idnits 2.17.1 

draft-irtf-cfrg-xchacha-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([RFC7539]), which it
     shouldn't.  Please replace those with straight textual mentions of the
     documents in question.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 180 has weird spacing: '...ccccccc  ccccc...'

  == Line 181 has weird spacing: '...kkkkkkk  kkkkk...'

  == Line 182 has weird spacing: '...kkkkkkk  kkkkk...'

  == Line 183 has weird spacing: '...bbbbbbb  nnnnn...'

  == Line 186 has weird spacing: '...ccccccc  ccccc...'

  == (4 more instances...)

  == The document doesn't use any RFC 2119 keywords, yet seems to have RFC
     2119 boilerplate text.

  -- The document date (July 23, 2019) is 1739 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '1' on line 368

  -- Looks like a reference, but probably isn't: '2' on line 371

  -- Looks like a reference, but probably isn't: '3' on line 373

  -- Looks like a reference, but probably isn't: '4' on line 375

  -- Looks like a reference, but probably isn't: '5' on line 377

  -- Looks like a reference, but probably isn't: '6' on line 380

  -- Looks like a reference, but probably isn't: '7' on line 382

  -- Looks like a reference, but probably isn't: '8' on line 384

  -- Looks like a reference, but probably isn't: '9' on line 386

  -- Looks like a reference, but probably isn't: '10' on line 388

  -- Looks like a reference, but probably isn't: '11' on line 392

  -- Looks like a reference, but probably isn't: '12' on line 394

  -- Looks like a reference, but probably isn't: '13' on line 396

  ** Obsolete normative reference: RFC 7539 (Obsoleted by RFC 8439)


     Summary: 2 errors (**), 0 flaws (~~), 8 warnings (==), 14 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	(No Working Group)                                        S. Arciszewski
3	Internet-Draft                            Paragon Initiative Enterprises
4	Intended status: Informational                             July 23, 2019
5	Expires: January 24, 2020

7	       XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305
8	                       draft-irtf-cfrg-xchacha-01

10	Abstract

12	   The eXtended-nonce ChaCha cipher construction (XChaCha) allows for
13	   ChaCha-based ciphersuites to accept a 192-bit nonce with similar
14	   guarantees to the original construction, except with a much lower
15	   probability of nonce misuse occurring.  This helps for long running
16	   TLS connections.  This also enables XChaCha constructions to be
17	   stateless, while retaining the same security assumptions as ChaCha.

19	   This document defines XChaCha20, which uses HChaCha20 to convert the
20	   key and part of the nonce into a subkey, which is in turn used with
21	   the remainder of the nonce with ChaCha20 to generate a pseudorandom
22	   keystream (e.g. for message encryption).

24	   This document also defines AEAD_XChaCha20_Poly1305, a variant of
25	   [RFC7539] that utilizes the XChaCha20 construction in place of
26	   ChaCha20.

28	Status of This Memo

30	   This Internet-Draft is submitted in full conformance with the
31	   provisions of BCP 78 and BCP 79.

33	   Internet-Drafts are working documents of the Internet Engineering
34	   Task Force (IETF).  Note that other groups may also distribute
35	   working documents as Internet-Drafts.  The list of current Internet-
36	   Drafts is at https://datatracker.ietf.org/drafts/current/.

38	   Internet-Drafts are draft documents valid for a maximum of six months
39	   and may be updated, replaced, or obsoleted by other documents at any
40	   time.  It is inappropriate to use Internet-Drafts as reference
41	   material or to cite them other than as "work in progress."

43	   This Internet-Draft will expire on January 24, 2020.

45	Copyright Notice

47	   Copyright (c) 2019 IETF Trust and the persons identified as the
48	   document authors.  All rights reserved.

50	   This document is subject to BCP 78 and the IETF Trust's Legal
51	   Provisions Relating to IETF Documents
52	   (https://trustee.ietf.org/license-info) in effect on the date of
53	   publication of this document.  Please review these documents
54	   carefully, as they describe your rights and restrictions with respect
55	   to this document.  Code Components extracted from this document must
56	   include Simplified BSD License text as described in Section 4.e of
57	   the Trust Legal Provisions and are provided without warranty as
58	   described in the Simplified BSD License.

60	Table of Contents

62	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
63	     1.1.  Notation and Conventions  . . . . . . . . . . . . . . . .   3
64	   2.  AEAD_XChaCha20_Poly1305 . . . . . . . . . . . . . . . . . . .   3
65	     2.1.  Motivation for XChaCha20-Poly1305 . . . . . . . . . . . .   4
66	     2.2.  HChaCha20 . . . . . . . . . . . . . . . . . . . . . . . .   4
67	       2.2.1.  Test Vector for the HChaCha20 Block Function  . . . .   5
68	     2.3.  XChaCha20 . . . . . . . . . . . . . . . . . . . . . . . .   6
69	       2.3.1.  XChaCha20 Pseudocode  . . . . . . . . . . . . . . . .   6
70	   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
71	     3.1.  Proving XChaCha20 to be Secure  . . . . . . . . . . . . .   6
72	   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
73	   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
74	     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
75	     5.2.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . . .   8
76	   Appendix A.  Additional Test Vectors  . . . . . . . . . . . . . .   9
77	     A.1.  Example and Test Vector for AEAD_XCHACHA20_POLY1305 . . .   9
78	     A.2.  Example and Test Vectors for XChaCha20  . . . . . . . . .  11
79	       A.2.1.  With Block Counter = 0  . . . . . . . . . . . . . . .  11
80	       A.2.2.  With Block Counter = 1  . . . . . . . . . . . . . . .  13
81	     A.3.  Developer-Friendly Test Vectors . . . . . . . . . . . . .  15
82	       A.3.1.  AEAD_XCHACHA20_POLY1305 . . . . . . . . . . . . . . .  15
83	       A.3.2.  XChaCha20 . . . . . . . . . . . . . . . . . . . . . .  16
84	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  18

86	1.  Introduction

88	   AEAD constructions (Authenticated Encryption with Associated Data)
89	   allow for message confidentiality to be assured even in the presence
90	   of adaptive chosen-ciphertext attacks, but they're known to be
91	   brittle to nonce-misuse conditions [1].

