idnits 2.17.1 

draft-nir-cfrg-rfc7539bis-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The draft header indicates that this document obsoletes RFC7539, but the
     abstract doesn't seem to directly say this.  It does mention RFC7539
     though, so this could be OK.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 263 has weird spacing: '...db886dc  c9a62...'

  == Line 319 has weird spacing: '...ccccccc  ccccc...'

  == Line 320 has weird spacing: '...kkkkkkk  kkkkk...'

  == Line 321 has weird spacing: '...kkkkkkk  kkkkk...'

  == Line 322 has weird spacing: '...bbbbbbb  nnnnn...'

  == (9 more instances...)

  -- The document date (January 30, 2017) is 2642 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '3' on line 612

  -- Looks like a reference, but probably isn't: '7' on line 613

  -- Looks like a reference, but probably isn't: '11' on line 614

  -- Looks like a reference, but probably isn't: '15' on line 615

  -- Looks like a reference, but probably isn't: '4' on line 616

  -- Looks like a reference, but probably isn't: '8' on line 617

  -- Looks like a reference, but probably isn't: '12' on line 618

  -- Looks like a reference, but probably isn't: '16' on line 610

  == Missing Reference: '0x01' is mentioned on line 677, but not defined

  -- Obsolete informational reference (is this intentional?): RFC 7539
     (Obsoleted by RFC 8439)


     Summary: 0 errors (**), 0 flaws (~~), 8 warnings (==), 12 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Crypto Forum                                                      Y. Nir
3	Internet-Draft                                               Check Point
4	Obsoletes: 7539 (if approved)                                 A. Langley
5	Intended status: Informational                              Google, Inc.
6	Expires: August 3, 2017                                 January 30, 2017

8	                ChaCha20 and Poly1305 for IETF Protocols
9	                      draft-nir-cfrg-rfc7539bis-01

11	Abstract

13	   This document defines the ChaCha20 stream cipher as well as the use
14	   of the Poly1305 authenticator, both as stand-alone algorithms and as
15	   a "combined mode", or Authenticated Encryption with Associated Data
16	   (AEAD) algorithm.

18	   RFC 7539, the predecessor of this document, was meant to serve as a
19	   stable reference and an implementation guide.  It was a product of
20	   the Crypto Forum Research Group (CFRG).  This document merges the
21	   errata filed against RFC 7539 and adds a little text to the Security
22	   Considerations section.

24	Status of This Memo

26	   This Internet-Draft is submitted in full conformance with the
27	   provisions of BCP 78 and BCP 79.

29	   Internet-Drafts are working documents of the Internet Engineering
30	   Task Force (IETF).  Note that other groups may also distribute
31	   working documents as Internet-Drafts.  The list of current Internet-
32	   Drafts is at http://datatracker.ietf.org/drafts/current/.

34	   Internet-Drafts are draft documents valid for a maximum of six months
35	   and may be updated, replaced, or obsoleted by other documents at any
36	   time.  It is inappropriate to use Internet-Drafts as reference
37	   material or to cite them other than as "work in progress."

39	   This Internet-Draft will expire on August 3, 2017.

41	Copyright Notice

43	   Copyright (c) 2017 IETF Trust and the persons identified as the
44	   document authors.  All rights reserved.

46	   This document is subject to BCP 78 and the IETF Trust's Legal
47	   Provisions Relating to IETF Documents
48	   (http://trustee.ietf.org/license-info) in effect on the date of
49	   publication of this document.  Please review these documents
50	   carefully, as they describe your rights and restrictions with respect
51	   to this document.  Code Components extracted from this document must
52	   include Simplified BSD License text as described in Section 4.e of
53	   the Trust Legal Provisions and are provided without warranty as
54	   described in the Simplified BSD License.

