idnits 2.17.1 

draft-nir-cfrg-chacha20-poly1305-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 224 has weird spacing: '...db886dc  c9a62...'

  == Line 274 has weird spacing: '...ccccccc  ccccc...'

  == Line 275 has weird spacing: '...kkkkkkk  kkkkk...'

  == Line 276 has weird spacing: '...kkkkkkk  kkkkk...'

  == Line 277 has weird spacing: '...bbbbbbb  nnnnn...'

  == (6 more instances...)

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document date (May 7, 2014) is 3642 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '3' on line 497

  -- Looks like a reference, but probably isn't: '7' on line 498

  -- Looks like a reference, but probably isn't: '11' on line 499

  -- Looks like a reference, but probably isn't: '15' on line 500

  -- Looks like a reference, but probably isn't: '4' on line 501

  -- Looks like a reference, but probably isn't: '8' on line 502

  -- Looks like a reference, but probably isn't: '12' on line 503

  -- Looks like a reference, but probably isn't: '16' on line 495

  -- Obsolete informational reference (is this intentional?): RFC 5996
     (Obsoleted by RFC 7296)


     Summary: 0 errors (**), 0 flaws (~~), 8 warnings (==), 11 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                             Y. Nir
3	Internet-Draft                                               Check Point
4	Intended status: Informational                                A. Langley
5	Expires: November 8, 2014                                     Google Inc
6	                                                             May 7, 2014

8	                ChaCha20 and Poly1305 for IETF protocols
9	                  draft-nir-cfrg-chacha20-poly1305-03

11	Abstract

13	   This document defines the ChaCha20 stream cipher, as well as the use
14	   of the Poly1305 authenticator, both as stand-alone algorithms, and as
15	   a "combined mode", or Authenticated Encryption with Additional Data
16	   (AEAD) algorithm.

18	   This document does not introduce any new crypto, but is meant to
19	   serve as a stable reference and an implementation guide.

21	Status of this Memo

23	   This Internet-Draft is submitted in full conformance with the
24	   provisions of BCP 78 and BCP 79.

26	   Internet-Drafts are working documents of the Internet Engineering
27	   Task Force (IETF).  Note that other groups may also distribute
28	   working documents as Internet-Drafts.  The list of current Internet-
29	   Drafts is at http://datatracker.ietf.org/drafts/current/.

31	   Internet-Drafts are draft documents valid for a maximum of six months
32	   and may be updated, replaced, or obsoleted by other documents at any
33	   time.  It is inappropriate to use Internet-Drafts as reference
34	   material or to cite them other than as "work in progress."

36	   This Internet-Draft will expire on November 8, 2014.

38	Copyright Notice

40	   Copyright (c) 2014 IETF Trust and the persons identified as the
41	   document authors.  All rights reserved.

43	   This document is subject to BCP 78 and the IETF Trust's Legal
44	   Provisions Relating to IETF Documents
45	   (http://trustee.ietf.org/license-info) in effect on the date of
46	   publication of this document.  Please review these documents
47	   carefully, as they describe your rights and restrictions with respect
48	   to this document.

50	Table of Contents

52	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
53	     1.1.  Conventions Used in This Document  . . . . . . . . . . . .  3
54	   2.  The Algorithms . . . . . . . . . . . . . . . . . . . . . . . .  4
55	     2.1.  The ChaCha Quarter Round . . . . . . . . . . . . . . . . .  4
56	       2.1.1.  Test Vector for the ChaCha Quarter Round . . . . . . .  4
57	     2.2.  A Quarter Round on the ChaCha State  . . . . . . . . . . .  5
58	       2.2.1.  Test Vector for the Quarter Round on the ChaCha
59	               state  . . . . . . . . . . . . . . . . . . . . . . . .  5
60	     2.3.  The ChaCha20 block Function  . . . . . . . . . . . . . . .  6
61	       2.3.1.  Test Vector for the ChaCha20 Block Function  . . . . .  7
62	     2.4.  The ChaCha20 encryption algorithm  . . . . . . . . . . . .  8
63	       2.4.1.  Example and Test Vector for the ChaCha20 Cipher  . . .  9
64	     2.5.  The Poly1305 algorithm . . . . . . . . . . . . . . . . . . 11
65	       2.5.1.  Poly1305 Example and Test Vector . . . . . . . . . . . 12
66	     2.6.  Generating the Poly1305 key using ChaCha20 . . . . . . . . 14
67	       2.6.1.  Poly1305 Key Generation Test Vector  . . . . . . . . . 14
68	     2.7.  A Pseudo-Random Function for ChaCha/Poly-1305 based
69	           Crypto Suites  . . . . . . . . . . . . . . . . . . . . . . 15
70	     2.8.  AEAD Construction  . . . . . . . . . . . . . . . . . . . . 16
71	       2.8.1.  Example and Test Vector for AEAD_CHACHA20-POLY1305 . . 17
72	   3.  Implementation Advice  . . . . . . . . . . . . . . . . . . . . 19
73	   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 19
74	   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 20
75	   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 21
76	   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
77	     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 21
78	     7.2.  Informative References . . . . . . . . . . . . . . . . . . 21
79	   Appendix A.  Additional Test Vectors . . . . . . . . . . . . . . . 22
80	     A.1.  The ChaCha20 Block Functions . . . . . . . . . . . . . . . 22
81	     A.2.  ChaCha20 Encryption  . . . . . . . . . . . . . . . . . . . 25
82	     A.3.  Poly1305 Message Authentication Code . . . . . . . . . . . 28
83	     A.4.  Poly1305 Key Generation Using ChaCha20 . . . . . . . . . . 32
84	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33

86	1.  Introduction

88	   The Advanced Encryption Standard (AES - [FIPS-197]) has become the
89	   gold standard in encryption.  Its efficient design, wide
90	   implementation, and hardware support allow for high performance in
91	   many areas.  On most modern platforms, AES is anywhere from 4x to 10x
92	   as fast as the previous most-used cipher, 3-key Data Encryption
93	   Standard (3DES - [FIPS-46]), which makes it not only the best choice,
94	   but the only practical choice.

96	   The problem is that if future advances in cryptanalysis reveal a
97	   weakness in AES, users will be in an unenviable position.  With the
98	   only other widely supported cipher being the much slower 3DES, it is
99	   not feasible to re-configure implementations to use 3DES.
100	   [standby-cipher] describes this issue and the need for a standby
101	   cipher in greater detail.

103	   This document defines such a standby cipher.  We use ChaCha20
104	   ([chacha]) with or without the Poly1305 ([poly1305]) authenticator.
105	   These algorithms are not just fast and secure.  They are fast even in
106	   software-only C-language implementations, allowing for much quicker
107	   deployment when compared with algorithms such as AES that are
108	   significantly accelerated by hardware implementations.

110	   These document does not introduce these new algorithms.  They have
111	   been defined in scientific papers by D. J. Bernstein, which are
112	   referenced by this document.  The purpose of this document is to
113	   serve as a stable reference for IETF documents making use of these
114	   algorithms.

116	1.1.  Conventions Used in This Document

118	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
119	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
120	   document are to be interpreted as described in [RFC2119].

122	   The description of the ChaCha algorithm will at various time refer to
123	   the ChaCha state as a "vector" or as a "matrix".  This follows the
124	   use of these terms in DJB's paper.  The matrix notation is more
125	   visually convenient, and gives a better notion as to why some rounds
126	   are called "column rounds" while others are called "diagonal rounds".
127	   Here's a diagram of how to martices relate to vectors (using the C
128	   language convention of zero being the index origin).

130	      0   1   2   3
131	      4   5   6   7
132	      8   9  10  11
133	     12  13  14  15

135	   The elements in this vector or matrix are 32-bit unsigned integers.

137	   The algorithm name is "ChaCha".  "ChaCha20" is a specific instance
138	   where 20 "rounds" (or 80 quarter rounds - see Section 2.1) are used.
139	   Other variations are defined, with 8 or 12 rounds, but in this
140	   document we only describe the 20-round ChaCha, so the names "ChaCha"
141	   and "ChaCha20" will be used interchangeably.