93	   Several nonce misuse resistant cipher constructions have been
94	   proposed over the years, including AES-SIV ([RFC5297]), AES-GCM-SIV
95	   [2], and several CAESAR candidates [3].

97	   However, misuse resistant cipher constructions come at a cost in
98	   performance as they must necessarily make two passes over the message
99	   to be encrypted.  An alternative strategy can significantly reduce
100	   the chance of accidental nonce reuse in environments where a large
101	   number of messages are encrypted.  Simply use a large enough nonce
102	   such that applications can generate them randomly for each message
103	   and the probability of a collision remains low.

105	   To this end, we propose a solution that is already implemented in
106	   many software projects that extends the nonce of ChaCha20 to 192 bits
107	   and uses it to build an AEAD construction.

109	1.1.  Notation and Conventions

111	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
112	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
113	   document are to be interpreted as described in RFC 2119 [RFC2119].

115	2.  AEAD_XChaCha20_Poly1305

117	   XChaCha20-Poly1305 is a variant of the ChaCha20-Poly1305 AEAD
118	   construction as defined in [RFC7539] that uses a 192-bit nonce
119	   instead of a 96-bit nonce.

121	   The algorithm for XChaCha20-Poly1305 is as follows:

123	   1.  Calculate a subkey from the first 16 bytes of the nonce and the
124	       key, using HChaCha20 (Section 2.2).

126	   2.  Use the subkey and remaining 8 bytes of the nonce (prefixed with
127	       4 NUL bytes) with AEAD_CHACHA20_POLY1305 from [RFC7539] as
128	       normal.  The definition for XChaCha20 is given in Section 2.3.

130	   XChaCha20-Poly1305 implementations already exist in WireGuard [4],
131	   libsodium [5], xsecretbox [6], Tink [7], and in Go's crypto/
132	   chacha20poly1305 [8] library.

134	   Similarly, Google's HPolyC [9] implements XChaCha12.

136	   LibreSSL [10] has already implemented XChaCha20-Poly1305.

138	   Note that the construction we're building upon uses the IETF's
139	   ChaCha20 (96-bit nonce), not Bernstein's ChaCha20 (64-bit nonce).

141	2.1.  Motivation for XChaCha20-Poly1305

143	   The nonce used by the original ChaCha20-Poly1305 is too short to
144	   safely use with random strings for long-lived keys.
145	   XChaCha20-Poly1305 does not have this restriction.

147	   By generating a subkey from a 128-bit nonce and the key, a reuse of
148	   only the latter 64 bits of the nonce isn't security-affecting, since
149	   the key (and thus, keystream) will be different.  Additionally a re-
150	   use of only the first 128 bits of the nonce isn't security-affecting,
151	   as the nonce derived from the latter 64 bits is different.

153	   Assuming a secure random number generator, random 192-bit nonces
154	   should experience a single collision (with probability 50%) after
155	   roughly 2^96 messages (approximately 7.2998163e+28).  A more
156	   conservative threshold (2^-32 chance of collision) still allows for
157	   2^80 messages to be sent under a single key.

159	   Therefore, with XChaCha20-Poly1305, users can safely generate a
160	   random 192-bit nonce for each message and not worry about nonce-reuse
161	   vulnerabilities.

163	   As long as ChaCha20-Poly1305 is a secure AEAD cipher and ChaCha is a
164	   secure pseudorandom function (PRF), XChaCha20-Poly1305 is secure.

166	2.2.  HChaCha20

168	   *HChaCha20* is an intermediary step towards XChaCha20 based on the
169	   construction and security proof used to create XSalsa20 [11], an
170	   extended-nonce Salsa20 variant used in NaCl [12].

172	   HChaCha20 is initialized the same way as the ChaCha cipher, except
173	   that HChaCha20 uses a 128-bit nonce and has no counter.  Instead, the
174	   block counter is replaced by the first 32 bits of the nonce.

176	   Consider the two figures below, where each non-whitespace character
177	   represents one nibble of information about the ChaCha states (all
178	   numbers little-endian):

180	                  cccccccc  cccccccc  cccccccc  cccccccc
181	                  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
182	                  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
183	                  bbbbbbbb  nnnnnnnn  nnnnnnnn  nnnnnnnn

185	           ChaCha20 State: c=constant k=key b=blockcount n=nonce
186	                  cccccccc  cccccccc  cccccccc  cccccccc
187	                  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
188	                  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
189	                  nnnnnnnn  nnnnnnnn  nnnnnnnn  nnnnnnnn

191	                 HChaCha20 State: c=constant k=key n=nonce

193	   After initialization, proceed through the ChaCha rounds as usual.

195	   Once the 20 ChaCha rounds have been completed, the first 128 bits and
196	   last 128 bits of the ChaCha state (both little-endian) are
197	   concatenated, and this 256-bit subkey is returned.

199	2.2.1.  Test Vector for the HChaCha20 Block Function

201	   o  Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:
202	      14:15:16:17:18:19:1a:1b:1c:1d:1e:1f.  The key is a sequence of
203	      octets with no particular structure before we copy it into the
204	      HChaCha state.