56	Table of Contents

58	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
59	     1.1.  Conventions Used in This Document . . . . . . . . . . . .   4
60	   2.  The Algorithms  . . . . . . . . . . . . . . . . . . . . . . .   4
61	     2.1.  The ChaCha Quarter Round  . . . . . . . . . . . . . . . .   4
62	       2.1.1.  Test Vector for the ChaCha Quarter Round  . . . . . .   5
63	     2.2.  A Quarter Round on the ChaCha State . . . . . . . . . . .   5
64	       2.2.1.  Test Vector for the Quarter Round on the ChaCha State   6
65	     2.3.  The ChaCha20 Block Function . . . . . . . . . . . . . . .   6
66	       2.3.1.  The ChaCha20 Block Function in Pseudocode . . . . . .   8
67	       2.3.2.  Test Vector for the ChaCha20 Block Function . . . . .   8
68	     2.4.  The ChaCha20 Encryption Algorithm . . . . . . . . . . . .  10
69	       2.4.1.  The ChaCha20 Encryption Algorithm in Pseudocode . . .  10
70	       2.4.2.  Example and Test Vector for the ChaCha20 Cipher . . .  11
71	     2.5.  The Poly1305 Algorithm  . . . . . . . . . . . . . . . . .  13
72	       2.5.1.  The Poly1305 Algorithms in Pseudocode . . . . . . . .  15
73	       2.5.2.  Poly1305 Example and Test Vector  . . . . . . . . . .  15
74	     2.6.  Generating the Poly1305 Key Using ChaCha20  . . . . . . .  17
75	       2.6.1.  Poly1305 Key Generation in Pseudocode . . . . . . . .  18
76	       2.6.2.  Poly1305 Key Generation Test Vector . . . . . . . . .  18
77	     2.7.  A Pseudorandom Function for Crypto Suites based on
78	           ChaCha/Poly1305 . . . . . . . . . . . . . . . . . . . . .  18
79	     2.8.  AEAD Construction . . . . . . . . . . . . . . . . . . . .  19
80	       2.8.1.  Pseudocode for the AEAD Construction  . . . . . . . .  21
81	       2.8.2.  Example and Test Vector for AEAD_CHACHA20_POLY1305  .  22
82	   3.  Implementation Advice . . . . . . . . . . . . . . . . . . . .  24
83	   4.  Security Considerations . . . . . . . . . . . . . . . . . . .  24
84	   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  26
85	   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  26
86	     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  26
87	     6.2.  Informative References  . . . . . . . . . . . . . . . . .  26
88	   Appendix A.  Additional Test Vectors  . . . . . . . . . . . . . .  29
89	     A.1.  The ChaCha20 Block Functions  . . . . . . . . . . . . . .  29
90	     A.2.  ChaCha20 Encryption . . . . . . . . . . . . . . . . . . .  32
91	     A.3.  Poly1305 Message Authentication Code  . . . . . . . . . .  34
92	     A.4.  Poly1305 Key Generation Using ChaCha20  . . . . . . . . .  40
93	     A.5.  ChaCha20-Poly1305 AEAD Decryption . . . . . . . . . . . .  41
94	   Appendix B.  Performance Measurements of ChaCha20 . . . . . . . .  44
95	   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  44
96	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  45

98	1.  Introduction

100	   The Advanced Encryption Standard (AES -- [FIPS-197]) has become the
101	   gold standard in encryption.  Its efficient design, widespread
102	   implementation, and hardware support allow for high performance in
103	   many areas.  On most modern platforms, AES is anywhere from four to
104	   ten times as fast as the previous most-used cipher, Triple Data
105	   Encryption Standard (3DES -- [SP800-67]), which makes it not only the
106	   best choice, but the only practical choice.

108	   There are several problems with this.  If future advances in
109	   cryptanalysis reveal a weakness in AES, users will be in an
110	   unenviable position.  With the only other widely supported cipher
111	   being the much slower 3DES, it is not feasible to reconfigure
112	   deployments to use 3DES.  [Standby-Cipher] describes this issue and
113	   the need for a standby cipher in greater detail.  Another problem is
114	   that while AES is very fast on dedicated hardware, its performance on
115	   platforms that lack such hardware is considerably lower.  Yet another
116	   problem is that many AES implementations are vulnerable to cache-
117	   collision timing attacks ([Cache-Collisions]).

119	   This document provides a definition and implementation guide for
120	   three algorithms:

122	   1.  The ChaCha20 cipher.  This is a high-speed cipher first described
123	       in [ChaCha].  It is considerably faster than AES in software-only
124	       implementations, making it around three times as fast on
125	       platforms that lack specialized AES hardware.  See Appendix B for
126	       some hard numbers.  ChaCha20 is also not sensitive to timing
127	       attacks (see the security considerations in Section 4).  This
128	       algorithm is described in Section 2.4

130	   2.  The Poly1305 authenticator.  This is a high-speed message
131	       authentication code.  Implementation is also straightforward and
132	       easy to get right.  The algorithm is described in Section 2.5.

134	   3.  The CHACHA20-POLY1305 Authenticated Encryption with Associated
135	       Data (AEAD) construction, described in Section 2.8.