143	2.  The Algorithms

145	   The subsections below describe the algorithms used and the AEAD
146	   construction.

148	2.1.  The ChaCha Quarter Round

150	   The basic operation of the ChaCha algorithm is the quarter round.  It
151	   operates on four 32-bit unsigned integers, denoted a, b, c, and d.
152	   The operation is as follows (in C-like notation):
153	   o  a += b; d ^= a; d <<<= 16;
154	   o  c += d; b ^= c; b <<<= 12;
155	   o  a += b; d ^= a; d <<<= 8;
156	   o  c += d; b ^= c; b <<<= 7;
157	   Where "+" denotes integer addition without carry, "^" denotes a
158	   bitwise XOR, and "<<< n" denotes an n-bit left rotation (towards the
159	   high bits).

161	   For example, let's see the add, XOR and roll operations from the
162	   first line with sample numbers:
163	   o  b = 0x01020304
164	   o  a = 0x11111111
165	   o  d = 0x01234567
166	   o  a = a + b = 0x11111111 + 0x01020304 = 0x12131415
167	   o  d = d ^ a = 0x01234567 ^ 0x12131415 = 0x13305172
168	   o  d = d<<<16 = 0x51721330

170	2.1.1.  Test Vector for the ChaCha Quarter Round

172	   For a test vector, we will use the same numbers as in the example,
173	   adding something random for c.
174	   o  a = 0x11111111
175	   o  b = 0x01020304
176	   o  c = 0x9b8d6f43
177	   o  d = 0x01234567

179	   After running a Quarter Round on these 4 numbers, we get these:

181	   o  a = 0xea2a92f4
182	   o  b = 0xcb1cf8ce
183	   o  c = 0x4581472e
184	   o  d = 0x5881c4bb

186	2.2.  A Quarter Round on the ChaCha State

188	   The ChaCha state does not have 4 integer numbers, but 16.  So the
189	   quarter round operation works on only 4 of them - hence the name.
190	   Each quarter round operates on 4 pre-determined numbers in the ChaCha
191	   state.  We will denote by QUATERROUND(x,y,z,w) a quarter-round
192	   operation on the numbers at indexes x, y, z, and w of the ChaCha
193	   state when viewed as a vector.  For example, if we apply
194	   QUARTERROUND(1,5,9,13) to a state, this means running the quarter
195	   round operation on the elements marked with an asterisk, while
196	   leaving the others alone:

198	      0  *a   2   3
199	      4  *b   6   7
200	      8  *c  10  11
201	     12  *d  14  15

203	   Note that this run of quarter round is part of what is called a
204	   "column round".

206	2.2.1.  Test Vector for the Quarter Round on the ChaCha state

208	   For a test vector, we will use a ChaCha state that was generated
209	   randomly:

211	   Sample ChaCha State

213	       879531e0  c5ecf37d  516461b1  c9a62f8a
214	       44c20ef3  3390af7f  d9fc690b  2a5f714c
215	       53372767  b00a5631  974c541a  359e9963
216	       5c971061  3d631689  2098d9d6  91dbd320

218	   We will apply the QUARTERROUND(2,7,8,13) operation to this state.
219	   For obvious reasons, this one is part of what is called a "diagonal
220	   round":

222	   After applying QUARTERROUND(2,7,8,13)

224	       879531e0  c5ecf37d  bdb886dc  c9a62f8a
225	       44c20ef3  3390af7f  d9fc690b  cfacafd2
226	       e46bea80  b00a5631  974c541a  359e9963
227	       5c971061  ccc07c79  2098d9d6  91dbd320

229	   Note that only the numbers in positions 2, 7, 8, and 13 changed.

231	2.3.  The ChaCha20 block Function

233	   The ChaCha block function transforms a ChaCha state by running
234	   multiple quarter rounds.

236	   The inputs to ChaCha20 are:
237	   o  A 256-bit key, treated as a concatenation of 8 32-bit little-
238	      endian integers.
239	   o  A 96-bit nonce, treated as a concatenation of 3 32-bit little-
240	      endian integers.
241	   o  A 32-bit block count parameter, treated as a 32-bit little-endian
242	      integer.

244	   The output is 64 random-looking bytes.

246	   The ChaCha algorithm described here uses a 256-bit key.  The original
247	   algorithm also specified 128-bit keys and 8- and 12-round variants,
248	   but these are out of scope for this document.  In this section we
249	   describe the ChaCha block function.

251	   Note also that the original ChaCha had a 64-bit nonce and 64-bit
252	   block count.  We have modified this here to be more consistent with
253	   recommendations in section 3.2 of [RFC5116].  This limits the use of
254	   a single (key,nonce) combination to 2^32 blocks, or 256 GB, but that
255	   is enough for most uses.  In cases where a single key is used by
256	   multiple senders, it is important to make sure that they don't use
257	   the same nonces.  This can be assured by partitioning the nonce space
258	   so that the first 32 bits are unique per sender, while the other 64
259	   bits come from a counter.

261	   The ChaCha20 state is initialized as follows:
262	   o  The first 4 words (0-3) are constants: 0x61707865, 0x3320646e,
263	      0x79622d32, 0x6b206574.
264	   o  The next 8 words (4-11) are taken from the 256-bit key by reading
265	      the bytes in little-endian order, in 4-byte chunks.
266	   o  Word 12 is a block counter.  Since each block is 64-byte, a 32-bit
267	      word is enough for 256 Gigabytes of data.

269	   o  Words 13-15 are a nonce, which should not be repeated for the same
270	      key.  The 13th word is the first 32 bits of the input nonce taken
271	      as a little-endian integer, while the 15th word is the last 32
272	      bits.

274	       cccccccc  cccccccc  cccccccc  cccccccc
275	       kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
276	       kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
277	       bbbbbbbb  nnnnnnnn  nnnnnnnn  nnnnnnnn

279	   c=constant k=key b=blockcount n=nonce

281	   ChaCha20 runs 20 rounds, alternating between "column" and "diagonal"
282	   rounds.  Each round is 4 quarter-rounds, and they are run as follows.
283	   Rounds 1-4 are part of the "column" round, while 5-8 are part of the
284	   "diagonal" round:
285	   1.  QUARTERROUND ( 0, 4, 8,12)
286	   2.  QUARTERROUND ( 1, 5, 9,13)
287	   3.  QUARTERROUND ( 2, 6,10,14)
288	   4.  QUARTERROUND ( 3, 7,11,15)
289	   5.  QUARTERROUND ( 0, 5,10,15)
290	   6.  QUARTERROUND ( 1, 6,11,12)
291	   7.  QUARTERROUND ( 2, 7, 8,13)
292	   8.  QUARTERROUND ( 3, 4, 9,14)

294	   At the end of 20 rounds, the original input words are added to the
295	   output words, and the result is serialized by sequencing the words
296	   one-by-one in little-endian order.

298	2.3.1.  Test Vector for the ChaCha20 Block Function

300	   For a test vector, we will use the following inputs to the ChaCha20
301	   block function:
302	   o  Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:
303	      14:15:16:17:18:19:1a:1b:1c:1d:1e:1f.  The key is a sequence of
304	      octets with no particular structure before we copy it into the
305	      ChaCha state.
306	   o  Nonce = (00:00:00:09:00:00:00:4a:00:00:00:00)
307	   o  Block Count = 1.

309	   After setting up the ChaCha state, it looks like this:

311	   ChaCha State with the key set up.

313	       61707865  3320646e  79622d32  6b206574
314	       03020100  07060504  0b0a0908  0f0e0d0c
315	       13121110  17161514  1b1a1918  1f1e1d1c
316	       00000001  09000000  4a000000  00000000

318	   After running 20 rounds (10 column rounds interleaved with 10
319	   diagonal rounds), the ChaCha state looks like this:

321	   ChaCha State after 20 rounds

323	       837778ab  e238d763  a67ae21e  5950bb2f
324	       c4f2d0c7  fc62bb2f  8fa018fc  3f5ec7b7
325	       335271c2  f29489f3  eabda8fc  82e46ebd
326	       d19c12b4  b04e16de  9e83d0cb  4e3c50a2

328	   Finally we add the original state to the result (simple vector or
329	   matrix addition), giving this:

331	   ChaCha State at the end of the ChaCha20 operation

333	       e4e7f110  15593bd1  1fdd0f50  c47120a3
334	       c7f4d1c7  0368c033  9aaa2204  4e6cd4c3
335	       466482d2  09aa9f07  05d7c214  a2028bd9
336	       d19c12b5  b94e16de  e883d0cb  4e3c50a2

338	   After we serialize the state, we get this:

340	  Serialized Block:
341	  000  10 f1 e7 e4 d1 3b 59 15 50 0f dd 1f a3 20 71 c4  .....;Y.P.... q.
342	  016  c7 d1 f4 c7 33 c0 68 03 04 22 aa 9a c3 d4 6c 4e  ....3.h.."....lN
343	  032  d2 82 64 46 07 9f aa 09 14 c2 d7 05 d9 8b 02 a2  ..dF............
344	  048  b5 12 9c d1 de 16 4e b9 cb d0 83 e8 a2 50 3c 4e  ......N......P<N

346	2.4.  The ChaCha20 encryption algorithm

348	   ChaCha20 is a stream cipher designed by D. J. Bernstein.  It is a
349	   refinement of the Salsa20 algorithm, and uses a 256-bit key.