206	   o  Nonce = (00:00:00:09:00:00:00:4a:00:00:00:00:31:41:59:27)

208	   After setting up the HChaCha state, it looks like this:

210	                    61707865 3320646e 79622d32 6b206574
211	                    03020100 07060504 0b0a0908 0f0e0d0c
212	                    13121110 17161514 1b1a1918 1f1e1d1c
213	                    09000000 4a000000 00000000 27594131

215	                     ChaCha state with the key setup.

217	   After running 20 rounds (10 column rounds interleaved with 10
218	   "diagonal rounds"), the HChaCha state looks like this:

220	                    423b4182 fe7bb227 50420ed3 737d878a
221	                    0aa76448 7954cdf3 846acd37 7b3c58ad
222	                    77e35583 83e77c12 e0076a2d bc6cd0e5
223	                    d5e4f9a0 53a8748a 13c42ec1 dcecd326

225	                       HChaCha state after 20 rounds

227	   HChaCha20 will then return only the first and last rows, in little
228	   endian, resulting in the following 256-bit key:

230	                    82413b42 27b27bfe d30e4250 8a877d73
231	                    a0f9e4d5 8a74a853 c12ec413 26d3ecdc

233	                        Resultant HChaCha20 subkey

235	2.3.  XChaCha20

237	   XChaCha20 can be constructed from an existing ChaCha20 implementation
238	   and HChaCha20.  All one needs to do is:

240	   1.  Pass the key and the first 16 bytes of the 24-byte nonce to
241	       HChaCha20 to obtain the subkey.

243	   2.  Use the subkey and remaining 8 byte nonce with ChaCha20 as normal
244	       (prefixed by 4 NUL bytes, since [RFC7539] specifies a 12-byte
245	       nonce).

247	   XChaCha20 is a stream cipher and offers no integrity guarantees
248	   without being combined with a MAC algorithm (e.g.  Poly1305).

250	   The same HChaCha20 subkey derivation can also be used in the context
251	   of an AEAD_ChaCha20_Poly1305 implementation to create
252	   AEAD_XChaCha20_Poly1305, as described in Section 2.  Note that, with
253	   the AEAD mode, the initial block counter is set to 1 instead of 0,
254	   since the first block is used to derive the one-time Poly1305 key.

256	2.3.1.  XChaCha20 Pseudocode

258	 xchacha20_encrypt(key, nonce, plaintext):
259	     subkey = hchacha20(key, nonce[0:15])
260	     chacha20_nonce = "\x00\x00\x00\x00" + nonce[16:23]
261	     blk_ctr = 0
262	     return chacha20_encrypt(subkey, chacha20_nonce, plaintext, blk_ctr)

264	3.  Security Considerations

266	   The security of the XChaCha construction depends on both the security
267	   of the ChaCha stream cipher and the HChaCha intermediary step, for
268	   reasons explained in the XSalsa20 paper [13] (which our XChaCha
269	   construction is derived from).

271	   Given that the 20-round ChaCha stream cipher (ChaCha20) is believed
272	   to be at least as secure as Salsa20, our only relevant security
273	   consideration involves HChaCha20.

275	3.1.  Proving XChaCha20 to be Secure

277	   In the XSalsa20 paper, when HSalsa20 is defined, the author states,
278	   "The indices 0, 5, 10, 15, 6, 7, 8, 9 here were not chosen
279	   arbitrarily; the choice is important for the security proof later in
280	   this paper."
281	   In the analysis of Theorem 3.1 from the same paper (which covers
282	   generalized cascades), the author further states: "Note that this
283	   bound is affected less by the insecurity of H than by the insecurity
284	   of S."

286	   This means that the security of HSalsa20 affects the security of
287	   XSalsa20 less than Salsa20 does, and the same applies to any
288	   generalized cascade following a similar construction.

290	   However, we want to be sure that HChaCha is secure even if it's less
291	   security-affecting than ChaCha (which we already believe to be
292	   secure).

294	   In Salsa20, the indices 0, 5, 10, 15 were populated with constants,
295	   while the indices 6, 7, 8, and 9 were populated by the nonce.  The
296	   security proof for HSalsa20 relies on the definition of a function Q
297	   (specified in Theorem 3.3 of the paper) that provides two critical
298	   properties:

300	   1.  Q(i) is a public computation of H(i) and S(i).

302	   2.  Q(i) is a public computation of uniform random strings from
303	       uniform random strings.

305	   Thus, HSalsa20 uses the same indices as the public inputs (constant +
306	   nonce) for its final output.

308	   The reliance on public computation for the security proof makes
309	   sense, and can be applied to ChaCha with a slight tweak.

311	   ChaCha is a slightly different construction than Salsa20: The
312	   constants occupy the indices at 0, 1, 2, 3.  Meanwhile, the nonce
313	   populates indices 12, 13, 14, 15.

315	   Consequently, we can extract a public computation from ChaCha20 by
316	   selecting these indices from HChaCha20's final state as the HChaCha20
317	   output, and the same security proof can be used.

319	   Therefore, if the argument that makes HSalsa20 secure is valid, then
320	   it also applies to HChaCha for the corresponding output indices.

322	                 HSalsa20:  0,  5, 10, 15,  6,  7,  8,  9
323	                 HChaCha:   0,  1,  2,  3, 12, 13, 14, 15

325	         Input and output indices for the relevant security proof

327	   If the 20-round HChaCha (HChaCha20) is secure, and the 20-round
328	   ChaCha20 is secure, then XChaCha20 is also secure.

330	4.  IANA Considerations

332	   This document defines a new stream cipher ("XChaCha20", see
333	   Section 2.3) and a new AEAD cipher construction
334	   ("XChaCha20-Poly1305", see Section 2).

336	   A new entry in the "Authenticated Encryption with Associated Data
337	   (AEAD) Parameters" registry with the name "AEAD_XCHACHA20_POLY1305"
338	   should be assigned.

340	          Name                    | Reference | Number Identifier
341	          ------------------------+-----------+------------------
342	          AEAD_XCHACHA20_POLY1305 | Section 2 |      TBD1

344	5.  References

346	5.1.  Normative References

348	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
349	              Requirement Levels", BCP 14, RFC 2119,
350	              DOI 10.17487/RFC2119, March 1997,
351	              <https://www.rfc-editor.org/info/rfc2119>.