137	   This document and its predecesor do not introduce these new
138	   algorithms for the first time.  They have been defined in scientific
139	   papers by D. J. Bernstein.  [ChaCha][Poly1305] The purpose of this
140	   document is to serve as a stable reference for IETF documents making
141	   use of these algorithms.

143	   These algorithms have undergone rigorous analysis.  Several papers
144	   discuss the security of Salsa and ChaCha ([LatinDances],
145	   [LatinDances2], [Zhenqing2012]).

147	   This document represents the consensus of the Crypto Forum Research
148	   Group (CFRG).  It replaces [RFC7539].

150	1.1.  Conventions Used in This Document

152	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
153	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
154	   document are to be interpreted as described in [RFC2119].

156	   The description of the ChaCha algorithm will at various time refer to
157	   the ChaCha state as a "vector" or as a "matrix".  This follows the
158	   use of these terms in [ChaCha].  The matrix notation is more visually
159	   convenient and gives a better notion as to why some rounds are called
160	   "column rounds" while others are called "diagonal rounds".  Here's a
161	   diagram of how the matrices relate to vectors (using the C language
162	   convention of zero being the index origin).

164	      0   1   2   3
165	      4   5   6   7
166	      8   9  10  11
167	     12  13  14  15

169	   The elements in this vector or matrix are 32-bit unsigned integers.

171	   The algorithm name is "ChaCha".  "ChaCha20" is a specific instance
172	   where 20 "rounds" (or 80 quarter rounds -- see Section 2.1) are used.
173	   Other variations are defined, with 8 or 12 rounds, but in this
174	   document we only describe the 20-round ChaCha, so the names "ChaCha"
175	   and "ChaCha20" will be used interchangeably.

177	2.  The Algorithms

179	   The subsections below describe the algorithms used and the AEAD
180	   construction.

182	2.1.  The ChaCha Quarter Round

184	   The basic operation of the ChaCha algorithm is the quarter round.  It
185	   operates on four 32-bit unsigned integers, denoted a, b, c, and d.
186	   The operation is as follows (in C-like notation):

188	      a += b; d ^= a; d <<<= 16;
189	      c += d; b ^= c; b <<<= 12;
190	      a += b; d ^= a; d <<<= 8;
191	      c += d; b ^= c; b <<<= 7;

193	   Where "+" denotes integer addition modulo 2^32, "^" denotes a bitwise
194	   Exclusive OR (XOR), and "<<< n" denotes an n-bit left roll (towards
195	   the high bits).

197	   For example, let's see the add, XOR, and roll operations from the
198	   fourth line with sample numbers:

200	      a = 0x11111111
201	      b = 0x01020304
202	      c = 0x77777777
203	      d = 0x01234567
204	      c = c + d = 0x77777777 + 0x01234567 = 0x789abcde
205	      b = b ^ c = 0x01020304 ^ 0x789abcde = 0x7998bfda
206	      b = b <<< 7 = 0x7998bfda <<< 7 = 0xcc5fed3c

208	2.1.1.  Test Vector for the ChaCha Quarter Round

210	   For a test vector, we will use the same numbers as in the example,
211	   adding something random for c.

213	      a = 0x11111111
214	      b = 0x01020304
215	      c = 0x9b8d6f43
216	      d = 0x01234567

218	   After running a Quarter Round on these four numbers, we get these:

220	      a = 0xea2a92f4
221	      b = 0xcb1cf8ce
222	      c = 0x4581472e
223	      d = 0x5881c4bb

225	2.2.  A Quarter Round on the ChaCha State

227	   The ChaCha state does not have four integer numbers: it has 16.  So
228	   the quarter-round operation works on only four of them -- hence the
229	   name.  Each quarter round operates on four predetermined numbers in
230	   the ChaCha state.  We will denote by QUARTERROUND(x, y, z, w) a
231	   quarter-round operation on the numbers at indices x, y, z, and w of
232	   the ChaCha state when viewed as a vector.  For example, if we apply
233	   QUARTERROUND(1, 5, 9, 13) to a state, this means running the quarter-
234	   round operation on the elements marked with an asterisk, while
235	   leaving the others alone:

237	      0  *a   2   3
238	      4  *b   6   7
239	      8  *c  10  11
240	     12  *d  14  15

242	   Note that this run of quarter round is part of what is called a
243	   "column round".

245	2.2.1.  Test Vector for the Quarter Round on the ChaCha State

247	   For a test vector, we will use a ChaCha state that was generated
248	   randomly:

250	   Sample ChaCha State

252	       879531e0  c5ecf37d  516461b1  c9a62f8a
253	       44c20ef3  3390af7f  d9fc690b  2a5f714c
254	       53372767  b00a5631  974c541a  359e9963
255	       5c971061  3d631689  2098d9d6  91dbd320