351	   ChaCha20 successively calls the ChaCha20 block function, with the
352	   same key and nonce, and with successively increasing block counter
353	   parameters.  The resulting state is then serialized by writing the
354	   numbers in little-endian order, creating a key-stream block.
355	   Concatenating the key-stream blocks from the successive blocks forms
356	   a key stream, which is then XOR-ed with the plaintext.
357	   Alternatively, each key-stream block can be XOR-ed with a plaintext
358	   block before proceeding to create the next block, saving some memory.
359	   There is no requirement for the plaintext to be an integral multiple
360	   of 512-bits.  If there is extra keystream from the last block, it is
361	   discarded.  Specific protocols MAY require that the plaintext and
362	   ciphertext have certain length.  Such protocols need to specify how
363	   the plaintext is padded, and how much padding it receives.

365	   The inputs to ChaCha20 are:

367	   o  A 256-bit key
368	   o  A 32-bit initial counter.  This can be set to any number, but will
369	      usually be zero or one.  It makes sense to use 1 if we use the
370	      zero block for something else, such as generating a one-time
371	      authenticator key as part of an AEAD algorithm.
372	   o  A 96-bit nonce.  In some protocols, this is known as the
373	      Initialization Vector.
374	   o  an arbitrary-length plaintext

376	   The output is an encrypted message of the same length.

378	   Decryption is done in the same way.  The ChaCha20 block function is
379	   used to expand the key into a key stream, which is XOR-ed with the
380	   ciphertext giving back the plaintext.

382	2.4.1.  Example and Test Vector for the ChaCha20 Cipher

384	   For a test vector, we will use the following inputs to the ChaCha20
385	   block function:
386	   o  Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:
387	      14:15:16:17:18:19:1a:1b:1c:1d:1e:1f.
388	   o  Nonce = (00:00:00:00:00:00:00:4a:00:00:00:00).
389	   o  Initial Counter = 1.

391	   We use the following for the plaintext.  It was chosen to be long
392	   enough to require more than one block, but not so long that it would
393	   make this example cumbersome (so, less than 3 blocks):

395	   Plaintext Sunscreen:
396	   000  4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c|Ladies and Gentl
397	   016  65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73|emen of the clas
398	   032  73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63|s of '99: If I c
399	   048  6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f|ould offer you o
400	   064  6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20|nly one tip for
401	   080  74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73|the future, suns
402	   096  63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69|creen would be i
403	   112  74 2e                                          |t.

405	   The following figure shows 4 ChaCha state matrices:
406	   1.  First block as it is set up.
407	   2.  Second block as it is set up.  Note that these blocks are only
408	       two bits apart - only the counter in position 12 is different.
409	   3.  Third block is the first block after the ChaCha20 block
410	       operation.
411	   4.  Final block is the second block after the ChaCha20 block
412	       operation was applied.
413	   After that, we show the keystream.

415	   First block setup:
416	       61707865  3320646e  79622d32  6b206574
417	       03020100  07060504  0b0a0908  0f0e0d0c
418	       13121110  17161514  1b1a1918  1f1e1d1c
419	       00000001  00000000  4a000000  00000000

421	   Second block setup:
422	       61707865  3320646e  79622d32  6b206574
423	       03020100  07060504  0b0a0908  0f0e0d0c
424	       13121110  17161514  1b1a1918  1f1e1d1c
425	       00000002  00000000  4a000000  00000000

427	   First block after block operation:
428	       f3514f22  e1d91b40  6f27de2f  ed1d63b8
429	       821f138c  e2062c3d  ecca4f7e  78cff39e
430	       a30a3b8a  920a6072  cd7479b5  34932bed
431	       40ba4c79  cd343ec6  4c2c21ea  b7417df0

433	   Second block after block operation:
434	       9f74a669  410f633f  28feca22  7ec44dec
435	       6d34d426  738cb970  3ac5e9f3  45590cc4
436	       da6e8b39  892c831a  cdea67c1  2b7e1d90
437	       037463f3  a11a2073  e8bcfb88  edc49139

439	   Keystream:
440	   22:4f:51:f3:40:1b:d9:e1:2f:de:27:6f:b8:63:1d:ed:8c:13:1f:82:3d:2c:06
441	   e2:7e:4f:ca:ec:9e:f3:cf:78:8a:3b:0a:a3:72:60:0a:92:b5:79:74:cd:ed:2b
442	   93:34:79:4c:ba:40:c6:3e:34:cd:ea:21:2c:4c:f0:7d:41:b7:69:a6:74:9f:3f
443	   63:0f:41:22:ca:fe:28:ec:4d:c4:7e:26:d4:34:6d:70:b9:8c:73:f3:e9:c5:3a
444	   c4:0c:59:45:39:8b:6e:da:1a:83:2c:89:c1:67:ea:cd:90:1d:7e:2b:f3:63

446	   Finally, we XOR the Keystream with the plaintext, yielding the
447	   Ciphertext:

449	   Ciphertext Sunscreen:
450	   000  6e 2e 35 9a 25 68 f9 80 41 ba 07 28 dd 0d 69 81|n.5.%h..A..(..i.
451	   016  e9 7e 7a ec 1d 43 60 c2 0a 27 af cc fd 9f ae 0b|.~z..C`..'......
452	   032  f9 1b 65 c5 52 47 33 ab 8f 59 3d ab cd 62 b3 57|..e.RG3..Y=..b.W
453	   048  16 39 d6 24 e6 51 52 ab 8f 53 0c 35 9f 08 61 d8|.9.$.QR..S.5..a.
454	   064  07 ca 0d bf 50 0d 6a 61 56 a3 8e 08 8a 22 b6 5e|....P.jaV....".^
455	   080  52 bc 51 4d 16 cc f8 06 81 8c e9 1a b7 79 37 36|R.QM.........y76
456	   096  5a f9 0b bf 74 a3 5b e6 b4 0b 8e ed f2 78 5e 42|Z...t.[......x^B
457	   112  87 4d                                          |.M

459	2.5.  The Poly1305 algorithm

461	   Poly1305 is a one-time authenticator designed by D. J. Bernstein.
462	   Poly1305 takes a 32-byte one-time key and a message and produces a
463	   16-byte tag.

465	   The original article ([poly1305]) is entitled "The Poly1305-AES
466	   message-authentication code", and the MAC function there requires a
467	   128-bit AES key, a 128-bit "additional key", and a 128-bit (non-
468	   secret) nonce.  AES is used there for encrypting the nonce, so as to
469	   get a unique (and secret) 128-bit string, but as the paper states,
470	   "There is nothing special about AES here.  One can replace AES with
471	   an arbitrary keyed function from an arbitrary set of nonces to 16-
472	   byte strings.".

474	   Regardless of how the key is generated, the key is partitioned into
475	   two parts, called "r" and "s".  The pair (r,s) should be unique, and
476	   MUST be unpredictable for each invocation (that is why it was
477	   originally obtained by encrypting a nonce), while "r" MAY be
478	   constant, but needs to be modified as follows before being used: ("r"
479	   is treated as a 16-octet little-endian number):
480	   o  r[3], r[7], r[11], and r[15] are required to have their top four
481	      bits clear (be smaller than 16)
482	   o  r[4], r[8], and r[12] are required to have their bottom two bits
483	      clear (be divisible by 4)

485	   The following sample code clamps "r" to be appropriate:

487	   /*
488	   Adapted from poly1305aes_test_clamp.c version 20050207
489	   D. J. Bernstein
490	   Public domain.
491	   */

493	   #include "poly1305aes_test.h"

495	   void poly1305aes_test_clamp(unsigned char r[16])
496	   {
497	     r[3] &= 15;
498	     r[7] &= 15;
499	     r[11] &= 15;
500	     r[15] &= 15;
501	     r[4] &= 252;
502	     r[8] &= 252;
503	     r[12] &= 252;
504	   }

506	   The "s" should be unpredictable, but it is perfectly acceptable to
507	   generate both "r" and "s" uniquely each time.  Because each of them
508	   is 128-bit, pseudo-randomly generating them (see Section 2.6) is also
509	   acceptable.