353	   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
354	              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
355	              <https://www.rfc-editor.org/info/rfc4648>.

357	   [RFC5297]  Harkins, D., "Synthetic Initialization Vector (SIV)
358	              Authenticated Encryption Using the Advanced Encryption
359	              Standard (AES)", RFC 5297, DOI 10.17487/RFC5297, October
360	              2008, <https://www.rfc-editor.org/info/rfc5297>.

362	   [RFC7539]  Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
363	              Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015,
364	              <https://www.rfc-editor.org/info/rfc7539>.

366	5.2.  URIs

368	   [1] https://cryptologie.net/article/361/breaking-https-aes-gcm-or-a-
369	       part-of-it/

371	   [2] https://eprint.iacr.org/2017/168.pdf

373	   [3] https://competitions.cr.yp.to/caesar-submissions.html

375	   [4] https://www.wireguard.com

377	   [5] https://download.libsodium.org/doc/secret-key_cryptography/
378	       xchacha20-poly1305_construction.html

380	   [6] https://github.com/jedisct1/xsecretbox

382	   [7] https://github.com/google/tink

384	   [8] https://godoc.org/golang.org/x/crypto/chacha20poly1305#NewX

386	   [9] https://github.com/google/hpolyc

388	   [10] https://github.com/libressl-portable/openbsd/commit/
389	        f9ad715107c72ecbd84924fa7268f4d4686c9e43#diff-
390	        e67c04cb298e3a810d8d68c7893942be

392	   [11] https://cr.yp.to/snuffle/xsalsa-20110204.pdf

394	   [12] https://nacl.cr.yp.to

396	   [13] https://cr.yp.to/snuffle/xsalsa-20110204.pdf

398	Appendix A.  Additional Test Vectors

400	A.1.  Example and Test Vector for AEAD_XCHACHA20_POLY1305

402	   Plaintext:

404	  000  4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c  Ladies and Gentl
405	  016  65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73  emen of the clas
406	  032  73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63  s of '99: If I c
407	  048  6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f  ould offer you o
408	  064  6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20  nly one tip for
409	  080  74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73  the future, suns
410	  096  63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69  creen would be i
411	  112  74 2e                                            t.

413	   AAD:

415	    000  50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7              PQRS........

417	   Key:

419	  000  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f  ................
420	  016  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f  ................

422	   IV:

424	  000  40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f  @ABCDEFGHIJKLMNO
425	  016  50 51 52 53 54 55 56 57                          PQRSTUVW

427	   32-bit fixed-common part:

429	        000  00 00 00 00                                      ....

431	   Poly1305 Key:

433	  000  7b 19 1f 80 f3 61 f0 99 09 4f 6f 4b 8f b9 7d f8  {....a...OoK..}.
434	  016  47 cc 68 73 a8 f2 b1 90 dd 73 80 71 83 f9 07 d5  G.hs.....s.q....

436	   Ciphertext:

438	  000  bd 6d 17 9d 3e 83 d4 3b 95 76 57 94 93 c0 e9 39  .m..>..;.vW....9
439	  016  57 2a 17 00 25 2b fa cc be d2 90 2c 21 39 6c bb  W*..%+.....,!9l.
440	  032  73 1c 7f 1b 0b 4a a6 44 0b f3 a8 2f 4e da 7e 39  s....J.D.../N.~9
441	  048  ae 64 c6 70 8c 54 c2 16 cb 96 b7 2e 12 13 b4 52  .d.p.T.........R
442	  064  2f 8c 9b a4 0d b5 d9 45 b1 1b 69 b9 82 c1 bb 9e  /......E..i.....
443	  080  3f 3f ac 2b c3 69 48 8f 76 b2 38 35 65 d3 ff f9  ??.+.iH.v.85e...
444	  096  21 f9 66 4c 97 63 7d a9 76 88 12 f6 15 c6 8b 13  !.fL.c}.v.......
445	  112  b5 2e                                            ..

447	   Tag:

449	              c0:87:59:24:c1:c7:98:79:47:de:af:d8:78:0a:cf:49

451	A.2.  Example and Test Vectors for XChaCha20

453	   Note: This is for the XChaCha20 stream cipher itself, not the AEAD
454	   construction.

456	A.2.1.  With Block Counter = 0

458	   Counter: 0

460	   Plaintext:

462	  000  54 68 65 20 64 68 6f 6c 65 20 28 70 72 6f 6e 6f  The dhole (prono
463	  010  75 6e 63 65 64 20 22 64 6f 6c 65 22 29 20 69 73  unced "dole") is
464	  020  20 61 6c 73 6f 20 6b 6e 6f 77 6e 20 61 73 20 74   also known as t
465	  030  68 65 20 41 73 69 61 74 69 63 20 77 69 6c 64 20  he Asiatic wild
466	  040  64 6f 67 2c 20 72 65 64 20 64 6f 67 2c 20 61 6e  dog, red dog, an
467	  050  64 20 77 68 69 73 74 6c 69 6e 67 20 64 6f 67 2e  d whistling dog.
468	  060  20 49 74 20 69 73 20 61 62 6f 75 74 20 74 68 65   It is about the
469	  070  20 73 69 7a 65 20 6f 66 20 61 20 47 65 72 6d 61   size of a Germa
470	  080  6e 20 73 68 65 70 68 65 72 64 20 62 75 74 20 6c  n shepherd but l
471	  090  6f 6f 6b 73 20 6d 6f 72 65 20 6c 69 6b 65 20 61  ooks more like a
472	  0a0  20 6c 6f 6e 67 2d 6c 65 67 67 65 64 20 66 6f 78   long-legged fox
473	  0b0  2e 20 54 68 69 73 20 68 69 67 68 6c 79 20 65 6c  . This highly el
474	  0c0  75 73 69 76 65 20 61 6e 64 20 73 6b 69 6c 6c 65  usive and skille
475	  0d0  64 20 6a 75 6d 70 65 72 20 69 73 20 63 6c 61 73  d jumper is clas
476	  0e0  73 69 66 69 65 64 20 77 69 74 68 20 77 6f 6c 76  sified with wolv
477	  0f0  65 73 2c 20 63 6f 79 6f 74 65 73 2c 20 6a 61 63  es, coyotes, jac
478	  100  6b 61 6c 73 2c 20 61 6e 64 20 66 6f 78 65 73 20  kals, and foxes
479	  110  69 6e 20 74 68 65 20 74 61 78 6f 6e 6f 6d 69 63  in the taxonomic
480	  120  20 66 61 6d 69 6c 79 20 43 61 6e 69 64 61 65 2e   family Canidae.

