| draft-nir-cfrg-chacha20-poly1305-03.txt | draft-nir-cfrg-chacha20-poly1305-04.txt | |||
|---|---|---|---|---|
| Network Working Group Y. Nir | Network Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Informational A. Langley | Intended status: Informational A. Langley | |||
| Expires: November 8, 2014 Google Inc | Expires: November 22, 2014 Google Inc | |||
| May 7, 2014 | May 21, 2014 | |||
| ChaCha20 and Poly1305 for IETF protocols | ChaCha20 and Poly1305 for IETF protocols | |||
| draft-nir-cfrg-chacha20-poly1305-03 | draft-nir-cfrg-chacha20-poly1305-04 | |||
| Abstract | Abstract | |||
| This document defines the ChaCha20 stream cipher, as well as the use | This document defines the ChaCha20 stream cipher, as well as the use | |||
| of the Poly1305 authenticator, both as stand-alone algorithms, and as | of the Poly1305 authenticator, both as stand-alone algorithms, and as | |||
| a "combined mode", or Authenticated Encryption with Additional Data | a "combined mode", or Authenticated Encryption with Additional Data | |||
| (AEAD) algorithm. | (AEAD) algorithm. | |||
| This document does not introduce any new crypto, but is meant to | This document does not introduce any new crypto, but is meant to | |||
| serve as a stable reference and an implementation guide. | serve as a stable reference and an implementation guide. | |||
| skipping to change at page 1, line 37 ¶ | skipping to change at page 1, line 37 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 8, 2014. | This Internet-Draft will expire on November 22, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 28 ¶ | skipping to change at page 2, line 28 ¶ | |||
| 2.4.1. Example and Test Vector for the ChaCha20 Cipher . . . 9 | 2.4.1. Example and Test Vector for the ChaCha20 Cipher . . . 9 | |||
| 2.5. The Poly1305 algorithm . . . . . . . . . . . . . . . . . . 11 | 2.5. The Poly1305 algorithm . . . . . . . . . . . . . . . . . . 11 | |||
| 2.5.1. Poly1305 Example and Test Vector . . . . . . . . . . . 12 | 2.5.1. Poly1305 Example and Test Vector . . . . . . . . . . . 12 | |||
| 2.6. Generating the Poly1305 key using ChaCha20 . . . . . . . . 14 | 2.6. Generating the Poly1305 key using ChaCha20 . . . . . . . . 14 | |||
| 2.6.1. Poly1305 Key Generation Test Vector . . . . . . . . . 14 | 2.6.1. Poly1305 Key Generation Test Vector . . . . . . . . . 14 | |||
| 2.7. A Pseudo-Random Function for ChaCha/Poly-1305 based | 2.7. A Pseudo-Random Function for ChaCha/Poly-1305 based | |||
| Crypto Suites . . . . . . . . . . . . . . . . . . . . . . 15 | Crypto Suites . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 2.8. AEAD Construction . . . . . . . . . . . . . . . . . . . . 16 | 2.8. AEAD Construction . . . . . . . . . . . . . . . . . . . . 16 | |||
| 2.8.1. Example and Test Vector for AEAD_CHACHA20-POLY1305 . . 17 | 2.8.1. Example and Test Vector for AEAD_CHACHA20-POLY1305 . . 17 | |||
| 3. Implementation Advice . . . . . . . . . . . . . . . . . . . . 19 | 3. Implementation Advice . . . . . . . . . . . . . . . . . . . . 19 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 20 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 21 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 21 | 7.1. Normative References . . . . . . . . . . . . . . . . . . . 21 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 21 | 7.2. Informative References . . . . . . . . . . . . . . . . . . 21 | |||
| Appendix A. Additional Test Vectors . . . . . . . . . . . . . . . 22 | Appendix A. Additional Test Vectors . . . . . . . . . . . . . . . 22 | |||
| A.1. The ChaCha20 Block Functions . . . . . . . . . . . . . . . 22 | A.1. The ChaCha20 Block Functions . . . . . . . . . . . . . . . 22 | |||
| A.2. ChaCha20 Encryption . . . . . . . . . . . . . . . . . . . 25 | A.2. ChaCha20 Encryption . . . . . . . . . . . . . . . . . . . 25 | |||
| A.3. Poly1305 Message Authentication Code . . . . . . . . . . . 28 | A.3. Poly1305 Message Authentication Code . . . . . . . . . . . 28 | |||
| A.4. Poly1305 Key Generation Using ChaCha20 . . . . . . . . . . 32 | A.4. Poly1305 Key Generation Using ChaCha20 . . . . . . . . . . 32 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33 | A.5. ChaCha20-Poly1305 AEAD Decryption . . . . . . . . . . . . 33 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 36 | ||||
| 1. Introduction | 1. Introduction | |||
| The Advanced Encryption Standard (AES - [FIPS-197]) has become the | The Advanced Encryption Standard (AES - [FIPS-197]) has become the | |||
| gold standard in encryption. Its efficient design, wide | gold standard in encryption. Its efficient design, wide | |||
| implementation, and hardware support allow for high performance in | implementation, and hardware support allow for high performance in | |||
| many areas. On most modern platforms, AES is anywhere from 4x to 10x | many areas. On most modern platforms, AES is anywhere from 4x to 10x | |||
| as fast as the previous most-used cipher, 3-key Data Encryption | as fast as the previous most-used cipher, 3-key Data Encryption | |||
| Standard (3DES - [FIPS-46]), which makes it not only the best choice, | Standard (3DES - [FIPS-46]), which makes it not only the best choice, | |||
| but the only practical choice. | but the only practical choice. | |||
| skipping to change at page 7, line 19 ¶ | skipping to change at page 7, line 19 ¶ | |||
| cccccccc cccccccc cccccccc cccccccc | cccccccc cccccccc cccccccc cccccccc | |||
| kkkkkkkk kkkkkkkk kkkkkkkk kkkkkkkk | kkkkkkkk kkkkkkkk kkkkkkkk kkkkkkkk | |||
| kkkkkkkk kkkkkkkk kkkkkkkk kkkkkkkk | kkkkkkkk kkkkkkkk kkkkkkkk kkkkkkkk | |||
| bbbbbbbb nnnnnnnn nnnnnnnn nnnnnnnn | bbbbbbbb nnnnnnnn nnnnnnnn nnnnnnnn | |||
| c=constant k=key b=blockcount n=nonce | c=constant k=key b=blockcount n=nonce | |||
| ChaCha20 runs 20 rounds, alternating between "column" and "diagonal" | ChaCha20 runs 20 rounds, alternating between "column" and "diagonal" | |||
| rounds. Each round is 4 quarter-rounds, and they are run as follows. | rounds. Each round is 4 quarter-rounds, and they are run as follows. | |||
| Rounds 1-4 are part of the "column" round, while 5-8 are part of the | Quarter-rounds 1-4 are part of a "column" round, while 5-8 are part | |||
| "diagonal" round: | of a "diagonal" round: | |||
| 1. QUARTERROUND ( 0, 4, 8,12) | 1. QUARTERROUND ( 0, 4, 8,12) | |||
| 2. QUARTERROUND ( 1, 5, 9,13) | 2. QUARTERROUND ( 1, 5, 9,13) | |||
| 3. QUARTERROUND ( 2, 6,10,14) | 3. QUARTERROUND ( 2, 6,10,14) | |||
| 4. QUARTERROUND ( 3, 7,11,15) | 4. QUARTERROUND ( 3, 7,11,15) | |||
| 5. QUARTERROUND ( 0, 5,10,15) | 5. QUARTERROUND ( 0, 5,10,15) | |||
| 6. QUARTERROUND ( 1, 6,11,12) | 6. QUARTERROUND ( 1, 6,11,12) | |||
| 7. QUARTERROUND ( 2, 7, 8,13) | 7. QUARTERROUND ( 2, 7, 8,13) | |||
| 8. QUARTERROUND ( 3, 4, 9,14) | 8. QUARTERROUND ( 3, 4, 9,14) | |||
| At the end of 20 rounds, the original input words are added to the | At the end of 20 rounds, the original input words are added to the | |||
| skipping to change at page 9, line 33 ¶ | skipping to change at page 9, line 33 ¶ | |||
| block function: | block function: | |||
| o Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13: | o Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13: | |||
| 14:15:16:17:18:19:1a:1b:1c:1d:1e:1f. | 14:15:16:17:18:19:1a:1b:1c:1d:1e:1f. | |||
| o Nonce = (00:00:00:00:00:00:00:4a:00:00:00:00). | o Nonce = (00:00:00:00:00:00:00:4a:00:00:00:00). | |||
| o Initial Counter = 1. | o Initial Counter = 1. | |||
| We use the following for the plaintext. It was chosen to be long | We use the following for the plaintext. It was chosen to be long | |||
| enough to require more than one block, but not so long that it would | enough to require more than one block, but not so long that it would | |||
| make this example cumbersome (so, less than 3 blocks): | make this example cumbersome (so, less than 3 blocks): | |||
| Plaintext Sunscreen: | Plaintext Sunscreen: | |||
| 000 4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c|Ladies and Gentl | 000 4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c Ladies and Gentl | |||
| 016 65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73|emen of the clas | 016 65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73 emen of the clas | |||
| 032 73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63|s of '99: If I c | 032 73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63 s of '99: If I c | |||
| 048 6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f|ould offer you o | 048 6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f ould offer you o | |||
| 064 6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20|nly one tip for | 064 6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20 nly one tip for | |||
| 080 74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73|the future, suns | 080 74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73 the future, suns | |||
| 096 63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69|creen would be i | 096 63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69 creen would be i | |||
| 112 74 2e |t. | 112 74 2e t. | |||
| The following figure shows 4 ChaCha state matrices: | The following figure shows 4 ChaCha state matrices: | |||
| 1. First block as it is set up. | 1. First block as it is set up. | |||
| 2. Second block as it is set up. Note that these blocks are only | 2. Second block as it is set up. Note that these blocks are only | |||
| two bits apart - only the counter in position 12 is different. | two bits apart - only the counter in position 12 is different. | |||
| 3. Third block is the first block after the ChaCha20 block | 3. Third block is the first block after the ChaCha20 block | |||
| operation. | operation. | |||
| 4. Final block is the second block after the ChaCha20 block | 4. Final block is the second block after the ChaCha20 block | |||
| operation was applied. | operation was applied. | |||
| After that, we show the keystream. | After that, we show the keystream. | |||
| skipping to change at page 10, line 39 ¶ | skipping to change at page 10, line 39 ¶ | |||
| Keystream: | Keystream: | |||
| 22:4f:51:f3:40:1b:d9:e1:2f:de:27:6f:b8:63:1d:ed:8c:13:1f:82:3d:2c:06 | 22:4f:51:f3:40:1b:d9:e1:2f:de:27:6f:b8:63:1d:ed:8c:13:1f:82:3d:2c:06 | |||
| e2:7e:4f:ca:ec:9e:f3:cf:78:8a:3b:0a:a3:72:60:0a:92:b5:79:74:cd:ed:2b | e2:7e:4f:ca:ec:9e:f3:cf:78:8a:3b:0a:a3:72:60:0a:92:b5:79:74:cd:ed:2b | |||
| 93:34:79:4c:ba:40:c6:3e:34:cd:ea:21:2c:4c:f0:7d:41:b7:69:a6:74:9f:3f | 93:34:79:4c:ba:40:c6:3e:34:cd:ea:21:2c:4c:f0:7d:41:b7:69:a6:74:9f:3f | |||
| 63:0f:41:22:ca:fe:28:ec:4d:c4:7e:26:d4:34:6d:70:b9:8c:73:f3:e9:c5:3a | 63:0f:41:22:ca:fe:28:ec:4d:c4:7e:26:d4:34:6d:70:b9:8c:73:f3:e9:c5:3a | |||
| c4:0c:59:45:39:8b:6e:da:1a:83:2c:89:c1:67:ea:cd:90:1d:7e:2b:f3:63 | c4:0c:59:45:39:8b:6e:da:1a:83:2c:89:c1:67:ea:cd:90:1d:7e:2b:f3:63 | |||
| Finally, we XOR the Keystream with the plaintext, yielding the | Finally, we XOR the Keystream with the plaintext, yielding the | |||
| Ciphertext: | Ciphertext: | |||
| Ciphertext Sunscreen: | Ciphertext Sunscreen: | |||
| 000 6e 2e 35 9a 25 68 f9 80 41 ba 07 28 dd 0d 69 81|n.5.%h..A..(..i. | 000 6e 2e 35 9a 25 68 f9 80 41 ba 07 28 dd 0d 69 81 n.5.%h..A..(..i. | |||
| 016 e9 7e 7a ec 1d 43 60 c2 0a 27 af cc fd 9f ae 0b|.~z..C`..'...... | 016 e9 7e 7a ec 1d 43 60 c2 0a 27 af cc fd 9f ae 0b .~z..C`..'...... | |||
| 032 f9 1b 65 c5 52 47 33 ab 8f 59 3d ab cd 62 b3 57|..e.RG3..Y=..b.W | 032 f9 1b 65 c5 52 47 33 ab 8f 59 3d ab cd 62 b3 57 ..e.RG3..Y=..b.W | |||
| 048 16 39 d6 24 e6 51 52 ab 8f 53 0c 35 9f 08 61 d8|.9.$.QR..S.5..a. | 048 16 39 d6 24 e6 51 52 ab 8f 53 0c 35 9f 08 61 d8 .9.$.QR..S.5..a. | |||
| 064 07 ca 0d bf 50 0d 6a 61 56 a3 8e 08 8a 22 b6 5e|....P.jaV....".^ | 064 07 ca 0d bf 50 0d 6a 61 56 a3 8e 08 8a 22 b6 5e ....P.jaV....".^ | |||
| 080 52 bc 51 4d 16 cc f8 06 81 8c e9 1a b7 79 37 36|R.QM.........y76 | 080 52 bc 51 4d 16 cc f8 06 81 8c e9 1a b7 79 37 36 R.QM.........y76 | |||
| 096 5a f9 0b bf 74 a3 5b e6 b4 0b 8e ed f2 78 5e 42|Z...t.[......x^B | 096 5a f9 0b bf 74 a3 5b e6 b4 0b 8e ed f2 78 5e 42 Z...t.[......x^B | |||
| 112 87 4d |.M | 112 87 4d .M | |||
| 2.5. The Poly1305 algorithm | 2.5. The Poly1305 algorithm | |||
| Poly1305 is a one-time authenticator designed by D. J. Bernstein. | Poly1305 is a one-time authenticator designed by D. J. Bernstein. | |||
| Poly1305 takes a 32-byte one-time key and a message and produces a | Poly1305 takes a 32-byte one-time key and a message and produces a | |||
| 16-byte tag. | 16-byte tag. | |||
| The original article ([poly1305]) is entitled "The Poly1305-AES | The original article ([poly1305]) is entitled "The Poly1305-AES | |||
| message-authentication code", and the MAC function there requires a | message-authentication code", and the MAC function there requires a | |||
| 128-bit AES key, a 128-bit "additional key", and a 128-bit (non- | 128-bit AES key, a 128-bit "additional key", and a 128-bit (non- | |||
| skipping to change at page 13, line 5 ¶ | skipping to change at page 13, line 5 ¶ | |||
| o Key Material: 85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8:01: | o Key Material: 85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8:01: | |||
| 03:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49:f5:1b | 03:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49:f5:1b | |||
| o s as an octet string: 01:03:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49: | o s as an octet string: 01:03:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49: | |||
| f5:1b | f5:1b | |||
| o s as a 128-bit number: 1bf54941aff6bf4afdb20dfb8a800301 | o s as a 128-bit number: 1bf54941aff6bf4afdb20dfb8a800301 | |||
| o r before clamping: 85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8 | o r before clamping: 85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8 | |||
| o Clamped r as a number: 806d5400e52447c036d555408bed685. | o Clamped r as a number: 806d5400e52447c036d555408bed685. | |||
| For our message, we'll use a short text: | For our message, we'll use a short text: | |||
| Message to be Authenticated: | Message to be Authenticated: | |||
| 000 43 72 79 70 74 6f 67 72 61 70 68 69 63 20 46 6f|Cryptographic Fo | 000 43 72 79 70 74 6f 67 72 61 70 68 69 63 20 46 6f Cryptographic Fo | |||
| 016 72 75 6d 20 52 65 73 65 61 72 63 68 20 47 72 6f|rum Research Gro | 016 72 75 6d 20 52 65 73 65 61 72 63 68 20 47 72 6f rum Research Gro | |||
| 032 75 70 |up | 032 75 70 up | |||
| Since Poly1305 works in 16-byte chunks, the 34-byte message divides | Since Poly1305 works in 16-byte chunks, the 34-byte message divides | |||
| into 3 blocks. In the following calculation, "Acc" denotes the | into 3 blocks. In the following calculation, "Acc" denotes the | |||
| accumulator and "Block" the current block: | accumulator and "Block" the current block: | |||
| Block #1 | Block #1 | |||
| Acc = 00 | Acc = 00 | |||
| Block = 6f4620636968706172676f7470797243 | Block = 6f4620636968706172676f7470797243 | |||
| Block with 0x01 byte = 016f4620636968706172676f7470797243 | Block with 0x01 byte = 016f4620636968706172676f7470797243 | |||
| skipping to change at page 16, line 7 ¶ | skipping to change at page 16, line 7 ¶ | |||
| Chacha20 could be used as a key-derivation function, by generating an | Chacha20 could be used as a key-derivation function, by generating an | |||
| arbitrarily long keystream. However, that is not what protocols such | arbitrarily long keystream. However, that is not what protocols such | |||
| as IKEv2 require. | as IKEv2 require. | |||
| For this reason, this document does not specify a PRF, and recommends | For this reason, this document does not specify a PRF, and recommends | |||
| that crypto suites use some other PRF such as PRF_HMAC_SHA2_256 | that crypto suites use some other PRF such as PRF_HMAC_SHA2_256 | |||
| (section 2.1.2 of [RFC4868]) | (section 2.1.2 of [RFC4868]) | |||
| 2.8. AEAD Construction | 2.8. AEAD Construction | |||
| Note: Much of the content of this document, including this AEAD | ||||
| construction is taken from Adam Langley's draft ([agl-draft]) for the | ||||
| use of these algorithms in TLS. The AEAD construction described here | ||||
| is called AEAD_CHACHA20-POLY1305. | ||||
| AEAD_CHACHA20-POLY1305 is an authenticated encryption with additional | AEAD_CHACHA20-POLY1305 is an authenticated encryption with additional | |||
| data algorithm. The inputs to AEAD_CHACHA20-POLY1305 are: | data algorithm. The inputs to AEAD_CHACHA20-POLY1305 are: | |||
| o A 256-bit key | o A 256-bit key | |||
| o A 96-bit nonce - different for each invocation with the same key. | o A 96-bit nonce - different for each invocation with the same key. | |||
| o An arbitrary length plaintext | o An arbitrary length plaintext | |||
| o Arbitrary length additional data | o Arbitrary length additional authenticated data (AAD) | |||
| The ChaCha20 and Poly1305 primitives are combined into an AEAD that | The ChaCha20 and Poly1305 primitives are combined into an AEAD that | |||
| takes a 256-bit key and 64-bit IV as follows: | takes a 256-bit key and 64-bit IV as follows: | |||
| o First the 96-bit nonce is constructed by prepending a 32-bit | o First the 96-bit nonce is constructed by prepending a 32-bit | |||
| constant value to the IV. This could be set to zero, or could be | constant value to the IV. This could be set to zero, or could be | |||
| derived from keying material, or could be assigned to a sender. | derived from keying material, or could be assigned to a sender. | |||
| It is up to the specific protocol to define the source for that | It is up to the specific protocol to define the source for that | |||
| 32-bit value. | 32-bit value. | |||
| o Next, a Poly1305 one-time key is generated from the 256-bit key | o Next, a Poly1305 one-time key is generated from the 256-bit key | |||
| and nonce using the procedure described in Section 2.6. | and nonce using the procedure described in Section 2.6. | |||
| o The ChaCha20 encryption function is called to encrypt the | o The ChaCha20 encryption function is called to encrypt the | |||
| plaintext, using the same key and nonce, and with the initial | plaintext, using the same key and nonce, and with the initial | |||
| counter set to 1. | counter set to 1. | |||
| o The Poly1305 function is called with the Poly1305 key calculated | o The Poly1305 function is called with the Poly1305 key calculated | |||
| above, and a message constructed as a concatenation of the | above, and a message constructed as a concatenation of the | |||
| following: | following: | |||
| * The additional data | * The AAD | |||
| * padding1 - the padding is up to 15 zero bytes, and it brings | ||||
| the total length so far to an integral multiple of 16. If the | ||||
| length of the AAD was already an integral multiple of 16 bytes, | ||||
| this field is zero-length, | ||||
| * The ciphertext | ||||
| * padding2 - the padding is up to 15 zero bytes, and it brings | ||||
| the total length so far to an integral multiple of 16. If the | ||||
| length of the ciphertext was already an integral multiple of 16 | ||||
| bytes, this field is zero-length, | ||||
| * The length of the additional data in octets (as a 64-bit | * The length of the additional data in octets (as a 64-bit | |||
| little-endian integer). TBD: bit count rather than octets? | little-endian integer). TBD: bit count rather than octets? | |||
| network order? | network order? | |||
| * The ciphertext | ||||
| * The length of the ciphertext in octets (as a 64-bit little- | * The length of the ciphertext in octets (as a 64-bit little- | |||
| endian integer). TBD: bit count rather than octets? network | endian integer). TBD: bit count rather than octets? network | |||
| order? | order? | |||
| Decryption is pretty much the same thing: the receiver derives the | Decryption is pretty much the same thing: the receiver derives the | |||
| same Poly1305 one-time key, computes the tag over the AAD and the | same Poly1305 one-time key, computes the tag over the AAD and the | |||
| received ciphertext, compares it with the received tag, and only | received ciphertext, compares it with the received tag, and only | |||
| if they match runs the same ChaCha20 call over the ciphertext. | if they match runs the same ChaCha20 call over the ciphertext. | |||
| The output from the AEAD is twofold: | The output from the AEAD is twofold: | |||
| o A ciphertext of the same length as the plaintext. | o A ciphertext of the same length as the plaintext. | |||
| o A 128-bit tag, which is the output of the Poly1305 function. | o A 128-bit tag, which is the output of the Poly1305 function. | |||
| A few notes about this design: | A few notes about this design: | |||
| 1. The amount of encrypted data possible in a single invocation is | 1. The amount of encrypted data possible in a single invocation is | |||
| 2^32-1 blocks of 64 bytes each, for a total of 274,877,906,880 | 2^32-1 blocks of 64 bytes each, because of the size of the block | |||
| bytes, or nearly 256 GB. This should be enough for traffic | counter field in the ChaCha20 block function. This gives a total | |||
| protocols such as IPsec and TLS, but may be too small for file | of 274,877,906,880 bytes, or nearly 256 GB. This should be | |||
| and/or disk encryption. For such uses, we can return to the | enough for traffic protocols such as IPsec and TLS, but may be | |||
| original design, reduce the nonce to 64 bits, and use the integer | too small for file and/or disk encryption. For such uses, we can | |||
| at position 13 as the top 32 bits of a 64-bit block counter, | return to the original design, reduce the nonce to 64 bits, and | |||
| increasing the total message size to over a million petabytes | use the integer at position 13 as the top 32 bits of a 64-bit | |||
| (1,180,591,620,717,411,303,360 bytes to be exact). | block counter, increasing the total message size to over a | |||
| million petabytes (1,180,591,620,717,411,303,360 bytes to be | ||||
| exact). | ||||
| 2. Despite the previous item, the ciphertext length field in the | 2. Despite the previous item, the ciphertext length field in the | |||
| construction of the buffer on which Poly1305 runs limits the | construction of the buffer on which Poly1305 runs limits the | |||
| ciphertext (and hence, the plaintext) size to 2^64 bytes, or | ciphertext (and hence, the plaintext) size to 2^64 bytes, or | |||
| sixteen thousand petabytes (18,446,744,073,709,551,616 bytes to | sixteen thousand petabytes (18,446,744,073,709,551,616 bytes to | |||
| be exact). | be exact). | |||
| 2.8.1. Example and Test Vector for AEAD_CHACHA20-POLY1305 | 2.8.1. Example and Test Vector for AEAD_CHACHA20-POLY1305 | |||
| For a test vector, we will use the following inputs to the | For a test vector, we will use the following inputs to the | |||
| AEAD_CHACHA20-POLY1305 function: | AEAD_CHACHA20-POLY1305 function: | |||
| Plaintext: | Plaintext: | |||
| 000 4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c|Ladies and Gentl | 000 4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c Ladies and Gentl | |||
| 016 65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73|emen of the clas | 016 65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73 emen of the clas | |||
| 032 73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63|s of '99: If I c | 032 73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63 s of '99: If I c | |||
| 048 6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f|ould offer you o | 048 6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f ould offer you o | |||
| 064 6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20|nly one tip for | 064 6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20 nly one tip for | |||
| 080 74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73|the future, suns | 080 74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73 the future, suns | |||
| 096 63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69|creen would be i | 096 63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69 creen would be i | |||
| 112 74 2e |t. | 112 74 2e t. | |||
| AAD: | AAD: | |||
| 000 50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7 PQRS........ | 000 50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7 PQRS........ | |||
| Key: | Key: | |||
| 000 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f|................ | 000 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f ................ | |||
| 016 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f|................ | 016 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f ................ | |||
| IV: | IV: | |||
| 000 40 41 42 43 44 45 46 47 @ABCDEFG | 000 40 41 42 43 44 45 46 47 @ABCDEFG | |||
| 32-bit fixed-common part: | 32-bit fixed-common part: | |||
| 000 07 00 00 00 .... | 000 07 00 00 00 .... | |||
| Set up for generating poly1305 one-time key (sender id=7): | Set up for generating poly1305 one-time key (sender id=7): | |||
| 61707865 3320646e 79622d32 6b206574 | 61707865 3320646e 79622d32 6b206574 | |||
| 83828180 87868584 8b8a8988 8f8e8d8c | 83828180 87868584 8b8a8988 8f8e8d8c | |||
| 93929190 97969594 9b9a9998 9f9e9d9c | 93929190 97969594 9b9a9998 9f9e9d9c | |||
| 00000000 00000007 43424140 47464544 | 00000000 00000007 43424140 47464544 | |||
| After generating Poly1305 one-time key: | After generating Poly1305 one-time key: | |||
| 252bac7b af47b42d 557ab609 8455e9a4 | 252bac7b af47b42d 557ab609 8455e9a4 | |||
| 73d6e10a ebd97510 7875932a ff53d53e | 73d6e10a ebd97510 7875932a ff53d53e | |||
| decc7ea2 b44ddbad e49c17d1 d8430bc9 | decc7ea2 b44ddbad e49c17d1 d8430bc9 | |||
| 8c94b7bc 8b7d4b4b 3927f67d 1669a432 | 8c94b7bc 8b7d4b4b 3927f67d 1669a432 | |||
| Poly1305 Key: | Poly1305 Key: | |||
| 000 7b ac 2b 25 2d b4 47 af 09 b6 7a 55 a4 e9 55 84|{.+%-.G...zU..U. | 000 7b ac 2b 25 2d b4 47 af 09 b6 7a 55 a4 e9 55 84 {.+%-.G...zU..U. | |||
| 016 0a e1 d6 73 10 75 d9 eb 2a 93 75 78 3e d5 53 ff|...s.u..*.ux>.S. | 016 0a e1 d6 73 10 75 d9 eb 2a 93 75 78 3e d5 53 ff ...s.u..*.ux>.S. | |||
| Poly1305 r = 455e9a4057ab6080f47b42c052bac7b | Poly1305 r = 455e9a4057ab6080f47b42c052bac7b | |||
| Poly1305 s = ff53d53e7875932aebd9751073d6e10a | Poly1305 s = ff53d53e7875932aebd9751073d6e10a | |||
| Keystream bytes: | Keystream bytes: | |||
| 9f:7b:e9:5d:01:fd:40:ba:15:e2:8f:fb:36:81:0a:ae: | 9f:7b:e9:5d:01:fd:40:ba:15:e2:8f:fb:36:81:0a:ae: | |||
| c1:c0:88:3f:09:01:6e:de:dd:8a:d0:87:55:82:03:a5: | c1:c0:88:3f:09:01:6e:de:dd:8a:d0:87:55:82:03:a5: | |||
| 4e:9e:cb:38:ac:8e:5e:2b:b8:da:b2:0f:fa:db:52:e8: | 4e:9e:cb:38:ac:8e:5e:2b:b8:da:b2:0f:fa:db:52:e8: | |||
| 75:04:b2:6e:be:69:6d:4f:60:a4:85:cf:11:b8:1b:59: | 75:04:b2:6e:be:69:6d:4f:60:a4:85:cf:11:b8:1b:59: | |||
| fc:b1:c4:5f:42:19:ee:ac:ec:6a:de:c3:4e:66:69:78: | fc:b1:c4:5f:42:19:ee:ac:ec:6a:de:c3:4e:66:69:78: | |||
| 8e:db:41:c4:9c:a3:01:e1:27:e0:ac:ab:3b:44:b9:cf: | 8e:db:41:c4:9c:a3:01:e1:27:e0:ac:ab:3b:44:b9:cf: | |||
| 5c:86:bb:95:e0:6b:0d:f2:90:1a:b6:45:e4:ab:e6:22: | 5c:86:bb:95:e0:6b:0d:f2:90:1a:b6:45:e4:ab:e6:22: | |||
| 15:38 | 15:38 | |||
| Ciphertext: | Ciphertext: | |||
| 000 d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2|...4d.`.{...S.~. | 000 d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2 ...4d.`.{...S.~. | |||
| 016 a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6|...Q)n......6.b. | 016 a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6 ...Q)n......6.b. | |||
| 032 3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b|=..^..g....i..r. | 032 3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b =..^..g....i..r. | |||
| 048 1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36|.q.....)....~.;6 | 048 1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36 .q.....)....~.;6 | |||
| 064 92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58|...-w......(..X | 064 92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58 ...-w......(..X | |||
| 080 fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc|..$...u.U...H1.. | 080 fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc ..$...u.U...H1.. | |||
| 096 3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b|?....Kz..v.e...K | 096 3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b ?....Kz..v.e...K | |||
| 112 61 16 |a. | 112 61 16 a. | |||
| AEAD Construction for Poly1305: | AEAD Construction for Poly1305: | |||
| 000 50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7 0c 00 00 00|PQRS............ | 000 50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7 00 00 00 00 PQRS............ | |||
| 016 00 00 00 00 d3 1a 8d 34 64 8e 60 db 7b 86 af bc|.......4d.`.{... | 016 d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2 ...4d.`.{...S.~. | |||
| 032 53 ef 7e c2 a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7|S.~....Q)n...... | 032 a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6 ...Q)n......6.b. | |||
| 048 36 ee 62 d6 3d be a4 5e 8c a9 67 12 82 fa fb 69|6.b.=..^..g....i | 048 3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b =..^..g....i..r. | |||
| 064 da 92 72 8b 1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6|..r..q.....).... | 064 1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36 .q.....)....~.;6 | |||
| 080 7e cd 3b 36 92 dd bd 7f 2d 77 8b 8c 98 03 ae e3|~.;6...-w...... | 080 92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58 ....-w......(..X | |||
| 096 28 09 1b 58 fa b3 24 e4 fa d6 75 94 55 85 80 8b|(..X..$...u.U... | 096 fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc ..$...u.U...H1.. | |||
| 112 48 31 d7 bc 3f f4 de f0 8e 4b 7a 9d e5 76 d2 65|H1..?....Kz..v.e | 112 3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b ?....Kz..v.e...K | |||
| 128 86 ce c6 4b 61 16 72 00 00 00 00 00 00 00 |...Ka.r....... | 128 61 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a............... | |||
| 144 0c 00 00 00 00 00 00 00 72 00 00 00 00 00 00 00 ........r....... | ||||
| Note the 4 zero bytes in line 000 and the 14 zero bytes in line 128. | ||||
| Tag: | Tag: | |||
| 18:fb:11:a5:03:1a:d1:3a:7e:3b:03:d4:6e:e3:a6:a7 | 1a:e1:0b:59:4f:09:e2:6a:7e:90:2e:cb:d0:60:06:91 | |||
| 3. Implementation Advice | 3. Implementation Advice | |||
| Each block of ChaCha20 involves 16 move operations and one increment | Each block of ChaCha20 involves 16 move operations and one increment | |||
| operation for loading the state, 80 each of XOR, addition and Roll | operation for loading the state, 80 each of XOR, addition and Roll | |||
| operations for the rounds, 16 more add operations and 16 XOR | operations for the rounds, 16 more add operations and 16 XOR | |||
| operations for protecting the plaintext. Section 2.3 describes the | operations for protecting the plaintext. Section 2.3 describes the | |||
| ChaCha block function as "adding the original input words". This | ChaCha block function as "adding the original input words". This | |||
| implies that before starting the rounds on the ChaCha state, it is | implies that before starting the rounds on the ChaCha state, it is | |||
| copied aside only to be added in later. This would be correct, but | copied aside only to be added in later. This would be correct, but | |||
| skipping to change at page 21, line 12 ¶ | skipping to change at page 21, line 16 ¶ | |||
| There are no IANA considerations for this document. | There are no IANA considerations for this document. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| ChaCha20 and Poly1305 were invented by Daniel J. Bernstein. The AEAD | ChaCha20 and Poly1305 were invented by Daniel J. Bernstein. The AEAD | |||
| construction and the method of creating the one-time poly1305 key | construction and the method of creating the one-time poly1305 key | |||
| were invented by Adam Langley. | were invented by Adam Langley. | |||
| Thanks to Robert Ransom and Ilari Liusvaara for their helpful | Thanks to Robert Ransom and Ilari Liusvaara for their helpful | |||
| comments and explanations. | comments and explanations. Thanks to Niels Moeller for suggesting a | |||
| more efficient AEAD construction. | ||||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [chacha] Bernstein, D., "ChaCha, a variant of Salsa20", Jan 2008. | [chacha] Bernstein, D., "ChaCha, a variant of Salsa20", Jan 2008. | |||
| skipping to change at page 22, line 9 ¶ | skipping to change at page 22, line 15 ¶ | |||
| [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA- | [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA- | |||
| 384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007. | 384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007. | |||
| [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | |||
| Encryption", RFC 5116, January 2008. | Encryption", RFC 5116, January 2008. | |||
| [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, | [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, | |||
| "Internet Key Exchange Protocol Version 2 (IKEv2)", | "Internet Key Exchange Protocol Version 2 (IKEv2)", | |||
| RFC 5996, September 2010. | RFC 5996, September 2010. | |||
| [agl-draft] | ||||
| Langley, A. and W. Chang, "ChaCha20 and Poly1305 based | ||||
| Cipher Suites for TLS", draft-agl-tls-chacha20poly1305-04 | ||||
| (work in progress), November 2013. | ||||
| [poly1305_donna] | [poly1305_donna] | |||
| Floodyberry, A., "Poly1305-donna", | Floodyberry, A., "Poly1305-donna", | |||
| <https://github.com/floodyberry/poly1305-donna>. | <https://github.com/floodyberry/poly1305-donna>. | |||
| [standby-cipher] | [standby-cipher] | |||
| McGrew, D., Grieco, A., and Y. Sheffer, "Selection of | McGrew, D., Grieco, A., and Y. Sheffer, "Selection of | |||
| Future Cryptographic Standards", | Future Cryptographic Standards", | |||
| draft-mcgrew-standby-cipher (work in progress). | draft-mcgrew-standby-cipher (work in progress). | |||
| Appendix A. Additional Test Vectors | Appendix A. Additional Test Vectors | |||
| skipping to change at page 33, line 33 ¶ | skipping to change at page 33, line 33 ¶ | |||
| 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... | 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... | |||
| 016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. | 016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. | |||
| The nonce: | The nonce: | |||
| 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ | 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ | |||
| Poly1305 one-time key: | Poly1305 one-time key: | |||
| 000 96 5e 3b c6 f9 ec 7e d9 56 08 08 f4 d2 29 f9 4b .^;...~.V....).K | 000 96 5e 3b c6 f9 ec 7e d9 56 08 08 f4 d2 29 f9 4b .^;...~.V....).K | |||
| 016 13 7f f2 75 ca 9b 3f cb dd 59 de aa d2 33 10 ae ..u..?..Y...3.. | 016 13 7f f2 75 ca 9b 3f cb dd 59 de aa d2 33 10 ae ..u..?..Y...3.. | |||
| A.5. ChaCha20-Poly1305 AEAD Decryption | ||||
| Below we walk through decrypting a message. We receive a ciphertext, a | ||||
| nonce, and a tag. We know the key. We will check the tag, and then | ||||
| (assuming that it validates) decrypt the ciphertext. In this | ||||
| particular protocol, we assume that there is no padding of the | ||||
| plaintext. | ||||
| The key: | ||||
| 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... | ||||
| 016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. | ||||
| Ciphertext: | ||||
| 000 64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd d...u...`.b...C. | ||||
| 016 5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2 ^.\.4\....g..l.. | ||||
| 032 4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0 Ll..u]C....N8-&. | ||||
| 048 bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf ...<2.....;.5X.. | ||||
| 064 33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81 3/..q......J.... | ||||
| 080 14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55 ...n..3.`....7.U | ||||
| 096 97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38 ...n...a..2N+5.8 | ||||
| 112 36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4 6..{j|.....{S.g. | ||||
| 128 b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9 ..lv{.MF..R..... | ||||
| 144 90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e .@...3"^.....lR> | ||||
| 160 af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a .E4..?..[.Gq..Tj | ||||
| 176 0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a ..+..VN..B"s.H'. | ||||
| 192 0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e ..1`S.v..U..1YCN | ||||
| 208 ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10 ..NFm.Z.s.rv'.z. | ||||
| 224 49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30 I....6...h..w.q0 | ||||
| 240 30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29 0[.......{qMlo,) | ||||
| 256 a6 ad 5c b4 02 2b 02 70 9b ..\..+.p. | ||||
| The nonce: | ||||
| 000 00 00 00 00 01 02 03 04 05 06 07 08 ............ | ||||
| The AAD: | ||||
| 000 f3 33 88 86 00 00 00 00 00 00 4e 91 .3........N. | ||||
| Received Tag: | ||||
| 000 ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38 ...g..."9#6....8 | ||||
| First, we calculate the one-time Poly1305 key | ||||
| @@@ ChaCha state with key set up | ||||
| 61707865 3320646e 79622d32 6b206574 | ||||
| a540921c 8ad355eb 868833f3 f0b5f604 | ||||
| c1173947 09802b40 bc5cca9d c0757020 | ||||
| 00000000 00000000 04030201 08070605 | ||||
| @@@ ChaCha state after 20 rounds | ||||
| a94af0bd 89dee45c b64bb195 afec8fa1 | ||||
| 508f4726 63f554c0 1ea2c0db aa721526 | ||||
| 11b1e514 a0bacc0f 828a6015 d7825481 | ||||
| e8a4a850 d9dcbbd6 4c2de33a f8ccd912 | ||||
| @@@ out bytes: | ||||
| bd:f0:4a:a9:5c:e4:de:89:95:b1:4b:b6:a1:8f:ec:af: | ||||
| 26:47:8f:50:c0:54:f5:63:db:c0:a2:1e:26:15:72:aa | ||||
| Poly1305 one-time key: | ||||
| 000 bd f0 4a a9 5c e4 de 89 95 b1 4b b6 a1 8f ec af ..J.\.....K..... | ||||
| 016 26 47 8f 50 c0 54 f5 63 db c0 a2 1e 26 15 72 aa &G.P.T.c....&.r. | ||||
| Next, we construct the AEAD buffer | ||||
| Poly1305 Input: | ||||
| 000 f3 33 88 86 00 00 00 00 00 00 4e 91 00 00 00 00 .3........N..... | ||||
| 016 64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd d...u...`.b...C. | ||||
| 032 5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2 ^.\.4\....g..l.. | ||||
| 048 4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0 Ll..u]C....N8-&. | ||||
| 064 bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf ...<2.....;.5X.. | ||||
| 080 33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81 3/..q......J.... | ||||
| 096 14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55 ...n..3.`....7.U | ||||
| 112 97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38 ...n...a..2N+5.8 | ||||
| 128 36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4 6..{j|.....{S.g. | ||||
| 144 b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9 ..lv{.MF..R..... | ||||
| 160 90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e .@...3"^.....lR> | ||||
| 176 af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a .E4..?..[.Gq..Tj | ||||
| 192 0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a ..+..VN..B"s.H'. | ||||
| 208 0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e ..1`S.v..U..1YCN | ||||
| 224 ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10 ..NFm.Z.s.rv'.z. | ||||
| 240 49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30 I....6...h..w.q0 | ||||
| 256 30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29 0[.......{qMlo,) | ||||
| 272 a6 ad 5c b4 02 2b 02 70 9b 00 00 00 00 00 00 00 ..\..+.p........ | ||||
| 288 0c 00 00 00 00 00 00 00 09 01 00 00 00 00 00 00 ................ | ||||
| We calculate the Poly1305 tag and find that it matches | ||||
| Calculated Tag: | ||||
| 000 ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38 ...g..."9#6....8 | ||||
| Finally, we decrypt the ciphertext | ||||
| Plaintext: | ||||
| 000 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 73 20 Internet-Drafts | ||||
| 016 61 72 65 20 64 72 61 66 74 20 64 6f 63 75 6d 65 are draft docume | ||||
| 032 6e 74 73 20 76 61 6c 69 64 20 66 6f 72 20 61 20 nts valid for a | ||||
| 048 6d 61 78 69 6d 75 6d 20 6f 66 20 73 69 78 20 6d maximum of six m | ||||
| 064 6f 6e 74 68 73 20 61 6e 64 20 6d 61 79 20 62 65 onths and may be | ||||
| 080 20 75 70 64 61 74 65 64 2c 20 72 65 70 6c 61 63 updated, replac | ||||
| 096 65 64 2c 20 6f 72 20 6f 62 73 6f 6c 65 74 65 64 ed, or obsoleted | ||||
| 112 20 62 79 20 6f 74 68 65 72 20 64 6f 63 75 6d 65 by other docume | ||||
| 128 6e 74 73 20 61 74 20 61 6e 79 20 74 69 6d 65 2e nts at any time. | ||||
| 144 20 49 74 20 69 73 20 69 6e 61 70 70 72 6f 70 72 It is inappropr | ||||
| 160 69 61 74 65 20 74 6f 20 75 73 65 20 49 6e 74 65 iate to use Inte | ||||
| 176 72 6e 65 74 2d 44 72 61 66 74 73 20 61 73 20 72 rnet-Drafts as r | ||||
| 192 65 66 65 72 65 6e 63 65 20 6d 61 74 65 72 69 61 eference materia | ||||
| 208 6c 20 6f 72 20 74 6f 20 63 69 74 65 20 74 68 65 l or to cite the | ||||
| 224 6d 20 6f 74 68 65 72 20 74 68 61 6e 20 61 73 20 m other than as | ||||
| 240 2f e2 80 9c 77 6f 72 6b 20 69 6e 20 70 72 6f 67 /...work in prog | ||||
| 256 72 65 73 73 2e 2f e2 80 9d ress./... | ||||
| Authors' Addresses | Authors' Addresses | |||
| Yoav Nir | Yoav Nir | |||
| Check Point Software Technologies Ltd. | Check Point Software Technologies Ltd. | |||
| 5 Hasolelim st. | 5 Hasolelim st. | |||
| Tel Aviv 6789735 | Tel Aviv 6789735 | |||
| Israel | Israel | |||
| Email: ynir.ietf@gmail.com | Email: ynir.ietf@gmail.com | |||
| End of changes. 25 change blocks. | ||||
| 90 lines changed or deleted | 206 lines changed or added | |||
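The decryption walk-through of Appendix A.5 above, together with the -04 Poly1305 input layout from the AEAD construction example (AAD zero-padded to a multiple of 16 bytes, ciphertext zero-padded the same way, then the two lengths as 64-bit little-endian words), as an added, self-contained Python example. This is editor-supplied code, not the draft's or either author's; the key, nonce, AAD, ciphertext, tag and one-time key constants are transcribed from A.5 on this page, and names such as `aead_mac_input` and `run_a5_walkthrough` are this example's own.

```python
"""ChaCha20-Poly1305 AEAD decryption replaying the draft's Appendix A.5 vector (added example, not draft code)."""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _qr(s, a, b, c, d):
    """The ChaCha quarter round on state words a, b, c, d (in place)."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """64-byte keystream block: constants | key | counter | nonce, 20 rounds, then add the input words."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key) + (counter,) + struct.unpack("<3L", nonce)
    w = list(state)  # work on a copy; the original input words are added back at the end
    for _ in range(10):  # 10 double rounds = 20 rounds (4 column + 4 diagonal quarter rounds each)
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16L", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha20_xor(key, counter, nonce, data):
    """Stream cipher: XOR data with successive keystream blocks, starting at block `counter`."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], ks))
    return bytes(out)


def poly1305_mac(msg, key):
    """Poly1305 over msg with the 32-byte one-time key r||s (r clamped; s added after the final reduction)."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        n = int.from_bytes(block, "little") | (1 << (8 * len(block)))  # the appended 0x01 byte
        acc = ((acc + n) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def poly1305_key_gen(key, nonce):
    """One-time Poly1305 key: the first 32 bytes of ChaCha20 block 0 for this key and nonce."""
    return chacha20_block(key, 0, nonce)[:32]


def _pad16(b):
    return b"\x00" * (-len(b) % 16)


def aead_mac_input(aad, ciphertext):
    """The -04 layout: AAD, zero pad to 16, ciphertext, zero pad to 16, then both lengths as 64-bit LE."""
    return aad + _pad16(aad) + ciphertext + _pad16(ciphertext) + struct.pack("<QQ", len(aad), len(ciphertext))


def aead_decrypt(key, nonce, aad, ciphertext, tag):
    """Verify the tag in constant time before decrypting; data uses keystream blocks 1 onward."""
    otk = poly1305_key_gen(key, nonce)
    if not hmac.compare_digest(poly1305_mac(aead_mac_input(aad, ciphertext), otk), tag):
        raise ValueError("Poly1305 tag mismatch: ciphertext or AAD was modified")
    return chacha20_xor(key, 1, nonce, ciphertext)


# Appendix A.5 vector, transcribed from the draft.
KEY = bytes.fromhex("1c9240a5eb55d38af333888604f6b5f0" "473917c1402b80099dca5cbc207075c0")
NONCE = bytes.fromhex("000000000102030405060708")
AAD = bytes.fromhex("f33388860000000000004e91")
TAG = bytes.fromhex("eead9d67890cbb22392336fea1851f38")
CIPHERTEXT = bytes.fromhex("""
64a0861575861af460f062c79be643bd 5e805cfd345cf389f108670ac76c8cb2
4c6cfc18755d43eea09ee94e382d26b0 bdb7b73c321b0100d4f03b7f355894cf
332f830e710b97ce98c8a84abd0b9481 14ad176e008d33bd60f982b1ff37c855
9797a06ef4f0ef61c186324e2b350638 3606907b6a7c02b0f9f6157b53c867e4
b9166c767b804d46a59b5216cde7a4e9 9040c5a40433225ee282a1b0a06c523e
af4534d7f83fa1155b0047718cbc546a 0d072b04b3564eea1b422273f548271a
0bb2316053fa76991955ebd63159434e cebb4e466dae5a1073a6727627097a10
49e617d91d361094fa68f0ff77987130 305beaba2eda04df997b714d6c6f2c29
a6ad5cb4022b02709b
""")


def run_a5_walkthrough():
    """Replay the A.5 steps; returns (one-time key, MAC input, computed tag, plaintext, tamper rejected)."""
    otk = poly1305_key_gen(KEY, NONCE)
    mac_input = aead_mac_input(AAD, CIPHERTEXT)
    tag = poly1305_mac(mac_input, otk)
    plaintext = aead_decrypt(KEY, NONCE, AAD, CIPHERTEXT, TAG)
    try:  # flip one bit of the received tag: decryption must refuse and return nothing
        aead_decrypt(KEY, NONCE, AAD, CIPHERTEXT, bytes([TAG[0] ^ 1]) + TAG[1:])
        rejected = False
    except ValueError:
        rejected = True
    return otk, mac_input, tag, plaintext, rejected


if __name__ == "__main__":
    otk, mac_input, tag, plaintext, rejected = run_a5_walkthrough()
    print("one-time key:", otk.hex())
    print("tag matches:", tag == TAG, "| tampered tag rejected:", rejected)
    print(plaintext.decode())
```

The order of operations is the point of the walk-through: block 0 of the keystream is consumed by the one-time key and never touches data, the tag is checked with a constant-time comparison before any plaintext is produced, and the padding and length trailer of `aead_mac_input` reproduce the 4 zero bytes after the 12-byte AAD and the 7 zero bytes after the 265-byte ciphertext seen in the draft's Poly1305 input dump.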
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||