257	   We will apply the QUARTERROUND(2, 7, 8, 13) operation to this state.
258	   For obvious reasons, this one is part of what is called a "diagonal
259	   round":

261	   After applying QUARTERROUND(2, 7, 8, 13)

263	       879531e0  c5ecf37d *bdb886dc  c9a62f8a
264	       44c20ef3  3390af7f  d9fc690b *cfacafd2
265	      *e46bea80  b00a5631  974c541a  359e9963
266	       5c971061 *ccc07c79  2098d9d6  91dbd320

268	   Note that only the numbers in positions 2, 7, 8, and 13 changed.

270	2.3.  The ChaCha20 Block Function

272	   The ChaCha block function transforms a ChaCha state by running
273	   multiple quarter rounds.

275	   The inputs to ChaCha20 are:

277	   o  A 256-bit key, treated as a concatenation of eight 32-bit little-
278	      endian integers.

280	   o  A 96-bit nonce, treated as a concatenation of three 32-bit little-
281	      endian integers.

283	   o  A 32-bit block count parameter, treated as a 32-bit little-endian
284	      integer.

286	   The output is 64 random-looking bytes.

288	   The ChaCha algorithm described here uses a 256-bit key.  The original
289	   algorithm also specified 128-bit keys and 8- and 12-round variants,
290	   but these are out of scope for this document.  In this section, we
291	   describe the ChaCha block function.

293	   Note also that the original ChaCha had a 64-bit nonce and 64-bit
294	   block count.  We have modified this here to be more consistent with
295	   recommendations in Section 3.2 of [RFC5116].  This limits the use of
296	   a single (key,nonce) combination to 2^32 blocks, or 256 GB, but that
297	   is enough for most uses.  In cases where a single key is used by
298	   multiple senders, it is important to make sure that they don't use
299	   the same nonces.  This can be assured by partitioning the nonce space
300	   so that the first 32 bits are unique per sender, while the other 64
301	   bits come from a counter.

303	   The ChaCha20 state is initialized as follows:

305	   o  The first four words (0-3) are constants: 0x61707865, 0x3320646e,
306	      0x79622d32, 0x6b206574.

308	   o  The next eight words (4-11) are taken from the 256-bit key by
309	      reading the bytes in little-endian order, in 4-byte chunks.

311	   o  Word 12 is a block counter.  Since each block is 64-byte, a 32-bit
312	      word is enough for 256 gigabytes of data.

314	   o  Words 13-15 are a nonce, which should not be repeated for the same
315	      key.  The 13th word is the first 32 bits of the input nonce taken
316	      as a little-endian integer, while the 15th word is the last 32
317	      bits.

319	       cccccccc  cccccccc  cccccccc  cccccccc
320	       kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
321	       kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
322	       bbbbbbbb  nnnnnnnn  nnnnnnnn  nnnnnnnn

324	   c=constant k=key b=blockcount n=nonce

326	   ChaCha20 runs 20 rounds, alternating between "column rounds" and
327	   "diagonal rounds".  Each round consists of four quarter-rounds, and
328	   they are run as follows.  Quarter rounds 1-4 are part of a "column"
329	   round, while 5-8 are part of a "diagonal" round:

331	      QUARTERROUND(0, 4, 8, 12)
332	      QUARTERROUND(1, 5, 9, 13)
333	      QUARTERROUND(2, 6, 10, 14)
334	      QUARTERROUND(3, 7, 11, 15)
335	      QUARTERROUND(0, 5, 10, 15)
336	      QUARTERROUND(1, 6, 11, 12)
337	      QUARTERROUND(2, 7, 8, 13)
338	      QUARTERROUND(3, 4, 9, 14)

340	   At the end of 20 rounds (or 10 iterations of the above list), we add
341	   the original input words to the output words, and serialize the
342	   result by sequencing the words one-by-one in little-endian order.

344	   Note: "addition" in the above paragraph is done modulo 2^32.  In some
345	   machine languages, this is called carryless addition on a 32-bit
346	   word.

348	2.3.1.  The ChaCha20 Block Function in Pseudocode

350	   Note: This section and a few others contain pseudocode for the
351	   algorithm explained in a previous section.  Every effort was made for
352	   the pseudocode to accurately reflect the algorithm as described in
353	   the preceding section.  If a conflict is still present, the textual
354	   explanation and the test vectors are normative.