482	   Key:

484	  000  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f  ................
485	  016  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f  ................

487	   IV:

489	  000  40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f  @ABCDEFGHIJKLMNO
490	  016  50 51 52 53 54 55 56 58                          PQRSTUVX
491	   Keystream:

493	  000: 11 31 ce 9a 2a 20 ae 0d 67 c8 93 5c 77 89 fa 10  .1..* ..g..\w...
494	  010: 25 c9 e5 bb 72 0f b9 6f 11 35 4f b9 7a f0 bd 9a  %...r..o.5O.z...
495	  020: ad ec 08 63 ba 60 ca c8 58 2c 48 f8 6c df c4 8e  ...c.`..X,H.l...
496	  030: dd 46 a4 86 42 c5 de 62 cc f1 1c 7b 21 bf 33 7d  .F..B..b...{!.3}
497	  040: 29 62 4b 4b 1b 14 0a ce 53 74 0e 40 5b 21 68 54  )bKK....St.@[!hT
498	  050: 0f d7 d6 30 c1 f5 36 fe cd 72 2f c3 cd db a7 f4  ...0..6..r/.....
499	  060: cc a9 8c f9 e4 7e 5e 64 d1 15 45 0f 9b 12 5b 54  .....~^d..E...[T
500	  070: 44 9f f7 61 41 ca 62 0a 1f 9c fc ab 2a 1a 8a 25  D..aA.b.....*..%
501	  080: 5e 76 6a 52 66 b8 78 84 61 20 ea 64 ad 99 aa 47  ^vjRf.x.a .d...G
502	  090: 94 71 e6 3b ef cb d3 7c d1 c2 2a 22 1f e4 62 21  .q.;...|..*"..b!
503	  0a0: 5c f3 2c 74 89 5b f5 05 86 3c cd dd 48 f6 29 16  \.,t.[...<..H.).
504	  0b0: dc 65 21 f1 ec 50 a5 ae 08 90 3a a2 59 d9 bf 60  .e!..P....:.Y..`
505	  0c0: 7c d8 02 6f ba 54 86 04 f1 b6 07 2d 91 bc 91 24  |..o.T.....-...$
506	  0d0: 3a 5b 84 5f 7f d1 71 b0 2e dc 5a 0a 84 cf 28 dd  :[._..q...Z...(.
507	  0e0: 24 11 46 bc 37 6e 3f 48 df 5e 7f ee 1d 11 04 8c  $.F.7n?H.^......
508	  0f0: 19 0a 3d 3d eb 0f eb 64 b4 2d 9c 6f de ee 29 0f  ..==...d.-.o..).
509	  100: a0 e6 ae 2c 26 c0 24 9e a8 c1 81 f7 e2 ff d1 00  ...,&.$.........
510	  110: cb e5 fd 3c 4f 82 71 d6 2b 15 33 0c b8 fd cf 00  ...<O.q.+.3.....
511	  120: b3 df 50 7c a8 c9 24 f7 01 7b 7e 71 2d 15 a2 eb  ..P|..$..{~q-...

513	   Ciphertext:

515	  000: 45 59 ab ba 4e 48 c1 61 02 e8 bb 2c 05 e6 94 7f  EY..NH.a...,....
516	  010: 50 a7 86 de 16 2f 9b 0b 7e 59 2a 9b 53 d0 d4 e9  P..../..~Y*.S...
517	  020: 8d 8d 64 10 d5 40 a1 a6 37 5b 26 d8 0d ac e4 fa  ..d..@..7[&.....
518	  030: b5 23 84 c7 31 ac bf 16 a5 92 3c 0c 48 d3 57 5d  .#..1.....<.H.W]
519	  040: 4d 0d 2c 67 3b 66 6f aa 73 10 61 27 77 01 09 3a  M.,g;fo.s.a'w..:
520	  050: 6b f7 a1 58 a8 86 42 92 a4 1c 48 e3 a9 b4 c0 da  k..X..B...H.....
521	  060: ec e0 f8 d9 8d 0d 7e 05 b3 7a 30 7b bb 66 33 31  ......~..z0{.f31
522	  070: 64 ec 9e 1b 24 ea 0d 6c 3f fd dc ec 4f 68 e7 44  d...$..l?...Oh.D
523	  080: 30 56 19 3a 03 c8 10 e1 13 44 ca 06 d8 ed 8a 2b  0V.:.....D.....+
524	  090: fb 1e 8d 48 cf a6 bc 0e b4 e2 46 4b 74 81 42 40  ...H......FKt.B@
525	  0a0: 7c 9f 43 1a ee 76 99 60 e1 5b a8 b9 68 90 46 6e  |.C..v.`.[..h.Fn
526	  0b0: f2 45 75 99 85 23 85 c6 61 f7 52 ce 20 f9 da 0c  .Eu..#..a.R. ...
527	  0c0: 09 ab 6b 19 df 74 e7 6a 95 96 74 46 f8 d0 fd 41  ..k..t.j..tF...A
528	  0d0: 5e 7b ee 2a 12 a1 14 c2 0e b5 29 2a e7 a3 49 ae  ^{.*......)*..I.
529	  0e0: 57 78 20 d5 52 0a 1f 3f b6 2a 17 ce 6a 7e 68 fa  Wx .R..?.*..j~h.
530	  0f0: 7c 79 11 1d 88 60 92 0b c0 48 ef 43 fe 84 48 6c  |y...`...H.C..Hl
531	  100: cb 87 c2 5f 0a e0 45 f0 cc e1 e7 98 9a 9a a2 20  ..._..E........
532	  110: a2 8b dd 48 27 e7 51 a2 4a 6d 5c 62 d7 90 a6 63  ...H'.Q.Jm\b...c
533	  120: 93 b9 31 11 c1 a5 5d d7 42 1a 10 18 49 74 c7 c5  ..1...].B...It..