511	   The inputs to Poly1305 are:
512	   o  A 256-bit one-time key
513	   o  An arbitrary length message

515	   The output is a 128-bit tag.

517	   First, the "r" value should be clamped.

519	   Next, set the constant prime "P" be 2^130-5:
520	   3fffffffffffffffffffffffffffffffb.  Also set a variable "accumulator"
521	   to zero.

523	   Next, divide the message into 16-byte blocks.  The last one might be
524	   shorter:
525	   o  Read the block as a little-endian number.
526	   o  Add one bit beyond the number of octets.  For a 16-byte block this
527	      is equivalent to adding 2^128 to the number.  For the shorter
528	      block it can be 2^120, 2^112, or any power of two that is evenly
529	      divisible by 8, all the way down to 2^8.
530	   o  If the block is not 17 bytes long (the last block), pad it with
531	      zeros.  This is meaningless if you're treating it them as numbers.
532	   o  Add this number to the accumulator.
533	   o  Multiply by "r"
534	   o  Set the accumulator to the result modulo p.  To summarize: Acc =
535	      ((Acc+block)*r) % p.

537	   Finally, the value of the secret key "s" is added to the accumulator,
538	   and the 128 least significant bits are serialized in little-endian
539	   order to form the tag.

541	2.5.1.  Poly1305 Example and Test Vector

543	   For our example, we will dispense with generating the one-time key
544	   using AES, and assume that we got the following keying material:
545	   o  Key Material: 85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8:01:
546	      03:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49:f5:1b
547	   o  s as an octet string: 01:03:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49:
548	      f5:1b
549	   o  s as a 128-bit number: 1bf54941aff6bf4afdb20dfb8a800301
550	   o  r before clamping: 85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8
551	   o  Clamped r as a number: 806d5400e52447c036d555408bed685.

553	   For our message, we'll use a short text:

555	   Message to be Authenticated:
556	   000  43 72 79 70 74 6f 67 72 61 70 68 69 63 20 46 6f|Cryptographic Fo
557	   016  72 75 6d 20 52 65 73 65 61 72 63 68 20 47 72 6f|rum Research Gro
558	   032  75 70                                          |up

560	   Since Poly1305 works in 16-byte chunks, the 34-byte message divides
561	   into 3 blocks.  In the following calculation, "Acc" denotes the
562	   accumulator and "Block" the current block:

564	   Block #1

566	   Acc = 00
567	   Block = 6f4620636968706172676f7470797243
568	   Block with 0x01 byte = 016f4620636968706172676f7470797243
569	   Acc + block = 016f4620636968706172676f7470797243
570	   (Acc+Block) * r =
571	        b83fe991ca66800489155dcd69e8426ba2779453994ac90ed284034da565ecf
572	   Acc = ((Acc+Block)*r) % P = 2c88c77849d64ae9147ddeb88e69c83fc

574	   Block #2

576	   Acc = 2c88c77849d64ae9147ddeb88e69c83fc
577	   Block = 6f7247206863726165736552206d7572
578	   Block with 0x01 byte = 016f7247206863726165736552206d7572
579	   Acc + block = 437febea505c820f2ad5150db0709f96e
580	   (Acc+Block) * r =
581	        21dcc992d0c659ba4036f65bb7f88562ae59b32c2b3b8f7efc8b00f78e548a26
582	   Acc = ((Acc+Block)*r) % P = 2d8adaf23b0337fa7cccfb4ea344b30de

584	   Last Block

586	   Acc = 2d8adaf23b0337fa7cccfb4ea344b30de
587	   Block = 7075
588	   Block with 0x01 byte = 017075
589	   Acc + block = 2d8adaf23b0337fa7cccfb4ea344ca153
590	   (Acc + Block) * r =
591	        16d8e08a0f3fe1de4fe4a15486aca7a270a29f1e6c849221e4a6798b8e45321f
592	   ((Acc + Block) * r) % P = 28d31b7caff946c77c8844335369d03a7

594	   Adding s we get this number, and serialize if to get the tag:

596	   Acc + s = 2a927010caf8b2bc2c6365130c11d06a8

598	   Tag: a8:06:1d:c1:30:51:36:c6:c2:2b:8b:af:0c:01:27:a9

600	2.6.  Generating the Poly1305 key using ChaCha20

602	   As said in Section 2.5, it is acceptable to generate the one-time
603	   Poly1305 pseudo-randomly.  This section proposes such a method.

605	   To generate such a key pair (r,s), we will use the ChaCha20 block
606	   function described in Section 2.3.  This assumes that we have a 256-
607	   bit session key for the MAC function, such as SK_ai and SK_ar in
608	   IKEv2 ([RFC5996]), the integrity key in ESP and AH, or the
609	   client_write_MAC_key and server_write_MAC_key in TLS.  Any document
610	   that specifies the use of Poly1305 as a MAC algorithm for some
611	   protocol must specify that 256 bits are allocated for the integrity
612	   key.

614	   The method is to call the block function with the following
615	   parameters:
616	   o  The 256-bit session integrity key is used as the ChaCha20 key.
617	   o  The block counter is set to zero.
618	   o  The protocol will specify a 96-bit or 64-bit nonce.  This MUST be
619	      unique per invocation with the same key, so it MUST NOT be
620	      randomly generated.  A counter is a good way to implement this,
621	      but other methods, such as an LFSR are also acceptable.  ChaCha20
622	      as specified here requires a 96-bit nonce.  So if the provided
623	      nonce is only 64-bit, then the first 32 bits of the nonce will be
624	      set to a constant number.  This will usually be zero, but for
625	      protocols with multiple sender, it may be different for each
626	      sender, but should be the same for all invocations of the function
627	      with the same key by a particular sender.

629	   After running the block function, we have a 512-bit state.  We take
630	   the first 256 bits or the serialized state, and use those as the one-
631	   time Poly1305 key: The first 128 bits are clamped, and form "r",
632	   while the next 128 bits become "s".  The other 256 bits are
633	   discarded.

635	   Note that while many protocols have provisions for a nonce for
636	   encryption algorithms (often called Initialization Vectors, or IVs),
637	   they usually don't have such a provision for the MAC function.  In
638	   that case the per-invocation nonce will have to come from somewhere
639	   else, such as a message counter.

641	2.6.1.  Poly1305 Key Generation Test Vector

643	   For this example, we'll set:

645	  Key:
646	  000  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f  ................
647	  016  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f  ................

649	   Nonce:
650	   000  00 00 00 00 00 01 02 03 04 05 06 07              ............

652	   The ChaCha state set up with key, nonce, and block counter zero:
653	         61707865  3320646e  79622d32  6b206574
654	         83828180  87868584  8b8a8988  8f8e8d8c
655	         93929190  97969594  9b9a9998  9f9e9d9c
656	         00000000  00000000  03020100  07060504

658	   The ChaCha state after 20 rounds:
659	         8ba0d58a  cc815f90  27405081  7194b24a
660	         37b633a8  a50dfde3  e2b8db08  46a6d1fd
661	         7da03782  9183a233  148ad271  b46773d1
662	         3cc1875a  8607def1  ca5c3086  7085eb87

664	  Output bytes:
665	  000  8a d5 a0 8b 90 5f 81 cc 81 50 40 27 4a b2 94 71  ....._...P@'J..q
666	  016  a8 33 b6 37 e3 fd 0d a5 08 db b8 e2 fd d1 a6 46  .3.7...........F

668	   And that output is also the 32-byte one-time key used for Poly1305.

670	2.7.  A Pseudo-Random Function for ChaCha/Poly-1305 based Crypto Suites

672	   Some protocols such as IKEv2([RFC5996]) require a Pseudo-Random
673	   Function (PRF), mostly for key derivation.  In the IKEv2 definition,
674	   a PRF is a function that accepts a variable-length key and a
675	   variable-length input, and returns a fixed-length output.  This
676	   section does not specify such a function.