356	      inner_block (state):
357	         Qround(state, 0, 4, 8, 12)
358	         Qround(state, 1, 5, 9, 13)
359	         Qround(state, 2, 6, 10, 14)
360	         Qround(state, 3, 7, 11, 15)
361	         Qround(state, 0, 5, 10, 15)
362	         Qround(state, 1, 6, 11, 12)
363	         Qround(state, 2, 7, 8, 13)
364	         Qround(state, 3, 4, 9, 14)
365	         end

367	      chacha20_block(key, counter, nonce):
368	         state = constants | key | counter | nonce
369	         initial_state = state
370	         for i=1 upto 10
371	            inner_block(working_state)
372	            end
373	         state += initial_state
374	         return serialize(state)
375	         end

377	   Where the pipe character ("|") denotes concatenation.

379	2.3.2.  Test Vector for the ChaCha20 Block Function

381	   For a test vector, we will use the following inputs to the ChaCha20
382	   block function:

384	   o  Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:
385	      14:15:16:17:18:19:1a:1b:1c:1d:1e:1f.  The key is a sequence of
386	      octets with no particular structure before we copy it into the
387	      ChaCha state.

389	   o  Nonce = (00:00:00:09:00:00:00:4a:00:00:00:00)

391	   o  Block Count = 1.

393	   After setting up the ChaCha state, it looks like this:

395	   ChaCha state with the key setup.

397	       61707865  3320646e  79622d32  6b206574
398	       03020100  07060504  0b0a0908  0f0e0d0c
399	       13121110  17161514  1b1a1918  1f1e1d1c
400	       00000001  09000000  4a000000  00000000

402	   After running 20 rounds (10 column rounds interleaved with 10
403	   "diagonal rounds"), the ChaCha state looks like this:

405	   ChaCha state after 20 rounds

407	       837778ab  e238d763  a67ae21e  5950bb2f
408	       c4f2d0c7  fc62bb2f  8fa018fc  3f5ec7b7
409	       335271c2  f29489f3  eabda8fc  82e46ebd
410	       d19c12b4  b04e16de  9e83d0cb  4e3c50a2

412	   Finally, we add the original state to the result (simple vector or
413	   matrix addition), giving this:

415	   ChaCha state at the end of the ChaCha20 operation

417	       e4e7f110  15593bd1  1fdd0f50  c47120a3
418	       c7f4d1c7  0368c033  9aaa2204  4e6cd4c3
419	       466482d2  09aa9f07  05d7c214  a2028bd9
420	       d19c12b5  b94e16de  e883d0cb  4e3c50a2

422	   After we serialize the state, we get this:

424	  Serialized Block:
425	  000  10 f1 e7 e4 d1 3b 59 15 50 0f dd 1f a3 20 71 c4  .....;Y.P.... q.
426	  016  c7 d1 f4 c7 33 c0 68 03 04 22 aa 9a c3 d4 6c 4e  ....3.h.."....lN
427	  032  d2 82 64 46 07 9f aa 09 14 c2 d7 05 d9 8b 02 a2  ..dF............
428	  048  b5 12 9c d1 de 16 4e b9 cb d0 83 e8 a2 50 3c 4e  ......N......P<N

430	2.4.  The ChaCha20 Encryption Algorithm

432	   ChaCha20 is a stream cipher designed by D. J. Bernstein.  It is a
433	   refinement of the Salsa20 algorithm, and it uses a 256-bit key.

435	   ChaCha20 successively calls the ChaCha20 block function, with the
436	   same key and nonce, and with successively increasing block counter
437	   parameters.  ChaCha20 then serializes the resulting state by writing
438	   the numbers in little-endian order, creating a keystream block.
439	   Concatenating the keystream blocks from the successive blocks forms a
440	   keystream.  The ChaCha20 function then performs an XOR of this
441	   keystream with the plaintext.  Alternatively, each keystream block
442	   can be XORed with a plaintext block before proceeding to create the
443	   next block, saving some memory.  There is no requirement for the
444	   plaintext to be an integral multiple of 512 bits.  If there is extra
445	   keystream from the last block, it is discarded.  Specific protocols
446	   MAY require that the plaintext and ciphertext have certain length.
447	   Such protocols need to specify how the plaintext is padded and how
448	   much padding it receives.