535	A.2.2.  With Block Counter = 1

537	   Counter: 1

539	   Plaintext:

541	  000  54 68 65 20 64 68 6f 6c 65 20 28 70 72 6f 6e 6f  The dhole (prono
542	  010  75 6e 63 65 64 20 22 64 6f 6c 65 22 29 20 69 73  unced "dole") is
543	  020  20 61 6c 73 6f 20 6b 6e 6f 77 6e 20 61 73 20 74   also known as t
544	  030  68 65 20 41 73 69 61 74 69 63 20 77 69 6c 64 20  he Asiatic wild
545	  040  64 6f 67 2c 20 72 65 64 20 64 6f 67 2c 20 61 6e  dog, red dog, an
546	  050  64 20 77 68 69 73 74 6c 69 6e 67 20 64 6f 67 2e  d whistling dog.
547	  060  20 49 74 20 69 73 20 61 62 6f 75 74 20 74 68 65   It is about the
548	  070  20 73 69 7a 65 20 6f 66 20 61 20 47 65 72 6d 61   size of a Germa
549	  080  6e 20 73 68 65 70 68 65 72 64 20 62 75 74 20 6c  n shepherd but l
550	  090  6f 6f 6b 73 20 6d 6f 72 65 20 6c 69 6b 65 20 61  ooks more like a
551	  0a0  20 6c 6f 6e 67 2d 6c 65 67 67 65 64 20 66 6f 78   long-legged fox
552	  0b0  2e 20 54 68 69 73 20 68 69 67 68 6c 79 20 65 6c  . This highly el
553	  0c0  75 73 69 76 65 20 61 6e 64 20 73 6b 69 6c 6c 65  usive and skille
554	  0d0  64 20 6a 75 6d 70 65 72 20 69 73 20 63 6c 61 73  d jumper is clas
555	  0e0  73 69 66 69 65 64 20 77 69 74 68 20 77 6f 6c 76  sified with wolv
556	  0f0  65 73 2c 20 63 6f 79 6f 74 65 73 2c 20 6a 61 63  es, coyotes, jac
557	  100  6b 61 6c 73 2c 20 61 6e 64 20 66 6f 78 65 73 20  kals, and foxes
558	  110  69 6e 20 74 68 65 20 74 61 78 6f 6e 6f 6d 69 63  in the taxonomic
559	  120  20 66 61 6d 69 6c 79 20 43 61 6e 69 64 61 65 2e   family Canidae.

561	   Key:

563	  000  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f  ................
564	  016  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f  ................

566	   IV:

568	  000  40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f  @ABCDEFGHIJKLMNO
569	  016  50 51 52 53 54 55 56 58                          PQRSTUVX
570	   Keystream:

572	  000: 29 62 4b 4b 1b 14 0a ce 53 74 0e 40 5b 21 68 54  )bKK....St.@[!hT
573	  010: 0f d7 d6 30 c1 f5 36 fe cd 72 2f c3 cd db a7 f4  ...0..6..r/.....
574	  020: cc a9 8c f9 e4 7e 5e 64 d1 15 45 0f 9b 12 5b 54  .....~^d..E...[T
575	  030: 44 9f f7 61 41 ca 62 0a 1f 9c fc ab 2a 1a 8a 25  D..aA.b.....*..%
576	  040: 5e 76 6a 52 66 b8 78 84 61 20 ea 64 ad 99 aa 47  ^vjRf.x.a .d...G
577	  050: 94 71 e6 3b ef cb d3 7c d1 c2 2a 22 1f e4 62 21  .q.;...|..*"..b!
578	  060: 5c f3 2c 74 89 5b f5 05 86 3c cd dd 48 f6 29 16  \.,t.[...<..H.).
579	  070: dc 65 21 f1 ec 50 a5 ae 08 90 3a a2 59 d9 bf 60  .e!..P....:.Y..`
580	  080: 7c d8 02 6f ba 54 86 04 f1 b6 07 2d 91 bc 91 24  |..o.T.....-...$
581	  090: 3a 5b 84 5f 7f d1 71 b0 2e dc 5a 0a 84 cf 28 dd  :[._..q...Z...(.
582	  0a0: 24 11 46 bc 37 6e 3f 48 df 5e 7f ee 1d 11 04 8c  $.F.7n?H.^......
583	  0b0: 19 0a 3d 3d eb 0f eb 64 b4 2d 9c 6f de ee 29 0f  ..==...d.-.o..).
584	  0c0: a0 e6 ae 2c 26 c0 24 9e a8 c1 81 f7 e2 ff d1 00  ...,&.$.........
585	  0d0: cb e5 fd 3c 4f 82 71 d6 2b 15 33 0c b8 fd cf 00  ...<O.q.+.3.....
586	  0e0: b3 df 50 7c a8 c9 24 f7 01 7b 7e 71 2d 15 a2 eb  ..P|..$..{~q-...
587	  0f0: 5c 50 48 44 51 e5 4e 1b 4b 99 5b d8 fd d9 45 97  \PHDQ.N.K.[...E.
588	  100: bb 94 d7 af 0b 2c 04 df 10 ba 08 90 89 9e d9 29  .....,.........)
589	  110: 3a 0f 55 b8 ba fa 99 92 64 03 5f 1d 4f be 7f e0  :.U.....d._.O...
590	  120: aa fa 10 9a 62 37 20 27 e5 0e 10 cd fe cc a1 27  ....b7 '.......'