678	   Poly-1305 is an obvious choice, because MAC functions are often used
679	   as PRFs.  However, Poly-1305 prohibits using the same key twice,
680	   whereas the PRF in IKEv2 is used multiple times with the same key.
681	   This issue can be solved by adding a nonce or a counter to Poly-1305,
682	   much as we do when using this function as a MAC, but that would
683	   require changing the interface for the PRF function.

685	   Chacha20 could be used as a key-derivation function, by generating an
686	   arbitrarily long keystream.  However, that is not what protocols such
687	   as IKEv2 require.

689	   For this reason, this document does not specify a PRF, and recommends
690	   that crypto suites use some other PRF such as PRF_HMAC_SHA2_256
691	   (section 2.1.2 of [RFC4868])

693	2.8.  AEAD Construction

695	   Note: Much of the content of this document, including this AEAD
696	   construction is taken from Adam Langley's draft ([agl-draft]) for the
697	   use of these algorithms in TLS.  The AEAD construction described here
698	   is called AEAD_CHACHA20-POLY1305.

700	   AEAD_CHACHA20-POLY1305 is an authenticated encryption with additional
701	   data algorithm.  The inputs to AEAD_CHACHA20-POLY1305 are:
702	   o  A 256-bit key
703	   o  A 96-bit nonce - different for each invocation with the same key.
704	   o  An arbitrary length plaintext
705	   o  Arbitrary length additional data

707	   The ChaCha20 and Poly1305 primitives are combined into an AEAD that
708	   takes a 256-bit key and 64-bit IV as follows:
709	   o  First the 96-bit nonce is constructed by prepending a 32-bit
710	      constant value to the IV.  This could be set to zero, or could be
711	      derived from keying material, or could be assigned to a sender.
712	      It is up to the specific protocol to define the source for that
713	      32-bit value.
714	   o  Next, a Poly1305 one-time key is generated from the 256-bit key
715	      and nonce using the procedure described in Section 2.6.
716	   o  The ChaCha20 encryption function is called to encrypt the
717	      plaintext, using the same key and nonce, and with the initial
718	      counter set to 1.
719	   o  The Poly1305 function is called with the Poly1305 key calculated
720	      above, and a message constructed as a concatenation of the
721	      following:
722	      *  The additional data
723	      *  The length of the additional data in octets (as a 64-bit
724	         little-endian integer).  TBD: bit count rather than octets?
725	         network order?
726	      *  The ciphertext
727	      *  The length of the ciphertext in octets (as a 64-bit little-
728	         endian integer).  TBD: bit count rather than octets? network
729	         order?

731	   Decryption is pretty much the same thing.

733	   The output from the AEAD is twofold:
734	   o  A ciphertext of the same length as the plaintext.
735	   o  A 128-bit tag, which is the output of the Poly1305 function.

737	   A few notes about this design:
738	   1.  The amount of encrypted data possible in a single invocation is
739	       2^32-1 blocks of 64 bytes each, for a total of 247,877,906,880
740	       bytes, or nearly 256 GB.  This should be enough for traffic
741	       protocols such as IPsec and TLS, but may be too small for file
742	       and/or disk encryption.  For such uses, we can return to the
743	       original design, reduce the nonce to 64 bits, and use the integer
744	       at position 13 as the top 32 bits of a 64-bit block counter,
745	       increasing the total message size to over a million petabytes
746	       (1,180,591,620,717,411,303,360 bytes to be exact).
747	   2.  Despite the previous item, the ciphertext length field in the
748	       construction of the buffer on which Poly1305 runs limits the
749	       ciphertext (and hence, the plaintext) size to 2^64 bytes, or
750	       sixteen thousand petabytes (18,446,744,073,709,551,616 bytes to
751	       be exact).

753	2.8.1.  Example and Test Vector for AEAD_CHACHA20-POLY1305

755	   For a test vector, we will use the following inputs to the
756	   AEAD_CHACHA20-POLY1305 function:

758	   Plaintext:
759	   000  4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c|Ladies and Gentl
760	   016  65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73|emen of the clas
761	   032  73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63|s of '99: If I c
762	   048  6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f|ould offer you o
763	   064  6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20|nly one tip for
764	   080  74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73|the future, suns
765	   096  63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69|creen would be i
766	   112  74 2e                                          |t.

768	   AAD:
769	   000  50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7              PQRS........

771	   Key:
772	   000  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f|................
773	   016  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f|................

775	   IV:
776	   000  40 41 42 43 44 45 46 47                          @ABCDEFG

778	   32-bit fixed-common part:
779	   000  07 00 00 00                                      ....

781	   Set up for generating poly1305 one-time key (sender id=7):
782	       61707865  3320646e  79622d32  6b206574
783	       83828180  87868584  8b8a8988  8f8e8d8c
784	       93929190  97969594  9b9a9998  9f9e9d9c
785	       00000000  00000007  43424140  47464544

787	   After generating Poly1305 one-time key:
788	       252bac7b  af47b42d  557ab609  8455e9a4
789	       73d6e10a  ebd97510  7875932a  ff53d53e
790	       decc7ea2  b44ddbad  e49c17d1  d8430bc9
791	       8c94b7bc  8b7d4b4b  3927f67d  1669a432

793	   Poly1305 Key:
794	   000  7b ac 2b 25 2d b4 47 af 09 b6 7a 55 a4 e9 55 84|{.+%-.G...zU..U.
795	   016  0a e1 d6 73 10 75 d9 eb 2a 93 75 78 3e d5 53 ff|...s.u..*.ux>.S.

797	   Poly1305 r =  455e9a4057ab6080f47b42c052bac7b
798	   Poly1305 s = ff53d53e7875932aebd9751073d6e10a

800	   Keystream bytes:
801	   9f:7b:e9:5d:01:fd:40:ba:15:e2:8f:fb:36:81:0a:ae:
802	   c1:c0:88:3f:09:01:6e:de:dd:8a:d0:87:55:82:03:a5:
803	   4e:9e:cb:38:ac:8e:5e:2b:b8:da:b2:0f:fa:db:52:e8:
804	   75:04:b2:6e:be:69:6d:4f:60:a4:85:cf:11:b8:1b:59:
805	   fc:b1:c4:5f:42:19:ee:ac:ec:6a:de:c3:4e:66:69:78:
806	   8e:db:41:c4:9c:a3:01:e1:27:e0:ac:ab:3b:44:b9:cf:
807	   5c:86:bb:95:e0:6b:0d:f2:90:1a:b6:45:e4:ab:e6:22:
808	   15:38

810	   Ciphertext:
811	   000  d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2|...4d.`.{...S.~.
812	   016  a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6|...Q)n......6.b.
813	   032  3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b|=..^..g....i..r.
814	   048  1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36|.q.....)....~.;6
815	   064  92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58|...-w......(..X
816	   080  fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc|..$...u.U...H1..
817	   096  3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b|?....Kz..v.e...K
818	   112  61 16                                          |a.

820	   AEAD Construction for Poly1305:
821	   000  50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7 0c 00 00 00|PQRS............
822	   016  00 00 00 00 d3 1a 8d 34 64 8e 60 db 7b 86 af bc|.......4d.`.{...
823	   032  53 ef 7e c2 a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7|S.~....Q)n......
824	   048  36 ee 62 d6 3d be a4 5e 8c a9 67 12 82 fa fb 69|6.b.=..^..g....i
825	   064  da 92 72 8b 1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6|..r..q.....)....
826	   080  7e cd 3b 36 92 dd bd 7f 2d 77 8b 8c 98 03 ae e3|~.;6...-w......
827	   096  28 09 1b 58 fa b3 24 e4 fa d6 75 94 55 85 80 8b|(..X..$...u.U...
828	   112  48 31 d7 bc 3f f4 de f0 8e 4b 7a 9d e5 76 d2 65|H1..?....Kz..v.e
829	   128  86 ce c6 4b 61 16 72 00 00 00 00 00 00 00      |...Ka.r.......

831	   Tag:
832	   18:fb:11:a5:03:1a:d1:3a:7e:3b:03:d4:6e:e3:a6:a7

834	3.  Implementation Advice

836	   Each block of ChaCha20 involves 16 move operations and one increment
837	   operation for loading the state, 80 each of XOR, addition and Roll
838	   operations for the rounds, 16 more add operations and 16 XOR
839	   operations for protecting the plaintext.  Section 2.3 describes the
840	   ChaCha block function as "adding the original input words".  This
841	   implies that before starting the rounds on the ChaCha state, it is
842	   copied aside only to be added in later.  This would be correct, but
843	   it saves a few operations to instead copy the state and do the work
844	   on the copy.  This way, for the next block you don't need to recreate
845	   the state, but only to increment the block counter.  This saves
846	   approximately 5.5% of the cycles.

