha20 block | To generate such a key pair (r,s), we will use the ChaCha20 block | |||
| function described in Section 2.3. This assumes that we have a 256- | function described in Section 2.3. This assumes that we have a 256- | |||
| bit session key for the MAC function, such as SK_ai and SK_ar in | bit session key for the MAC function, such as SK_ai and SK_ar in | |||
| IKEv2, the integrity key in ESP and AH, or the client_write_MAC_key | IKEv2 ([RFC5996]), the integrity key in ESP and AH, or the | |||
| and server_write_MAC_key in TLS. Any document that specifies the use | client_write_MAC_key and server_write_MAC_key in TLS. Any document | |||
| of Poly1305 as a MAC algorithm for some protocol must specify that | that specifies the use of Poly1305 as a MAC algorithm for some | |||
| 256 bits are allocated for the integrity key. | protocol must specify that 256 bits are allocated for the integrity | |||
| key. | ||||
| The method is to call the block function with the following | The method is to call the block function with the following | |||
| parameters: | parameters: | |||
| o The 256-bit session integrity key is used as the ChaCha20 key. | o The 256-bit session integrity key is used as the ChaCha20 key. | |||
| o The block counter is set to zero. | o The block counter is set to zero. | |||
| o The protocol will specify a 96-bit or 64-bit nonce. This MUST be | o The protocol will specify a 96-bit or 64-bit nonce. This MUST be | |||
| unique per invocation with the same key, so it MUST NOT be | unique per invocation with the same key, so it MUST NOT be | |||
| randomly generated. A counter is a good way to implement this, | randomly generated. A counter is a good way to implement this, | |||
| but other methods, such as an LFSR are also acceptable. ChaCha20 | but other methods, such as an LFSR are also acceptable. ChaCha20 | |||
| as specified here requires a 96-bit nonce. So if the provided | as specified here requires a 96-bit nonce. So if the provided | |||
| skipping to change at page 15, line 17 ¶ | skipping to change at page 15, line 26 ¶ | |||
| 37b633a8 a50dfde3 e2b8db08 46a6d1fd | 37b633a8 a50dfde3 e2b8db08 46a6d1fd | |||
| 7da03782 9183a233 148ad271 b46773d1 | 7da03782 9183a233 148ad271 b46773d1 | |||
| 3cc1875a 8607def1 ca5c3086 7085eb87 | 3cc1875a 8607def1 ca5c3086 7085eb87 | |||
| Output bytes: | Output bytes: | |||
| 000 8a d5 a0 8b 90 5f 81 cc 81 50 40 27 4a b2 94 71 ....._...P@'J..q | 000 8a d5 a0 8b 90 5f 81 cc 81 50 40 27 4a b2 94 71 ....._...P@'J..q | |||
| 016 a8 33 b6 37 e3 fd 0d a5 08 db b8 e2 fd d1 a6 46 .3.7...........F | 016 a8 33 b6 37 e3 fd 0d a5 08 db b8 e2 fd d1 a6 46 .3.7...........F | |||
| And that output is also the 32-byte one-time key used for Poly1305. | And that output is also the 32-byte one-time key used for Poly1305. | |||
| 2.7. AEAD Construction | 2.7. A Pseudo-Random Function for ChaCha/Poly-1305 based Crypto Suites | |||
| Some protocols such as IKEv2([RFC5996]) require a Pseudo-Random | ||||
| Function (PRF), mostly for key derivation. In the IKEv2 definition, | ||||
| a PRF is a function that accepts a variable-length key and a | ||||
| variable-length input, and returns a fixed-length output. This | ||||
| section does not specify such a function. | ||||
| Poly-1305 is an obvious choice, because MAC functions are often used | ||||
| as PRFs. However, Poly-1305 prohibits using the same key twice, | ||||
| whereas the PRF in IKEv2 is used multiple times with the same key. | ||||
| This issue can be solved by adding a nonce or a counter to Poly-1305, | ||||
| much as we do when using this function as a MAC, but that would | ||||
| require changing the interface for the PRF function. | ||||
| Chacha20 could be used as a key-derivation function, by generating an | ||||
| arbitrarily long keystream. However, that is not what protocols such | ||||
| as IKEv2 require. | ||||
| For this reason, this document does not specify a PRF, and recommends | ||||
| that crypto suites use some other PRF such as PRF_HMAC_SHA2_256 | ||||
| (section 2.1.2 of [RFC4868]) | ||||
| 2.8. AEAD Construction | ||||
| Note: Much of the content of this document, including this AEAD | Note: Much of the content of this document, including this AEAD | |||
| construction is taken from Adam Langley's draft ([agl-draft]) for the | construction is taken from Adam Langley's draft ([agl-draft]) for the | |||
| use of these algorithms in TLS. The AEAD construction described here | use of these algorithms in TLS. The AEAD construction described here | |||
| is called AEAD_CHACHA20-POLY1305. | is called AEAD_CHACHA20-POLY1305. | |||
| AEAD_CHACHA20-POLY1305 is an authenticated encryption with additional | AEAD_CHACHA20-POLY1305 is an authenticated encryption with additional | |||
| data algorithm. The inputs to AEAD_CHACHA20-POLY1305 are: | data algorithm. The inputs to AEAD_CHACHA20-POLY1305 are: | |||
| o A 256-bit key | o A 256-bit key | |||
| o A 96-bit nonce - different for each invocation with the same key. | o A 96-bit nonce - different for each invocation with the same key. | |||
| skipping to change at page 16, line 32 ¶ | skipping to change at page 17, line 16 ¶ | |||
| original design, reduce the nonce to 64 bits, and use the integer | original design, reduce the nonce to 64 bits, and use the integer | |||
| at position 13 as the top 32 bits of a 64-bit block counter, | at position 13 as the top 32 bits of a 64-bit block counter, | |||
| increasing the total message size to over a million petabytes | increasing the total message size to over a million petabytes | |||
| (1,180,591,620,717,411,303,360 bytes to be exact). | (1,180,591,620,717,411,303,360 bytes to be exact). | |||
| 2. Despite the previous item, the ciphertext length field in the | 2. Despite the previous item, the ciphertext length field in the | |||
| construction of the buffer on which Poly1305 runs limits the | construction of the buffer on which Poly1305 runs limits the | |||
| ciphertext (and hence, the plaintext) size to 2^64 bytes, or | ciphertext (and hence, the plaintext) size to 2^64 bytes, or | |||
| sixteen thousand petabytes (18,446,744,073,709,551,616 bytes to | sixteen thousand petabytes (18,446,744,073,709,551,616 bytes to | |||
| be exact). | be exact). | |||
| 2.7.1. Example and Test Vector for AEAD_CHACHA20-POLY1305 | 2.8.1. Example and Test Vector for AEAD_CHACHA20-POLY1305 | |||
| For a test vector, we will use the following inputs to the | For a test vector, we will use the following inputs to the | |||
| AEAD_CHACHA20-POLY1305 function: | AEAD_CHACHA20-POLY1305 function: | |||
| Plaintext: | Plaintext: | |||
| 000 4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c|Ladies and Gentl | 000 4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c|Ladies and Gentl | |||
| 016 65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73|emen of the clas | 016 65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73|emen of the clas | |||
| 032 73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63|s of '99: If I c | 032 73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63|s of '99: If I c | |||
| 048 6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f|ould offer you o | 048 6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f|ould offer you o | |||
| 064 6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20|nly one tip for | 064 6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20|nly one tip for | |||
| skipping to change at page 20, line 15 ¶ | skipping to change at page 21, line 7 ¶ | |||
| the result will some times be under 2^256 and some times be above | the result will some times be under 2^256 and some times be above | |||
| 2^256. Implementers should be careful about timing side-channels for | 2^256. Implementers should be careful about timing side-channels for | |||
| Poly1305 by using the appropriate implementation of these operations. | Poly1305 by using the appropriate implementation of these operations. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| There are no IANA considerations for this document. | There are no IANA considerations for this document. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| None of the algorithms here are my own. ChaCha20 and Poly1305 were | ChaCha20 and Poly1305 were invented by Daniel J. Bernstein. The AEAD | |||
| invented by Daniel J. Bernstein, and the AEAD construction was | construction and the method of creating the one-time poly1305 key | |||
| invented by Adam Langley. | were invented by Adam Langley. | |||
| Thanks to Robert Ransom and Ilari Liusvaara for their helpful | Thanks to Robert Ransom and Ilari Liusvaara for their helpful | |||
| comments and explanations. | comments and explanations. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| skipping to change at page 21, line 9 ¶ | skipping to change at page 21, line 46 ¶ | |||
| Encryption Standard (AES)", FIPS PUB 197, November 2001. | Encryption Standard (AES)", FIPS PUB 197, November 2001. | |||
| [FIPS-46] National Institute of Standards and Technology, "Data | [FIPS-46] National Institute of Standards and Technology, "Data | |||
| Encryption Standard", FIPS PUB 46-2, December 1993, | Encryption Standard", FIPS PUB 46-2, December 1993, | |||
| <http://www.itl.nist.gov/fipspubs/fip46-2.htm>. | <http://www.itl.nist.gov/fipspubs/fip46-2.htm>. | |||
| [NaCl] Bernstein, D., Lange, T., and P. Schwabe, "NaCl: | [NaCl] Bernstein, D., Lange, T., and P. Schwabe, "NaCl: | |||
| Networking and Cryptography library", | Networking and Cryptography library", | |||
| <http://nacl.cace-project.eu/index.html>. | <http://nacl.cace-project.eu/index.html>. | |||
| [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA- | ||||
| 384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007. | ||||
| [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | |||
| Encryption", RFC 5116, January 2008. | Encryption", RFC 5116, January 2008. | |||
| [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, | ||||
| "Internet Key Exchange Protocol Version 2 (IKEv2)", | ||||
| RFC 5996, September 2010. | ||||
| [agl-draft] | [agl-draft] | |||
| Langley, A. and W. Chang, "ChaCha20 and Poly1305 based | Langley, A. and W. Chang, "ChaCha20 and Poly1305 based | |||
| Cipher Suites for TLS", draft-agl-tls-chacha20poly1305-04 | Cipher Suites for TLS", draft-agl-tls-chacha20poly1305-04 | |||
| (work in progress), November 2013. | (work in progress), November 2013. | |||
| [poly1305_donna] | [poly1305_donna] | |||
| Floodyberry, A., "Poly1305-donna", | Floodyberry, A., "Poly1305-donna", | |||
| <https://github.com/floodyberry/poly1305-donna>. | <https://github.com/floodyberry/poly1305-donna>. | |||
| [standby-cipher] | [standby-cipher] | |||
| McGrew, D., Grieco, A., and Y. Sheffer, "Selection of | McGrew, D., Grieco, A., and Y. Sheffer, "Selection of | |||
| Future Cryptographic Standards", | Future Cryptographic Standards", | |||
| draft-mcgrew-standby-cipher (work in progress). | draft-mcgrew-standby-cipher (work in progress). | |||
| Appendix A. Additional Test Vectors | ||||
| The sub-sections of this appendix contain more test vectors for the | ||||
| algorithms in the sub-sections of Section 2. | ||||
| A.1. The ChaCha20 Block Functions | ||||
| Test Vector #1: | ||||
| ============== | ||||
| Key: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| Nonce: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ | ||||
| Block Counter = 0 | ||||
| ChaCha State at the end | ||||
| ade0b876 903df1a0 e56a5d40 28bd8653 | ||||
| b819d2bd 1aed8da0 ccef36a8 c70d778b | ||||
| 7c5941da 8d485751 3fe02477 374ad8b8 | ||||
| f4b8436a 1ca11815 69b687c3 8665eeb2 | ||||
| Keystream: | ||||
| 000 76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28 v.....=.@]j.S..( | ||||
| 016 bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7 .........6...w.. | ||||
| 032 da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37 .AY|QWH.w$.?..J7 | ||||
| 048 6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86 jC.........i..e. | ||||
| Test Vector #2: | ||||
| ============== | ||||
| Key: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| Nonce: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ | ||||
| Block Counter = 1 | ||||
| ChaCha State at the end | ||||
| bee7079f 7a385155 7c97ba98 0d082d73 | ||||
| a0290fcb 6965e348 3e53c612 ed7aee32 | ||||
| 7621b729 434ee69c b03371d5 d539d874 | ||||
| 281fed31 45fb0a51 1f0ae1ac 6f4d794b | ||||
| Keystream: | ||||
| 000 9f 07 e7 be 55 51 38 7a 98 ba 97 7c 73 2d 08 0d ....UQ8z...|s-.. | ||||
| 016 cb 0f 29 a0 48 e3 65 69 12 c6 53 3e 32 ee 7a ed ..).H.ei..S>2.z. | ||||
| 032 29 b7 21 76 9c e6 4e 43 d5 71 33 b0 74 d8 39 d5 ).!v..NC.q3.t.9. | ||||
| 048 31 ed 1f 28 51 0a fb 45 ac e1 0a 1f 4b 79 4d 6f 1..(Q..E....KyMo | ||||
| Test Vector #3: | ||||
| ============== | ||||
| Key: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ | ||||
| Nonce: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ | ||||
| Block Counter = 1 | ||||
| ChaCha State at the end | ||||
| 2452eb3a 9249f8ec 8d829d9b ddd4ceb1 | ||||
| e8252083 60818b01 f38422b8 5aaa49c9 | ||||
| bb00ca8e da3ba7b4 c4b592d1 fdf2732f | ||||
| 4436274e 2561b3c8 ebdd4aa6 a0136c00 | ||||
| Keystream: | ||||
| 000 3a eb 52 24 ec f8 49 92 9b 9d 82 8d b1 ce d4 dd :.R$..I......... | ||||
| 016 83 20 25 e8 01 8b 81 60 b8 22 84 f3 c9 49 aa 5a . %....`."...I.Z | ||||
| 032 8e ca 00 bb b4 a7 3b da d1 92 b5 c4 2f 73 f2 fd ......;...../s.. | ||||
| 048 4e 27 36 44 c8 b3 61 25 a6 4a dd eb 00 6c 13 a0 N'6D..a%.J...l.. | ||||
| Test Vector #4: | ||||
| ============== | ||||
| Key: | ||||
| 000 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| Nonce: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ | ||||
| Block Counter = 2 | ||||
| ChaCha State at the end | ||||
| fb4dd572 4bc42ef1 df922636 327f1394 | ||||
| a78dea8f 5e269039 a1bebbc1 caf09aae | ||||
| a25ab213 48a6b46c 1b9d9bcb 092c5be6 | ||||
| 546ca624 1bec45d5 87f47473 96f0992e | ||||
| Keystream: | ||||
| 000 72 d5 4d fb f1 2e c4 4b 36 26 92 df 94 13 7f 32 r.M....K6&....2 | ||||
| 016 8f ea 8d a7 39 90 26 5e c1 bb be a1 ae 9a f0 ca ....9.&^........ | ||||
| 032 13 b2 5a a2 6c b4 a6 48 cb 9b 9d 1b e6 5b 2c 09 ..Z.l..H.....[,. | ||||
| 048 24 a6 6c 54 d5 45 ec 1b 73 74 f4 87 2e 99 f0 96 $.lT.E..st...... | ||||
| Test Vector #5: | ||||
| ============== | ||||
| Key: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| Nonce: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ | ||||
| Block Counter = 0 | ||||
| ChaCha State at the end | ||||
| 374dc6c2 3736d58c b904e24a cd3f93ef | ||||
| 88228b1a 96a4dfb3 5b76ab72 c727ee54 | ||||
| 0e0e978a f3145c95 1b748ea8 f786c297 | ||||
| 99c28f5f 628314e8 398a19fa 6ded1b53 | ||||
| Keystream: | ||||
| 000 c2 c6 4d 37 8c d5 36 37 4a e2 04 b9 ef 93 3f cd ..M7..67J.....?. | ||||
| 016 1a 8b 22 88 b3 df a4 96 72 ab 76 5b 54 ee 27 c7 ..".....r.v[T.'. | ||||
| 032 8a 97 0e 0e 95 5c 14 f3 a8 8e 74 1b 97 c2 86 f7 .....\....t..... | ||||
| 048 5f 8f c2 99 e8 14 83 62 fa 19 8a 39 53 1b ed 6d _......b...9S..m | ||||
| A.2. ChaCha20 Encryption | ||||
| Test Vector #1: | ||||
| ============== | ||||
| Key: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| Nonce: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ | ||||
| Initial Block Counter = 0 | ||||
| Plaintext: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 032 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 048 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| Ciphertext: | ||||
| 000 76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28 v.....=.@]j.S..( | ||||
| 016 bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7 .........6...w.. | ||||
| 032 da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37 .AY|QWH.w$.?..J7 | ||||
| 048 6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86 jC.........i..e. | ||||
| Test Vector #2: | ||||
| ============== | ||||
| Key: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ | ||||
| Nonce: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ | ||||
| Initial Block Counter = 1 | ||||
| Plaintext: | ||||
| 000 41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74 Any submission t | ||||
| 016 6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e o the IETF inten | ||||
| 032 64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72 ded by the Contr | ||||
| 048 69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69 ibutor for publi | ||||
| 064 63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72 cation as all or | ||||
| 080 20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46 part of an IETF | ||||
| 096 20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20 Internet-Draft | ||||
| 112 6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73 or RFC and any s | ||||
| 128 74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69 tatement made wi | ||||
| 144 74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74 thin the context | ||||
| 160 20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69 of an IETF acti | ||||
| 176 76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72 vity is consider | ||||
| 192 65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74 ed an "IETF Cont | ||||
| 208 72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20 ribution". Such | ||||
| 224 73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75 statements inclu | ||||
| 240 64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e de oral statemen | ||||
| 256 74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69 ts in IETF sessi | ||||
| 272 6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20 ons, as well as | ||||
| 288 77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63 written and elec | ||||
| 304 74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61 tronic communica | ||||
| 320 74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e tions made at an | ||||
| 336 79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c y time or place, | ||||
| 352 20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65 which are addre | ||||
| 368 73 73 65 64 20 74 6f ssed to | ||||
| Ciphertext: | ||||
| 000 a3 fb f0 7d f3 fa 2f de 4f 37 6c a2 3e 82 73 70 ...}../.O7l.>.sp | ||||
| 016 41 60 5d 9f 4f 4f 57 bd 8c ff 2c 1d 4b 79 55 ec A`].OOW...,.KyU. | ||||
| 032 2a 97 94 8b d3 72 29 15 c8 f3 d3 37 f7 d3 70 05 *....r)....7..p. | ||||
| 048 0e 9e 96 d6 47 b7 c3 9f 56 e0 31 ca 5e b6 25 0d ....G...V.1.^.%. | ||||
| 064 40 42 e0 27 85 ec ec fa 4b 4b b5 e8 ea d0 44 0e @B.'....KK....D. | ||||
| 080 20 b6 e8 db 09 d8 81 a7 c6 13 2f 42 0e 52 79 50 ........./B.RyP | ||||
| 096 42 bd fa 77 73 d8 a9 05 14 47 b3 29 1c e1 41 1c B..ws....G.)..A. | ||||
| 112 68 04 65 55 2a a6 c4 05 b7 76 4d 5e 87 be a8 5a h.eU*....vM^...Z | ||||
| 128 d0 0f 84 49 ed 8f 72 d0 d6 62 ab 05 26 91 ca 66 ...I..r..b..&..f | ||||
| 144 42 4b c8 6d 2d f8 0e a4 1f 43 ab f9 37 d3 25 9d BK.m-....C..7.%. | ||||
| 160 c4 b2 d0 df b4 8a 6c 91 39 dd d7 f7 69 66 e9 28 ......l.9...if.( | ||||
| 176 e6 35 55 3b a7 6c 5c 87 9d 7b 35 d4 9e b2 e6 2b .5U;.l\..{5....+ | ||||
| 192 08 71 cd ac 63 89 39 e2 5e 8a 1e 0e f9 d5 28 0f .q..c.9.^.....(. | ||||
| 208 a8 ca 32 8b 35 1c 3c 76 59 89 cb cf 3d aa 8b 6c ..2.5.<vY...=..l | ||||
| 224 cc 3a af 9f 39 79 c9 2b 37 20 fc 88 dc 95 ed 84 .:..9y.+7 ...... | ||||
| 240 a1 be 05 9c 64 99 b9 fd a2 36 e7 e8 18 b0 4b 0b ....d....6....K. | ||||
| 256 c3 9c 1e 87 6b 19 3b fe 55 69 75 3f 88 12 8c c0 ....k.;.Uiu?.... | ||||
| 272 8a aa 9b 63 d1 a1 6f 80 ef 25 54 d7 18 9c 41 1f ...c..o..%T...A. | ||||
| 288 58 69 ca 52 c5 b8 3f a3 6f f2 16 b9 c1 d3 00 62 Xi.R..?.o......b | ||||
| 304 be bc fd 2d c5 bc e0 91 19 34 fd a7 9a 86 f6 e6 ...-.....4...... | ||||
| 320 98 ce d7 59 c3 ff 9b 64 77 33 8f 3d a4 f9 cd 85 ...Y...dw3.=.... | ||||
| 336 14 ea 99 82 cc af b3 41 b2 38 4d d9 02 f3 d1 ab .......A.8M..... | ||||
| 352 7a c6 1d d2 9c 6f 21 ba 5b 86 2f 37 30 e3 7c fd z....o!.[./70.|. | ||||
| 368 c4 fd 80 6c 22 f2 21 ...l".! | ||||
| Test Vector #3: | ||||
| ============== | ||||
| Key: | ||||
| 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... | ||||
| 016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. | ||||
| Nonce: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ | ||||
| Initial Block Counter = 42 | ||||
| Plaintext: | ||||
| 000 27 54 77 61 73 20 62 72 69 6c 6c 69 67 2c 20 61 'Twas brillig, a | ||||
| 016 6e 64 20 74 68 65 20 73 6c 69 74 68 79 20 74 6f nd the slithy to | ||||
| 032 76 65 73 0a 44 69 64 20 67 79 72 65 20 61 6e 64 ves.Did gyre and | ||||
| 048 20 67 69 6d 62 6c 65 20 69 6e 20 74 68 65 20 77 gimble in the w | ||||
| 064 61 62 65 3a 0a 41 6c 6c 20 6d 69 6d 73 79 20 77 abe:.All mimsy w | ||||
| 080 65 72 65 20 74 68 65 20 62 6f 72 6f 67 6f 76 65 ere the borogove | ||||
| 096 73 2c 0a 41 6e 64 20 74 68 65 20 6d 6f 6d 65 20 s,.And the mome | ||||
| 112 72 61 74 68 73 20 6f 75 74 67 72 61 62 65 2e raths outgrabe. | ||||
| Ciphertext: | ||||
| 000 62 e6 34 7f 95 ed 87 a4 5f fa e7 42 6f 27 a1 df b.4...._..Bo'.. | ||||
| 016 5f b6 91 10 04 4c 0d 73 11 8e ff a9 5b 01 e5 cf _....L.s....[... | ||||
| 032 16 6d 3d f2 d7 21 ca f9 b2 1e 5f b1 4c 61 68 71 .m=..!...._.Lahq | ||||
| 048 fd 84 c5 4f 9d 65 b2 83 19 6c 7f e4 f6 05 53 eb ...O.e...l...S. | ||||
| 064 f3 9c 64 02 c4 22 34 e3 2a 35 6b 3e 76 43 12 a6 ..d.."4.*5k>vC.. | ||||
| 080 1a 55 32 05 57 16 ea d6 96 25 68 f8 7d 3f 3f 77 .U2.W....%h.}??w | ||||
| 096 04 c6 a8 d1 bc d1 bf 4d 50 d6 15 4b 6d a7 31 b1 .......MP..Km.1. | ||||
| 112 87 b5 8d fd 72 8a fa 36 75 7a 79 7a c1 88 d1 ....r..6uzyz... | ||||
| A.3. Poly1305 Message Authentication Code | ||||
| Notice how in test vector #2 r is equal to zero. The part of the | ||||
| Poly1305 algorithm where the accumulator is multiplied by r means | ||||
| that with r equal to zero, the tag will be equal to s regardless of | ||||
| the content of the Text. Fortunately, all the proposed methods of | ||||
| generating r are such that getting this particular weak key is very | ||||
| unlikely. | ||||
| Test Vector #1: | ||||
| ============== | ||||
| One-time Poly1305 Key: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| Text to MAC: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 032 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 048 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| Tag: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| Test Vector #2: | ||||
| ============== | ||||
| One-time Poly1305 Key: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e 6.....`p...."z.> | ||||
| Text to MAC: | ||||
| 000 41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74 Any submission t | ||||
| 016 6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e o the IETF inten | ||||
| 032 64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72 ded by the Contr | ||||
| 048 69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69 ibutor for publi | ||||
| 064 63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72 cation as all or | ||||
| 080 20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46 part of an IETF | ||||
| 096 20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20 Internet-Draft | ||||
| 112 6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73 or RFC and any s | ||||
| 128 74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69 tatement made wi | ||||
| 144 74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74 thin the context | ||||
| 160 20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69 of an IETF acti | ||||
| 176 76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72 vity is consider | ||||
| 192 65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74 ed an "IETF Cont | ||||
| 208 72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20 ribution". Such | ||||
| 224 73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75 statements inclu | ||||
| 240 64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e de oral statemen | ||||
| 256 74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69 ts in IETF sessi | ||||
| 272 6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20 ons, as well as | ||||
| 288 77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63 written and elec | ||||
| 304 74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61 tronic communica | ||||
| 320 74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e tions made at an | ||||
| 336 79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c y time or place, | ||||
| 352 20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65 which are addre | ||||
| 368 73 73 65 64 20 74 6f ssed to | ||||
| Tag: | ||||
| 000 36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e 6.....`p...."z.> | ||||
| Test Vector #3: | ||||
| ============== | ||||
| One-time Poly1305 Key: | ||||
| 000 36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e 6.....`p...."z.> | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| Text to MAC: | ||||
| 000 41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74 Any submission t | ||||
| 016 6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e o the IETF inten | ||||
| 032 64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72 ded by the Contr | ||||
| 048 69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69 ibutor for publi | ||||
| 064 63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72 cation as all or | ||||
| 080 20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46 part of an IETF | ||||
| 096 20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20 Internet-Draft | ||||
| 112 6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73 or RFC and any s | ||||
| 128 74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69 tatement made wi | ||||
| 144 74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74 thin the context | ||||
| 160 20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69 of an IETF acti | ||||
| 176 76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72 vity is consider | ||||
| 192 65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74 ed an "IETF Cont | ||||
| 208 72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20 ribution". Such | ||||
| 224 73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75 statements inclu | ||||
| 240 64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e de oral statemen | ||||
| 256 74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69 ts in IETF sessi | ||||
| 272 6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20 ons, as well as | ||||
| 288 77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63 written and elec | ||||
| 304 74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61 tronic communica | ||||
| 320 74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e tions made at an | ||||
| 336 79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c y time or place, | ||||
| 352 20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65 which are addre | ||||
| 368 73 73 65 64 20 74 6f ssed to | ||||
| Tag: | ||||
| 000 f3 47 7e 7c d9 54 17 af 89 a6 b8 79 4c 31 0c f0 .G~|.T.....yL1.. | ||||
| Test Vector #4: | ||||
| ============== | ||||
| One-time Poly1305 Key: | ||||
| 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... | ||||
| 016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. | ||||
| Text to MAC: | ||||
| 000 27 54 77 61 73 20 62 72 69 6c 6c 69 67 2c 20 61 'Twas brillig, a | ||||
| 016 6e 64 20 74 68 65 20 73 6c 69 74 68 79 20 74 6f nd the slithy to | ||||
| 032 76 65 73 0a 44 69 64 20 67 79 72 65 20 61 6e 64 ves.Did gyre and | ||||
| 048 20 67 69 6d 62 6c 65 20 69 6e 20 74 68 65 20 77 gimble in the w | ||||
| 064 61 62 65 3a 0a 41 6c 6c 20 6d 69 6d 73 79 20 77 abe:.All mimsy w | ||||
| 080 65 72 65 20 74 68 65 20 62 6f 72 6f 67 6f 76 65 ere the borogove | ||||
| 096 73 2c 0a 41 6e 64 20 74 68 65 20 6d 6f 6d 65 20 s,.And the mome | ||||
| 112 72 61 74 68 73 20 6f 75 74 67 72 61 62 65 2e raths outgrabe. | ||||
| Tag: | ||||
| 000 45 41 66 9a 7e aa ee 61 e7 08 dc 7c bc c5 eb 62 EAf.~..a...|...b | ||||
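The Python below is an added example, my own code rather than anything from the draft, that implements Poly1305 as the draft specifies it (r clamped, each 16-byte chunk of the text read as a little-endian number with a 1 byte appended, accumulation modulo 2^130 - 5, then s added modulo 2^128) and recomputes the tags of test vectors #2, #3 and #4 above. The two message strings are transcribed from the hex dumps in this appendix; `poly1305_verify`, `check_appendix_a3` and the constant-time comparison are my additions and are not part of the draft.

```python
import hmac

P1305 = (1 << 130) - 5                             # the Poly1305 prime 2^130 - 5
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff       # clears the r bits the spec requires


def poly1305_mac(msg: bytes, key: bytes) -> bytes:
    """One-time authenticator: key = r (16 bytes) || s (16 bytes), both little-endian."""
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # Append a 0x01 byte (bit 128 for a full block, bit 8*len for a short
        # final block) and read the result as a little-endian number.
        n = int.from_bytes(block, "little") | (1 << (8 * len(block)))
        # With r == 0 this product is always 0: the text never reaches the tag,
        # which is the weak-key case the note on test vector #2 describes.
        acc = ((acc + n) * r) % P1305
    tag = (acc + s) & ((1 << 128) - 1)
    return tag.to_bytes(16, "little")


def poly1305_verify(msg: bytes, key: bytes, tag: bytes) -> bool:
    """Receiver-side check; compare tags in constant time, never with ==."""
    return hmac.compare_digest(poly1305_mac(msg, key), tag)


# Sample inputs transcribed from the hex dumps in A.3 above.
IETF_TEXT = (
    "Any submission to the IETF intended by the Contributor for publication "
    "as all or part of an IETF Internet-Draft or RFC and any statement made "
    "within the context of an IETF activity is considered an \"IETF "
    "Contribution\". Such statements include oral statements in IETF "
    "sessions, as well as written and electronic communications made at any "
    "time or place, which are addressed to"
).encode()
JABBERWOCKY = (
    "'Twas brillig, and the slithy toves\n"
    "Did gyre and gimble in the wabe:\n"
    "All mimsy were the borogoves,\n"
    "And the mome raths outgrabe."
).encode()

S_ONLY = bytes.fromhex("36e5f6b5c5e06070f0efca96227a863e")
KEY_TV4 = bytes.fromhex("1c9240a5eb55d38af333888604f6b5f0"
                        "473917c1402b80099dca5cbc207075c0")


def check_appendix_a3() -> dict:
    """Recompute the tags of A.3 test vectors #2, #3 and #4 and return them as hex."""
    results = {
        "tv2": poly1305_mac(IETF_TEXT, bytes(16) + S_ONLY).hex(),   # r = 0, s = S_ONLY
        "tv3": poly1305_mac(IETF_TEXT, S_ONLY + bytes(16)).hex(),   # r = S_ONLY, s = 0
        "tv4": poly1305_mac(JABBERWOCKY, KEY_TV4).hex(),
    }
    # Test vector #2: because r is zero the tag is exactly s.
    results["tv2_equals_s"] = results["tv2"] == S_ONLY.hex()
    return results


if __name__ == "__main__":
    for name, value in check_appendix_a3().items():
        print(name, value)
```

Running the block prints the three tags; `tv2` comes out as the s half of the key, which is the point the note above makes, and `tv3` shows that the same r with s = 0 does bind the text.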
| A.4. Poly1305 Key Generation Using ChaCha20 | ||||
| Test Vector #1: | ||||
| ============== | ||||
| The key: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| The nonce: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ | ||||
| Poly1305 one-time key: | ||||
| 000 76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28 v.....=.@]j.S..( | ||||
| 016 bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7 .........6...w.. | ||||
| Test Vector #2: | ||||
| ============== | ||||
| The key: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||||
| 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ | ||||
| The nonce: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ | ||||
| Poly1305 one-time key: | ||||
| 000 ec fa 25 4f 84 5f 64 74 73 d3 cb 14 0d a9 e8 76 ..%O._dts......v | ||||
| 016 06 cb 33 06 6c 44 7b 87 bc 26 66 dd e3 fb b7 39 ..3.lD{..&f....9 | ||||
| Test Vector #3: | ||||
| ============== | ||||
| The key: | ||||
| 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... | ||||
| 016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. | ||||
| The nonce: | ||||
| 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ | ||||
| Poly1305 one-time key: | ||||
| 000 96 5e 3b c6 f9 ec 7e d9 56 08 08 f4 d2 29 f9 4b .^;...~.V....).K | ||||
| 016 13 7f f2 75 ca 9b 3f cb dd 59 de aa d2 33 10 ae ..u..?..Y...3.. | ||||
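The Python below is an added example, my own code and not the draft's, covering the three ChaCha20-based items in this appendix with one block function: the block function of A.1, the stream cipher of A.2 (the block counter advances by one per 64-byte block and the keystream is XORed into the plaintext) and the Poly1305 one-time key derivation of A.4 (block counter 0, first 32 bytes of the block). It recomputes test vectors #1 and #2 of A.1, #3 of A.2 and #2 and #3 of A.4. The function names, the `check_appendix_a1_a2_a4` helper and the transcribed sample inputs are mine.

```python
import struct

CONSTANTS = (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574)  # "expand 32-byte k"
MASK32 = 0xffffffff


def _rotl32(v: int, n: int) -> int:
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(x: list, a: int, b: int, c: int, d: int) -> None:
    """ChaCha quarter round, applied in place to four words of the state."""
    x[a] = (x[a] + x[b]) & MASK32; x[d] = _rotl32(x[d] ^ x[a], 16)
    x[c] = (x[c] + x[d]) & MASK32; x[b] = _rotl32(x[b] ^ x[c], 12)
    x[a] = (x[a] + x[b]) & MASK32; x[d] = _rotl32(x[d] ^ x[a], 8)
    x[c] = (x[c] + x[d]) & MASK32; x[b] = _rotl32(x[b] ^ x[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block from a 256-bit key, 32-bit counter and 96-bit nonce."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = (list(CONSTANTS) + list(struct.unpack("<8I", key))
             + [counter & MASK32] + list(struct.unpack("<3I", nonce)))
    x = state[:]
    for _ in range(10):                      # 10 double rounds = 20 rounds
        _quarter_round(x, 0, 4, 8, 12)       # column rounds
        _quarter_round(x, 1, 5, 9, 13)
        _quarter_round(x, 2, 6, 10, 14)
        _quarter_round(x, 3, 7, 11, 15)
        _quarter_round(x, 0, 5, 10, 15)      # diagonal rounds
        _quarter_round(x, 1, 6, 11, 12)
        _quarter_round(x, 2, 7, 8, 13)
        _quarter_round(x, 3, 4, 9, 14)
    # Add the initial state back in and serialise the 16 words little-endian.
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_encrypt(key: bytes, counter: int, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the text with consecutive keystream blocks; decryption is the same call."""
    out = bytearray()
    for j in range(0, len(plaintext), 64):
        keystream = chacha20_block(key, counter + j // 64, nonce)
        out += bytes(p ^ k for p, k in zip(plaintext[j:j + 64], keystream))
    return bytes(out)


def poly1305_key_gen(key: bytes, nonce: bytes) -> bytes:
    """A.4: the one-time Poly1305 key is the first 32 bytes of block 0 for this key and nonce."""
    return chacha20_block(key, 0, nonce)[:32]


# Sample inputs transcribed from the hex dumps in A.2 and A.4 above.
JABBERWOCKY = (
    "'Twas brillig, and the slithy toves\n"
    "Did gyre and gimble in the wabe:\n"
    "All mimsy were the borogoves,\n"
    "And the mome raths outgrabe."
).encode()
KEY_TV3 = bytes.fromhex("1c9240a5eb55d38af333888604f6b5f0"
                        "473917c1402b80099dca5cbc207075c0")
KEY_LAST_BYTE_1 = bytes(31) + b"\x01"
NONCE_LAST_BYTE_2 = bytes(11) + b"\x02"


def check_appendix_a1_a2_a4() -> dict:
    """Recompute A.1 #1/#2, A.2 #3 and A.4 #2/#3 and return the results as hex."""
    return {
        "a1_tv1": chacha20_block(bytes(32), 0, bytes(12)).hex(),
        "a1_tv2": chacha20_block(bytes(32), 1, bytes(12)).hex(),
        "a2_tv3": chacha20_encrypt(KEY_TV3, 42, NONCE_LAST_BYTE_2, JABBERWOCKY).hex(),
        "a4_tv2": poly1305_key_gen(KEY_LAST_BYTE_1, NONCE_LAST_BYTE_2).hex(),
        "a4_tv3": poly1305_key_gen(KEY_TV3, NONCE_LAST_BYTE_2).hex(),
    }


if __name__ == "__main__":
    for name, value in check_appendix_a1_a2_a4().items():
        print(name, value)
```

Note that the one-time key in A.4 is taken from block 0 of the same key and nonce that the cipher then uses from block 1 onwards; reusing block 0 for data would hand the keystream that protects the Poly1305 key to anyone who knows the plaintext of that block.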
| Authors' Addresses | Authors' Addresses | |||
| Yoav Nir | Yoav Nir | |||
| Check Point Software Technologies Ltd. | Check Point Software Technologies Ltd. | |||
| 5 Hasolelim st. | 5 Hasolelim st. | |||
| Tel Aviv 6789735 | Tel Aviv 6789735 | |||
| Israel | Israel | |||
| Email: ynir.ietf@gmail.com | Email: ynir.ietf@gmail.com | |||