592	   Ciphertext:

594	  000: 7d 0a 2e 6b 7f 7c 65 a2 36 54 26 30 29 4e 06 3b  }..k.|e.6T&0)N.;
595	  010: 7a b9 b5 55 a5 d5 14 9a a2 1e 4a e1 e4 fb ce 87  z..U......J.....
596	  020: ec c8 e0 8a 8b 5e 35 0a be 62 2b 2f fa 61 7b 20  .....^5..b+/.a{
597	  030: 2c fa d7 20 32 a3 03 7e 76 ff dc dc 43 76 ee 05  ,.. 2..~v...Cv..
598	  040: 3a 19 0d 7e 46 ca 1d e0 41 44 85 03 81 b9 cb 29  :..~F...AD.....)
599	  050: f0 51 91 53 86 b8 a7 10 b8 ac 4d 02 7b 8b 05 0f  .Q.S......M.{...
600	  060: 7c ba 58 54 e0 28 d5 64 e4 53 b8 a9 68 82 41 73  |.XT.(.d.S..h.As
601	  070: fc 16 48 8b 89 70 ca c8 28 f1 1a e5 3c ab d2 01  ..H..p..(...<...
602	  080: 12 f8 71 07 df 24 ee 61 83 d2 27 4f e4 c8 b1 48  ..q..$.a..'O...H
603	  090: 55 34 ef 2c 5f bc 1e c2 4b fc 36 63 ef aa 08 bc  U4.,_...K.6c....
604	  0a0: 04 7d 29 d2 50 43 53 2d b8 39 1a 8a 3d 77 6b f4  .}).PCS-.9..=wk.
605	  0b0: 37 2a 69 55 82 7c cb 0c dd 4a f4 03 a7 ce 4c 63  7*iU.|...J....Lc
606	  0c0: d5 95 c7 5a 43 e0 45 f0 cc e1 f2 9c 8b 93 bd 65  ...ZC.E........e
607	  0d0: af c5 97 49 22 f2 14 a4 0b 7c 40 2c db 91 ae 73  ...I"....|@,...s
608	  0e0: c0 b6 36 15 cd ad 04 80 68 0f 16 51 5a 7a ce 9d  ..6.....h..QZz..
609	  0f0: 39 23 64 64 32 8a 37 74 3f fc 28 f4 dd b3 24 f4  9#dd2.7t?.(...$.
610	  100: d0 f5 bb dc 27 0c 65 b1 74 9a 6e ff f1 fb aa 09  ....'.e.t.n.....
611	  110: 53 61 75 cc d2 9f b9 e6 05 7b 30 73 20 d3 16 83  Sau......{0s ...
612	  120: 8a 9c 71 f7 0b 5b 59 07 a6 6f 7e a4 9a ad c4 09  ..q..[Y..o~.....

614	A.3.  Developer-Friendly Test Vectors

616	   For the sake of usability, the above test vectors have been
617	   reproduced in a format more readily usable by implementors.

619	   All values below are hex-encoded, as per RFC 4648 [RFC4648].

621	A.3.1.  AEAD_XCHACHA20_POLY1305

623	   Plaintext:

625	     4c616469657320616e642047656e746c656d656e206f662074686520636c6173
626	     73206f66202739393a204966204920636f756c64206f6666657220796f75206f
627	     6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73
628	     637265656e20776f756c642062652069742e

630	   AAD:

632	                         50515253c0c1c2c3c4c5c6c7

634	   Key:

636	     808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f

638	   IV:

640	             404142434445464748494a4b4c4d4e4f5051525354555657

642	   32-bit fixed-common part:

644	                                 00000000

646	   Poly1305 Key:

648	     7b191f80f361f099094f6f4b8fb97df847cc6873a8f2b190dd73807183f907d5

650	   Ciphertext:

652	     bd6d179d3e83d43b9576579493c0e939572a1700252bfaccbed2902c21396cbb
653	     731c7f1b0b4aa6440bf3a82f4eda7e39ae64c6708c54c216cb96b72e1213b452
654	     2f8c9ba40db5d945b11b69b982c1bb9e3f3fac2bc369488f76b2383565d3fff9
655	     21f9664c97637da9768812f615c68b13b52e

657	   Tag:

659	                     c0875924c1c7987947deafd8780acf49

661	A.3.2.  XChaCha20

663	A.3.2.1.  Block Counter = 0

665	   Counter: 0

667	   Plaintext:

669	     5468652064686f6c65202870726f6e6f756e6365642022646f6c652229206973
670	     20616c736f206b6e6f776e2061732074686520417369617469632077696c6420
671	     646f672c2072656420646f672c20616e642077686973746c696e6720646f672e
672	     2049742069732061626f7574207468652073697a65206f662061204765726d61
673	     6e20736865706865726420627574206c6f6f6b73206d6f7265206c696b652061
674	     206c6f6e672d6c656767656420666f782e205468697320686967686c7920656c
675	     757369766520616e6420736b696c6c6564206a756d70657220697320636c6173
676	     736966696564207769746820776f6c7665732c20636f796f7465732c206a6163
677	     6b616c732c20616e6420666f78657320696e20746865207461786f6e6f6d6963
678	     2066616d696c792043616e696461652e