848	   It is NOT RECOMMENDED to use a generic big number library such as the
849	   one in OpenSSL for the arithmetic operations in Poly1305.  Such
850	   libraries use dynamic allocation to be able to handle any-sized
851	   integer, but that flexibility comes at the expense of performance as
852	   well as side-channel security.  More efficient implementations that
853	   run in constant time are available, one of them in DJB's own library,
854	   NaCl ([NaCl]).  A constant-time but not optimal approach would be to
855	   naively implement the arithmetic operations for a 288-bit integers,
856	   because even a naive implementation will not exceed 2^288 in the
857	   multiplication of (acc+block) and r.  An efficient constant-time
858	   implementation can be found in the public domain library poly1305-
859	   donna ([poly1305_donna]).

861	4.  Security Considerations

863	   The ChaCha20 cipher is designed to provide 256-bit security.

865	   The Poly1305 authenticator is designed to ensure that forged messages
866	   are rejected with a probability of 1-(n/(2^102)) for a 16n-byte
867	   message, even after sending 2^64 legitimate messages, so it is SUF-
868	   CMA in the terminology of [AE].

870	   Proving the security of either of these is beyond the scope of this
871	   document.  Such proofs are available in the referenced academic
872	   papers.

874	   The most important security consideration in implementing this draft
875	   is the uniqueness of the nonce used in ChaCha20.  Counters and LFSRs
876	   are both acceptable ways of generating unique nonces, as is
877	   encrypting a counter using a 64-bit cipher such as DES.  Note that it
878	   is not acceptable to use a truncation of a counter encrypted with a
879	   128-bit or 256-bit cipher, because such a truncation may repeat after
880	   a short time.

882	   The Poly1305 key MUST be unpredictable to an attacker.  Randomly
883	   generating the key would fulfill this requirement, except that
884	   Poly1305 is often used in communications protocols, so the receiver
885	   should know the key.  Pseudo-random number generation such as by
886	   encrypting a counter is acceptable.  Using ChaCha with a secret key
887	   and a nonce is also acceptable.

889	   The algorithms presented here were designed to be easy to implement
890	   in constant time to avoid side-channel vulnerabilities.  The
891	   operations used in ChaCha20 are all additions, XORs, and fixed
892	   rotations.  All of these can and should be implemented in constant
893	   time.  Access to offsets into the ChaCha state and the number of
894	   operations do not depend on any property of the key, eliminating the
895	   chance of information about the key leaking through the timing of
896	   cache misses.

898	   For Poly1305, the operations are addition, multiplication and
899	   modulus, all on >128-bit numbers.  This can be done in constant time,
900	   but a naive implementation (such as using some generic big number
901	   library) will not be constant time.  For example, if the
902	   multiplication is performed as a separate operation from the modulus,
903	   the result will some times be under 2^256 and some times be above
904	   2^256.  Implementers should be careful about timing side-channels for
905	   Poly1305 by using the appropriate implementation of these operations.

907	5.  IANA Considerations

909	   There are no IANA considerations for this document.

911	6.  Acknowledgements

913	   ChaCha20 and Poly1305 were invented by Daniel J. Bernstein.  The AEAD
914	   construction and the method of creating the one-time poly1305 key
915	   were invented by Adam Langley.

917	   Thanks to Robert Ransom and Ilari Liusvaara for their helpful
918	   comments and explanations.

920	7.  References

922	7.1.  Normative References

924	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
925	              Requirement Levels", BCP 14, RFC 2119, March 1997.

927	   [chacha]   Bernstein, D., "ChaCha, a variant of Salsa20", Jan 2008.

929	   [poly1305]
930	              Bernstein, D., "The Poly1305-AES message-authentication
931	              code", Mar 2005.

933	7.2.  Informative References

935	   [AE]       Bellare, M. and C. Namprempre, "Authenticated Encryption:
936	              Relations among notions and analysis of the generic
937	              composition paradigm",
938	              <http://cseweb.ucsd.edu/~mihir/papers/oem.html>.

940	   [FIPS-197]
941	              National Institute of Standards and Technology, "Advanced
942	              Encryption Standard (AES)", FIPS PUB 197, November 2001.

944	   [FIPS-46]  National Institute of Standards and Technology, "Data
945	              Encryption Standard", FIPS PUB 46-2, December 1993,
946	              <http://www.itl.nist.gov/fipspubs/fip46-2.htm>.

948	   [NaCl]     Bernstein, D., Lange, T., and P. Schwabe, "NaCl:
949	              Networking and Cryptography library",
950	              <http://nacl.cace-project.eu/index.html>.

952	   [RFC4868]  Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
953	              384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007.

955	   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
956	              Encryption", RFC 5116, January 2008.

958	   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
959	              "Internet Key Exchange Protocol Version 2 (IKEv2)",
960	              RFC 5996, September 2010.

962	   [agl-draft]
963	              Langley, A. and W. Chang, "ChaCha20 and Poly1305 based
964	              Cipher Suites for TLS", draft-agl-tls-chacha20poly1305-04
965	              (work in progress), November 2013.

967	   [poly1305_donna]
968	              Floodyberry, A., "Poly1305-donna",
969	              <https://github.com/floodyberry/poly1305-donna>.

971	   [standby-cipher]
972	              McGrew, D., Grieco, A., and Y. Sheffer, "Selection of
973	              Future Cryptographic Standards",
974	              draft-mcgrew-standby-cipher (work in progress).

976	Appendix A.  Additional Test Vectors

978	   The sub-sections of this appendix contain more test vectors for the
979	   algorithms in the sub-sections of Section 2.

981	A.1.  The ChaCha20 Block Functions
982	  Test Vector #1:
983	  ==============

985	  Key:
986	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
987	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

989	  Nonce:
990	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

992	  Block Counter = 0

994	    ChaCha State at the end
995	        ade0b876  903df1a0  e56a5d40  28bd8653
996	        b819d2bd  1aed8da0  ccef36a8  c70d778b
997	        7c5941da  8d485751  3fe02477  374ad8b8
998	        f4b8436a  1ca11815  69b687c3  8665eeb2

1000	  Keystream:
1001	  000  76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28  v.....=.@]j.S..(
1002	  016  bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7  .........6...w..
1003	  032  da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37  .AY|QWH.w$.?..J7
1004	  048  6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86  jC.........i..e.

1006	  Test Vector #2:
1007	  ==============

1009	  Key:
1010	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1011	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1013	  Nonce:
1014	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

1016	  Block Counter = 1

1018	    ChaCha State at the end
1019	        bee7079f  7a385155  7c97ba98  0d082d73
1020	        a0290fcb  6965e348  3e53c612  ed7aee32
1021	        7621b729  434ee69c  b03371d5  d539d874
1022	        281fed31  45fb0a51  1f0ae1ac  6f4d794b

1024	  Keystream:
1025	  000  9f 07 e7 be 55 51 38 7a 98 ba 97 7c 73 2d 08 0d  ....UQ8z...|s-..
1026	  016  cb 0f 29 a0 48 e3 65 69 12 c6 53 3e 32 ee 7a ed  ..).H.ei..S>2.z.
1027	  032  29 b7 21 76 9c e6 4e 43 d5 71 33 b0 74 d8 39 d5  ).!v..NC.q3.t.9.
1028	  048  31 ed 1f 28 51 0a fb 45 ac e1 0a 1f 4b 79 4d 6f  1..(Q..E....KyMo
1029	  Test Vector #3:
1030	  ==============

1032	  Key:
1033	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1034	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................

1036	  Nonce:
1037	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

1039	  Block Counter = 1

1041	    ChaCha State at the end
1042	        2452eb3a  9249f8ec  8d829d9b  ddd4ceb1
1043	        e8252083  60818b01  f38422b8  5aaa49c9
1044	        bb00ca8e  da3ba7b4  c4b592d1  fdf2732f
1045	        4436274e  2561b3c8  ebdd4aa6  a0136c00

1047	  Keystream:
1048	  000  3a eb 52 24 ec f8 49 92 9b 9d 82 8d b1 ce d4 dd  :.R$..I.........
1049	  016  83 20 25 e8 01 8b 81 60 b8 22 84 f3 c9 49 aa 5a  . %....`."...I.Z
1050	  032  8e ca 00 bb b4 a7 3b da d1 92 b5 c4 2f 73 f2 fd  ......;...../s..
1051	  048  4e 27 36 44 c8 b3 61 25 a6 4a dd eb 00 6c 13 a0  N'6D..a%.J...l..