450	   The inputs to ChaCha20 are:

452	   o  A 256-bit key

454	   o  A 32-bit initial counter.  This can be set to any number, but will
455	      usually be zero or one.  It makes sense to use one if we use the
456	      zero block for something else, such as generating a one-time
457	      authenticator key as part of an AEAD algorithm.

459	   o  A 96-bit nonce.  In some protocols, this is known as the
460	      Initialization Vector.

462	   o  An arbitrary-length plaintext

464	   The output is an encrypted message, or "ciphertext", of the same
465	   length.

467	   Decryption is done in the same way.  The ChaCha20 block function is
468	   used to expand the key into a keystream, which is XORed with the
469	   ciphertext giving back the plaintext.

471	2.4.1.  The ChaCha20 Encryption Algorithm in Pseudocode
472	     chacha20_encrypt(key, counter, nonce, plaintext):
473	        for j = 0 upto floor(len(plaintext)/64)-1
474	           key_stream = chacha20_block(key, counter+j, nonce)
475	           block = plaintext[(j*64)..(j*64+63)]
476	           encrypted_message +=  block ^ key_stream
477	           end
478	        if ((len(plaintext) % 64) != 0)
479	           j = floor(len(plaintext)/64)
480	           key_stream = chacha20_block(key, counter+j, nonce)
481	           block = plaintext[(j*64)..len(plaintext)-1]
482	           encrypted_message += (block^key_stream)[0..len(plaintext)%64]
483	           end
484	        return encrypted_message
485	        end

487	2.4.2.  Example and Test Vector for the ChaCha20 Cipher

489	   For a test vector, we will use the following inputs to the ChaCha20
490	   block function:

492	   o  Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:
493	      14:15:16:17:18:19:1a:1b:1c:1d:1e:1f.

495	   o  Nonce = (00:00:00:00:00:00:00:4a:00:00:00:00).

497	   o  Initial Counter = 1.

499	   We use the following for the plaintext.  It was chosen to be long
500	   enough to require more than one block, but not so long that it would
501	   make this example cumbersome (so, less than 3 blocks):

503	  Plaintext Sunscreen:
504	  000  4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c  Ladies and Gentl
505	  016  65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73  emen of the clas
506	  032  73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63  s of '99: If I c
507	  048  6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f  ould offer you o
508	  064  6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20  nly one tip for
509	  080  74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73  the future, suns
510	  096  63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69  creen would be i
511	  112  74 2e                                            t.

513	   The following figure shows four ChaCha state matrices:

515	   1.  First block as it is set up.

517	   2.  Second block as it is set up.  Note that these blocks are only
518	       two bits apart -- only the counter in position 12 is different.

520	   3.  Third block is the first block after the ChaCha20 block operation
521	       was applied.

523	   4.  Final block is the second block after the ChaCha20 block
524	       operation was applied.

526	   After that, we show the keystream.

528	   First block setup:
529	       61707865  3320646e  79622d32  6b206574
530	       03020100  07060504  0b0a0908  0f0e0d0c
531	       13121110  17161514  1b1a1918  1f1e1d1c
532	       00000001  00000000  4a000000  00000000

534	   Second block setup:
535	       61707865  3320646e  79622d32  6b206574
536	       03020100  07060504  0b0a0908  0f0e0d0c
537	       13121110  17161514  1b1a1918  1f1e1d1c
538	       00000002  00000000  4a000000  00000000

540	   First block after block operation:
541	       f3514f22  e1d91b40  6f27de2f  ed1d63b8
542	       821f138c  e2062c3d  ecca4f7e  78cff39e
543	       a30a3b8a  920a6072  cd7479b5  34932bed
544	       40ba4c79  cd343ec6  4c2c21ea  b7417df0

546	   Second block after block operation:
547	       9f74a669  410f633f  28feca22  7ec44dec
548	       6d34d426  738cb970  3ac5e9f3  45590cc4
549	       da6e8b39  892c831a  cdea67c1  2b7e1d90
550	       037463f3  a11a2073  e8bcfb88  edc49139

552	   Keystream:
553	   22:4f:51:f3:40:1b:d9:e1:2f:de:27:6f:b8:63:1d:ed:8c:13:1f:82:3d:2c:06
554	   e2:7e:4f:ca:ec:9e:f3:cf:78:8a:3b:0a:a3:72:60:0a:92:b5:79:74:cd:ed:2b
555	   93:34:79:4c:ba:40:c6:3e:34:cd:ea:21:2c:4c:f0:7d:41:b7:69:a6:74:9f:3f
556	   63:0f:41:22:ca:fe:28:ec:4d:c4:7e:26:d4:34:6d:70:b9:8c:73:f3:e9:c5:3a
557	   c4:0c:59:45:39:8b:6e:da:1a:83:2c:89:c1:67:ea:cd:90:1d:7e:2b:f3:63