680	   Key:

682	     808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f

684	   IV:

686	             404142434445464748494a4b4c4d4e4f5051525354555658

688	   Keystream:

690	     1131ce9a2a20ae0d67c8935c7789fa1025c9e5bb720fb96f11354fb97af0bd9a
691	     adec0863ba60cac8582c48f86cdfc48edd46a48642c5de62ccf11c7b21bf337d
692	     29624b4b1b140ace53740e405b2168540fd7d630c1f536fecd722fc3cddba7f4
693	     cca98cf9e47e5e64d115450f9b125b54449ff76141ca620a1f9cfcab2a1a8a25
694	     5e766a5266b878846120ea64ad99aa479471e63befcbd37cd1c22a221fe46221
695	     5cf32c74895bf505863ccddd48f62916dc6521f1ec50a5ae08903aa259d9bf60
696	     7cd8026fba548604f1b6072d91bc91243a5b845f7fd171b02edc5a0a84cf28dd
697	     241146bc376e3f48df5e7fee1d11048c190a3d3deb0feb64b42d9c6fdeee290f
698	     a0e6ae2c26c0249ea8c181f7e2ffd100cbe5fd3c4f8271d62b15330cb8fdcf00
699	     b3df507ca8c924f7017b7e712d15a2eb

701	   Ciphertext:

703	     4559abba4e48c16102e8bb2c05e6947f50a786de162f9b0b7e592a9b53d0d4e9
704	     8d8d6410d540a1a6375b26d80dace4fab52384c731acbf16a5923c0c48d3575d
705	     4d0d2c673b666faa731061277701093a6bf7a158a8864292a41c48e3a9b4c0da
706	     ece0f8d98d0d7e05b37a307bbb66333164ec9e1b24ea0d6c3ffddcec4f68e744
707	     3056193a03c810e11344ca06d8ed8a2bfb1e8d48cfa6bc0eb4e2464b74814240
708	     7c9f431aee769960e15ba8b96890466ef2457599852385c661f752ce20f9da0c
709	     09ab6b19df74e76a95967446f8d0fd415e7bee2a12a114c20eb5292ae7a349ae
710	     577820d5520a1f3fb62a17ce6a7e68fa7c79111d8860920bc048ef43fe84486c
711	     cb87c25f0ae045f0cce1e7989a9aa220a28bdd4827e751a24a6d5c62d790a663
712	     93b93111c1a55dd7421a10184974c7c5

714	A.3.2.2.  Block Counter = 1

716	   Counter: 1

718	   Plaintext:

720	     5468652064686f6c65202870726f6e6f756e6365642022646f6c652229206973
721	     20616c736f206b6e6f776e2061732074686520417369617469632077696c6420
722	     646f672c2072656420646f672c20616e642077686973746c696e6720646f672e
723	     2049742069732061626f7574207468652073697a65206f662061204765726d61
724	     6e20736865706865726420627574206c6f6f6b73206d6f7265206c696b652061
725	     206c6f6e672d6c656767656420666f782e205468697320686967686c7920656c
726	     757369766520616e6420736b696c6c6564206a756d70657220697320636c6173
727	     736966696564207769746820776f6c7665732c20636f796f7465732c206a6163
728	     6b616c732c20616e6420666f78657320696e20746865207461786f6e6f6d6963
729	     2066616d696c792043616e696461652e

731	   Key:

733	     808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f

735	   IV:

737	             404142434445464748494a4b4c4d4e4f5051525354555658

739	   Keystream:

741	     29624b4b1b140ace53740e405b2168540fd7d630c1f536fecd722fc3cddba7f4
742	     cca98cf9e47e5e64d115450f9b125b54449ff76141ca620a1f9cfcab2a1a8a25
743	     5e766a5266b878846120ea64ad99aa479471e63befcbd37cd1c22a221fe46221
744	     5cf32c74895bf505863ccddd48f62916dc6521f1ec50a5ae08903aa259d9bf60
745	     7cd8026fba548604f1b6072d91bc91243a5b845f7fd171b02edc5a0a84cf28dd
746	     241146bc376e3f48df5e7fee1d11048c190a3d3deb0feb64b42d9c6fdeee290f
747	     a0e6ae2c26c0249ea8c181f7e2ffd100cbe5fd3c4f8271d62b15330cb8fdcf00
748	     b3df507ca8c924f7017b7e712d15a2eb5c50484451e54e1b4b995bd8fdd94597
749	     bb94d7af0b2c04df10ba0890899ed9293a0f55b8bafa999264035f1d4fbe7fe0
750	     aafa109a62372027e50e10cdfecca127

752	   Ciphertext:

754	     7d0a2e6b7f7c65a236542630294e063b7ab9b555a5d5149aa21e4ae1e4fbce87
755	     ecc8e08a8b5e350abe622b2ffa617b202cfad72032a3037e76ffdcdc4376ee05
756	     3a190d7e46ca1de04144850381b9cb29f051915386b8a710b8ac4d027b8b050f
757	     7cba5854e028d564e453b8a968824173fc16488b8970cac828f11ae53cabd201
758	     12f87107df24ee6183d2274fe4c8b1485534ef2c5fbc1ec24bfc3663efaa08bc
759	     047d29d25043532db8391a8a3d776bf4372a6955827ccb0cdd4af403a7ce4c63
760	     d595c75a43e045f0cce1f29c8b93bd65afc5974922f214a40b7c402cdb91ae73
761	     c0b63615cdad0480680f16515a7ace9d39236464328a37743ffc28f4ddb324f4
762	     d0f5bbdc270c65b1749a6efff1fbaa09536175ccd29fb9e6057b307320d31683
763	     8a9c71f70b5b5907a66f7ea49aadc409

765	Author's Address

767	   Scott Arciszewski
768	   Paragon Initiative Enterprises
769	   United States

771	   Email: security@paragonie.com