1053	  Test Vector #4:
1054	  ==============

1056	  Key:
1057	  000  00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1058	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1060	  Nonce:
1061	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

1063	  Block Counter = 2

1065	    ChaCha State at the end
1066	        fb4dd572  4bc42ef1  df922636  327f1394
1067	        a78dea8f  5e269039  a1bebbc1  caf09aae
1068	        a25ab213  48a6b46c  1b9d9bcb  092c5be6
1069	        546ca624  1bec45d5  87f47473  96f0992e

1071	  Keystream:
1072	  000  72 d5 4d fb f1 2e c4 4b 36 26 92 df 94 13 7f 32  r.M....K6&....2
1073	  016  8f ea 8d a7 39 90 26 5e c1 bb be a1 ae 9a f0 ca  ....9.&^........
1074	  032  13 b2 5a a2 6c b4 a6 48 cb 9b 9d 1b e6 5b 2c 09  ..Z.l..H.....[,.
1075	  048  24 a6 6c 54 d5 45 ec 1b 73 74 f4 87 2e 99 f0 96  $.lT.E..st......

1077	  Test Vector #5:
1078	  ==============

1080	  Key:
1081	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1082	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1084	  Nonce:
1085	  000  00 00 00 00 00 00 00 00 00 00 00 02              ............

1087	  Block Counter = 0

1089	    ChaCha State at the end
1090	        374dc6c2  3736d58c  b904e24a  cd3f93ef
1091	        88228b1a  96a4dfb3  5b76ab72  c727ee54
1092	        0e0e978a  f3145c95  1b748ea8  f786c297
1093	        99c28f5f  628314e8  398a19fa  6ded1b53

1095	  Keystream:
1096	  000  c2 c6 4d 37 8c d5 36 37 4a e2 04 b9 ef 93 3f cd  ..M7..67J.....?.
1097	  016  1a 8b 22 88 b3 df a4 96 72 ab 76 5b 54 ee 27 c7  ..".....r.v[T.'.
1098	  032  8a 97 0e 0e 95 5c 14 f3 a8 8e 74 1b 97 c2 86 f7  .....\....t.....
1099	  048  5f 8f c2 99 e8 14 83 62 fa 19 8a 39 53 1b ed 6d  _......b...9S..m

1101	A.2.  ChaCha20 Encryption
1102	  Test Vector #1:
1103	  ==============

1105	  Key:
1106	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1107	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1109	  Nonce:
1110	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

1112	  Initial Block Counter = 0

1114	  Plaintext:
1115	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1116	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1117	  032  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1118	  048  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1120	  Ciphertext:
1121	  000  76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28  v.....=.@]j.S..(
1122	  016  bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7  .........6...w..
1123	  032  da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37  .AY|QWH.w$.?..J7
1124	  048  6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86  jC.........i..e.

1126	  Test Vector #2:
1127	  ==============

1129	  Key:
1130	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1131	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................

1133	  Nonce:
1134	  000  00 00 00 00 00 00 00 00 00 00 00 02              ............

1136	  Initial Block Counter = 1

1138	  Plaintext:
1139	  000  41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74  Any submission t
1140	  016  6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e  o the IETF inten
1141	  032  64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72  ded by the Contr
1142	  048  69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69  ibutor for publi
1143	  064  63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72  cation as all or
1144	  080  20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46   part of an IETF
1145	  096  20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20   Internet-Draft
1146	  112  6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73  or RFC and any s
1147	  128  74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69  tatement made wi
1148	  144  74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74  thin the context
1149	  160  20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69   of an IETF acti
1150	  176  76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72  vity is consider
1151	  192  65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74  ed an "IETF Cont
1152	  208  72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20  ribution". Such
1153	  224  73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75  statements inclu
1154	  240  64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e  de oral statemen
1155	  256  74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69  ts in IETF sessi
1156	  272  6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20  ons, as well as
1157	  288  77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63  written and elec
1158	  304  74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61  tronic communica
1159	  320  74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e  tions made at an
1160	  336  79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c  y time or place,
1161	  352  20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65   which are addre
1162	  368  73 73 65 64 20 74 6f                             ssed to

1164	  Ciphertext:
1165	  000  a3 fb f0 7d f3 fa 2f de 4f 37 6c a2 3e 82 73 70  ...}../.O7l.>.sp
1166	  016  41 60 5d 9f 4f 4f 57 bd 8c ff 2c 1d 4b 79 55 ec  A`].OOW...,.KyU.
1167	  032  2a 97 94 8b d3 72 29 15 c8 f3 d3 37 f7 d3 70 05  *....r)....7..p.
1168	  048  0e 9e 96 d6 47 b7 c3 9f 56 e0 31 ca 5e b6 25 0d  ....G...V.1.^.%.
1169	  064  40 42 e0 27 85 ec ec fa 4b 4b b5 e8 ea d0 44 0e  @B.'....KK....D.
1170	  080  20 b6 e8 db 09 d8 81 a7 c6 13 2f 42 0e 52 79 50   ........./B.RyP
1171	  096  42 bd fa 77 73 d8 a9 05 14 47 b3 29 1c e1 41 1c  B..ws....G.)..A.
1172	  112  68 04 65 55 2a a6 c4 05 b7 76 4d 5e 87 be a8 5a  h.eU*....vM^...Z
1173	  128  d0 0f 84 49 ed 8f 72 d0 d6 62 ab 05 26 91 ca 66  ...I..r..b..&..f
1174	  144  42 4b c8 6d 2d f8 0e a4 1f 43 ab f9 37 d3 25 9d  BK.m-....C..7.%.
1175	  160  c4 b2 d0 df b4 8a 6c 91 39 dd d7 f7 69 66 e9 28  ......l.9...if.(
1176	  176  e6 35 55 3b a7 6c 5c 87 9d 7b 35 d4 9e b2 e6 2b  .5U;.l\..{5....+
1177	  192  08 71 cd ac 63 89 39 e2 5e 8a 1e 0e f9 d5 28 0f  .q..c.9.^.....(.
1178	  208  a8 ca 32 8b 35 1c 3c 76 59 89 cb cf 3d aa 8b 6c  ..2.5.<vY...=..l
1179	  224  cc 3a af 9f 39 79 c9 2b 37 20 fc 88 dc 95 ed 84  .:..9y.+7 ......
1180	  240  a1 be 05 9c 64 99 b9 fd a2 36 e7 e8 18 b0 4b 0b  ....d....6....K.
1181	  256  c3 9c 1e 87 6b 19 3b fe 55 69 75 3f 88 12 8c c0  ....k.;.Uiu?....
1182	  272  8a aa 9b 63 d1 a1 6f 80 ef 25 54 d7 18 9c 41 1f  ...c..o..%T...A.
1183	  288  58 69 ca 52 c5 b8 3f a3 6f f2 16 b9 c1 d3 00 62  Xi.R..?.o......b
1184	  304  be bc fd 2d c5 bc e0 91 19 34 fd a7 9a 86 f6 e6  ...-.....4......
1185	  320  98 ce d7 59 c3 ff 9b 64 77 33 8f 3d a4 f9 cd 85  ...Y...dw3.=....
1186	  336  14 ea 99 82 cc af b3 41 b2 38 4d d9 02 f3 d1 ab  .......A.8M.....
1187	  352  7a c6 1d d2 9c 6f 21 ba 5b 86 2f 37 30 e3 7c fd  z....o!.[./70.|.
1188	  368  c4 fd 80 6c 22 f2 21                             ...l".!
1189	  Test Vector #3:
1190	  ==============

1192	  Key:
1193	  000  1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0  ..@..U...3......
1194	  016  47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0  G9..@+....\. pu.