559	   Finally, we XOR the keystream with the plaintext, yielding the
560	   ciphertext:

562	  Ciphertext Sunscreen:
563	  000  6e 2e 35 9a 25 68 f9 80 41 ba 07 28 dd 0d 69 81  n.5.%h..A..(..i.
564	  016  e9 7e 7a ec 1d 43 60 c2 0a 27 af cc fd 9f ae 0b  .~z..C`..'......
565	  032  f9 1b 65 c5 52 47 33 ab 8f 59 3d ab cd 62 b3 57  ..e.RG3..Y=..b.W
566	  048  16 39 d6 24 e6 51 52 ab 8f 53 0c 35 9f 08 61 d8  .9.$.QR..S.5..a.
567	  064  07 ca 0d bf 50 0d 6a 61 56 a3 8e 08 8a 22 b6 5e  ....P.jaV....".^
568	  080  52 bc 51 4d 16 cc f8 06 81 8c e9 1a b7 79 37 36  R.QM.........y76
569	  096  5a f9 0b bf 74 a3 5b e6 b4 0b 8e ed f2 78 5e 42  Z...t.[......x^B
570	  112  87 4d                                            .M

572	2.5.  The Poly1305 Algorithm

574	   Poly1305 is a one-time authenticator designed by D. J. Bernstein.
575	   Poly1305 takes a 32-byte one-time key and a message and produces a
576	   16-byte tag.  This tag is used to authenticate the message.

578	   The original article ([Poly1305]) is titled "The Poly1305-AES
579	   message-authentication code", and the MAC function there requires a
580	   128-bit AES key, a 128-bit "additional key", and a 128-bit (non-
581	   secret) nonce.  AES is used there for encrypting the nonce, so as to
582	   get a unique (and secret) 128-bit string, but as the paper states,
583	   "There is nothing special about AES here.  One can replace AES with
584	   an arbitrary keyed function from an arbitrary set of nonces to
585	   16-byte strings."

587	   Regardless of how the key is generated, the key is partitioned into
588	   two parts, called "r" and "s".  The pair (r,s) should be unique, and
589	   MUST be unpredictable for each invocation (that is why it was
590	   originally obtained by encrypting a nonce), while "r" MAY be
591	   constant, but needs to be modified as follows before being used: ("r"
592	   is treated as a 16-octet little-endian number):

594	   o  r[3], r[7], r[11], and r[15] are required to have their top four
595	      bits clear (be smaller than 16)

597	   o  r[4], r[8], and r[12] are required to have their bottom two bits
598	      clear (be divisible by 4)

600	   The following sample code clamps "r" to be appropriate:

602	   /*
603	   Adapted from poly1305aes_test_clamp.c version 20050207
604	   D. J. Bernstein
605	   Public domain.
606	   */

608	   #include "poly1305aes_test.h"

610	   void poly1305aes_test_clamp(unsigned char r[16])
611	   {
612	     r[3] &= 15;
613	     r[7] &= 15;
614	     r[11] &= 15;
615	     r[15] &= 15;
616	     r[4] &= 252;
617	     r[8] &= 252;
618	     r[12] &= 252;
619	   }

621	   Where "&=" is the C language bitwise AND assignment operator.

623	   The "s" should be unpredictable, but it is perfectly acceptable to
624	   generate both "r" and "s" uniquely each time.  Because each of them
625	   is 128 bits, pseudorandomly generating them (see Section 2.6) is also
626	   acceptable.

628	   The inputs to Poly1305 are:

630	   o  A 256-bit one-time key

632	   o  An arbitrary length message

634	   The output is a 128-bit tag.

636	   First, the "r" value should be clamped.

638	   Next, set the constant prime "P" be 2^130-5:
639	   3fffffffffffffffffffffffffffffffb.  Also set a variable "accumulator"
640	   to zero.

642	   Next, divide the message into 16-byte blocks.  The last one might be
643	   shorter:

645	   o  Read the block as a little-endian number.

647	   o  Add one bit beyond the number of octets.  For a 16-byte block,
648	      this is equivalent to adding 2^128 to the number.  For the shorter
649	      block, it can be 2^120, 2^112, or any power of two that is evenly
650	      divisible by 8, all the way down to 2^8.