1196	  Nonce:
1197	  000  00 00 00 00 00 00 00 00 00 00 00 02              ............

1199	  Initial Block Counter = 42

1201	  Plaintext:
1202	  000  27 54 77 61 73 20 62 72 69 6c 6c 69 67 2c 20 61  'Twas brillig, a
1203	  016  6e 64 20 74 68 65 20 73 6c 69 74 68 79 20 74 6f  nd the slithy to
1204	  032  76 65 73 0a 44 69 64 20 67 79 72 65 20 61 6e 64  ves.Did gyre and
1205	  048  20 67 69 6d 62 6c 65 20 69 6e 20 74 68 65 20 77   gimble in the w
1206	  064  61 62 65 3a 0a 41 6c 6c 20 6d 69 6d 73 79 20 77  abe:.All mimsy w
1207	  080  65 72 65 20 74 68 65 20 62 6f 72 6f 67 6f 76 65  ere the borogove
1208	  096  73 2c 0a 41 6e 64 20 74 68 65 20 6d 6f 6d 65 20  s,.And the mome
1209	  112  72 61 74 68 73 20 6f 75 74 67 72 61 62 65 2e     raths outgrabe.

1211	  Ciphertext:
1212	  000  62 e6 34 7f 95 ed 87 a4 5f fa e7 42 6f 27 a1 df  b.4...._..Bo'..
1213	  016  5f b6 91 10 04 4c 0d 73 11 8e ff a9 5b 01 e5 cf  _....L.s....[...
1214	  032  16 6d 3d f2 d7 21 ca f9 b2 1e 5f b1 4c 61 68 71  .m=..!...._.Lahq
1215	  048  fd 84 c5 4f 9d 65 b2 83 19 6c 7f e4 f6 05 53 eb  ...O.e...l...S.
1216	  064  f3 9c 64 02 c4 22 34 e3 2a 35 6b 3e 76 43 12 a6  ..d.."4.*5k>vC..
1217	  080  1a 55 32 05 57 16 ea d6 96 25 68 f8 7d 3f 3f 77  .U2.W....%h.}??w
1218	  096  04 c6 a8 d1 bc d1 bf 4d 50 d6 15 4b 6d a7 31 b1  .......MP..Km.1.
1219	  112  87 b5 8d fd 72 8a fa 36 75 7a 79 7a c1 88 d1     ....r..6uzyz...

1221	A.3.  Poly1305 Message Authentication Code

1223	   Notice how in test vector #2 r is equal to zero.  The part of the
1224	   Poly1305 algorithm where the accumulator is multiplied by r means
1225	   that with r equal zero, the tag will be equal to s regardless of the
1226	   content of the Text.  Fortunately, all the proposed methods of
1227	   generating r are such that getting this particular weak key is very
1228	   unlikely.

1230	  Test Vector #1:
1231	  ==============

1233	  One-time Poly1305 Key:
1234	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1235	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1237	  Text to MAC:
1238	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1239	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1240	  032  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1241	  048  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1243	  Tag:
1244	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1246	  Test Vector #2:
1247	  ==============

1249	  One-time Poly1305 Key:
1250	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1251	  016  36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e  6.....`p...."z.>

1253	  Text to MAC:
1254	  000  41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74  Any submission t
1255	  016  6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e  o the IETF inten
1256	  032  64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72  ded by the Contr
1257	  048  69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69  ibutor for publi
1258	  064  63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72  cation as all or
1259	  080  20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46   part of an IETF
1260	  096  20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20   Internet-Draft
1261	  112  6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73  or RFC and any s
1262	  128  74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69  tatement made wi
1263	  144  74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74  thin the context
1264	  160  20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69   of an IETF acti
1265	  176  76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72  vity is consider
1266	  192  65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74  ed an "IETF Cont
1267	  208  72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20  ribution". Such
1268	  224  73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75  statements inclu
1269	  240  64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e  de oral statemen
1270	  256  74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69  ts in IETF sessi
1271	  272  6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20  ons, as well as
1272	  288  77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63  written and elec
1273	  304  74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61  tronic communica
1274	  320  74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e  tions made at an
1275	  336  79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c  y time or place,
1276	  352  20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65   which are addre
1277	  368  73 73 65 64 20 74 6f                             ssed to

1279	  Tag:
1280	  000  36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e  6.....`p...."z.>
1281	  Test Vector #3:
1282	  ==============

1284	  One-time Poly1305 Key:
1285	  000  36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e  6.....`p...."z.>
1286	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1288	  Text to MAC:
1289	  000  41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74  Any submission t
1290	  016  6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e  o the IETF inten
1291	  032  64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72  ded by the Contr
1292	  048  69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69  ibutor for publi
1293	  064  63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72  cation as all or
1294	  080  20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46   part of an IETF
1295	  096  20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20   Internet-Draft
1296	  112  6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73  or RFC and any s
1297	  128  74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69  tatement made wi
1298	  144  74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74  thin the context
1299	  160  20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69   of an IETF acti
1300	  176  76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72  vity is consider
1301	  192  65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74  ed an "IETF Cont
1302	  208  72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20  ribution". Such
1303	  224  73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75  statements inclu
1304	  240  64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e  de oral statemen
1305	  256  74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69  ts in IETF sessi
1306	  272  6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20  ons, as well as
1307	  288  77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63  written and elec
1308	  304  74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61  tronic communica
1309	  320  74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e  tions made at an
1310	  336  79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c  y time or place,
1311	  352  20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65   which are addre
1312	  368  73 73 65 64 20 74 6f                             ssed to

1314	  Tag:
1315	  000  f3 47 7e 7c d9 54 17 af 89 a6 b8 79 4c 31 0c f0  .G~|.T.....yL1..

1317	  Test Vector #4:
1318	  ==============

1320	  One-time Poly1305 Key:
1321	  000  1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0  ..@..U...3......
1322	  016  47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0  G9..@+....\. pu.

1324	  Text to MAC:
1325	  000  27 54 77 61 73 20 62 72 69 6c 6c 69 67 2c 20 61  'Twas brillig, a
1326	  016  6e 64 20 74 68 65 20 73 6c 69 74 68 79 20 74 6f  nd the slithy to
1327	  032  76 65 73 0a 44 69 64 20 67 79 72 65 20 61 6e 64  ves.Did gyre and
1328	  048  20 67 69 6d 62 6c 65 20 69 6e 20 74 68 65 20 77   gimble in the w
1329	  064  61 62 65 3a 0a 41 6c 6c 20 6d 69 6d 73 79 20 77  abe:.All mimsy w
1330	  080  65 72 65 20 74 68 65 20 62 6f 72 6f 67 6f 76 65  ere the borogove
1331	  096  73 2c 0a 41 6e 64 20 74 68 65 20 6d 6f 6d 65 20  s,.And the mome
1332	  112  72 61 74 68 73 20 6f 75 74 67 72 61 62 65 2e     raths outgrabe.

1334	  Tag:
1335	  000  45 41 66 9a 7e aa ee 61 e7 08 dc 7c bc c5 eb 62  EAf.~..a...|...b

1337	A.4.  Poly1305 Key Generation Using ChaCha20

1339	  Test Vector #1:
1340	  ==============

1342	  The key:
1343	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1344	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1346	  The nonce:
1347	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

1349	  Poly1305 one-time key:
1350	  000  76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28  v.....=.@]j.S..(
1351	  016  bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7  .........6...w..

1353	  Test Vector #2:
1354	  ==============

1356	  The key:
1357	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1358	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................

1360	  The nonce:
1361	  000  00 00 00 00 00 00 00 00 00 00 00 02              ............

1363	  Poly1305 one-time key:
1364	  000  ec fa 25 4f 84 5f 64 74 73 d3 cb 14 0d a9 e8 76  ..%O._dts......v
1365	  016  06 cb 33 06 6c 44 7b 87 bc 26 66 dd e3 fb b7 39  ..3.lD{..&f....9

1367	  Test Vector #3:
1368	  ==============

1370	  The key:
1371	  000  1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0  ..@..U...3......
1372	  016  47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0  G9..@+....\. pu.

1374	  The nonce:
1375	  000  00 00 00 00 00 00 00 00 00 00 00 02              ............

1377	  Poly1305 one-time key:
1378	  000  96 5e 3b c6 f9 ec 7e d9 56 08 08 f4 d2 29 f9 4b  .^;...~.V....).K
1379	  016  13 7f f2 75 ca 9b 3f cb dd 59 de aa d2 33 10 ae  ..u..?..Y...3..

1381	Authors' Addresses

1383	   Yoav Nir
1384	   Check Point Software Technologies Ltd.
1385	   5 Hasolelim st.
1386	   Tel Aviv  6789735
1387	   Israel

1389	   Email: ynir.ietf@gmail.com

1391	   Adam Langley
1392	   Google Inc

1394	   Email: agl@google.com