652	   o  If the block is not 17 bytes long (the last block), pad it with
653	      zeros.  This is meaningless if you are treating the blocks as
654	      numbers.

656	   o  Add this number to the accumulator.

658	   o  Multiply by "r".

660	   o  Set the accumulator to the result modulo p.  To summarize: Acc =
661	      ((Acc+block)*r) % p.

663	   Finally, the value of the secret key "s" is added to the accumulator,
664	   and the 128 least significant bits are serialized in little-endian
665	   order to form the tag.

667	2.5.1.  The Poly1305 Algorithms in Pseudocode

669	      clamp(r): r &= 0x0ffffffc0ffffffc0ffffffc0fffffff
670	      poly1305_mac(msg, key):
671	         r = le_bytes_to_num(key[0..15])
672	         clamp(r)
673	         s = le_bytes_to_num(key[16..31])
674	         a = 0  /* a is the accumulator */
675	         p = (1<<130)-5
676	         for i=1 upto ceil(msg length in bytes / 16)
677	            n = le_bytes_to_num(msg[((i-1)*16)..(i*16)] | [0x01])
678	            a += n
679	            a = (r * a) % p
680	            end
681	         a += s
682	         return num_to_16_le_bytes(a)
683	         end

685	2.5.2.  Poly1305 Example and Test Vector

687	   For our example, we will dispense with generating the one-time key
688	   using AES, and assume that we got the following keying material:

690	   o  Key Material: 85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8:01:0
691	      3:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49:f5:1b

693	   o  s as an octet string:
694	      01:03:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49:f5:1b

696	   o  s as a 128-bit number: 1bf54941aff6bf4afdb20dfb8a800301
697	   o  r before clamping: 85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8

699	   o  Clamped r as a number: 806d5400e52447c036d555408bed685

701	   For our message, we'll use a short text:

703	  Message to be Authenticated:
704	  000  43 72 79 70 74 6f 67 72 61 70 68 69 63 20 46 6f  Cryptographic Fo
705	  016  72 75 6d 20 52 65 73 65 61 72 63 68 20 47 72 6f  rum Research Gro
706	  032  75 70                                            up

708	   Since Poly1305 works in 16-byte chunks, the 34-byte message divides
709	   into three blocks.  In the following calculation, "Acc" denotes the
710	   accumulator and "Block" the current block:

712	   Block #1

714	   Acc = 00
715	   Block = 6f4620636968706172676f7470797243
716	   Block with 0x01 byte = 016f4620636968706172676f7470797243
717	   Acc + block = 016f4620636968706172676f7470797243
718	   (Acc+Block) * r =
719	        b83fe991ca66800489155dcd69e8426ba2779453994ac90ed284034da565ecf
720	   Acc = ((Acc+Block)*r) % P = 2c88c77849d64ae9147ddeb88e69c83fc

722	   Block #2

724	   Acc = 2c88c77849d64ae9147ddeb88e69c83fc
725	   Block = 6f7247206863726165736552206d7572
726	   Block with 0x01 byte = 016f7247206863726165736552206d7572
727	   Acc + block = 437febea505c820f2ad5150db0709f96e
728	   (Acc+Block) * r =
729	        21dcc992d0c659ba4036f65bb7f88562ae59b32c2b3b8f7efc8b00f78e548a26
730	   Acc = ((Acc+Block)*r) % P = 2d8adaf23b0337fa7cccfb4ea344b30de

732	   Last Block

734	   Acc = 2d8adaf23b0337fa7cccfb4ea344b30de
735	   Block = 7075
736	   Block with 0x01 byte = 017075
737	   Acc + block = 2d8adaf23b0337fa7cccfb4ea344ca153
738	   (Acc + Block) * r =
739	        16d8e08a0f3fe1de4fe4a15486aca7a270a29f1e6c849221e4a6798b8e45321f
740	   ((Acc + Block) * r) % P = 28d31b7caff946c77c8844335369d03a7

742	   Adding s, we get this number, and serialize if to get the tag:

744	   Acc + s = 2a927010caf8b2bc2c6365130c11d06a8

746	   Tag: a8:06:1d:c1:30:51:36:c6:c2:2b:8b:af:0c:01:27:a9

748	2.6.  Generating the Poly1305 Key Using ChaCha20

750	   As said in Section 2.5, it is acceptable to generate the one-time
751	   Poly1305 key pseudorandomly.  This section defines such a method.

753	   To generate such a key pair (r,s), we will use the ChaCha20 block
754	   function described in Section 2.3.  This assumes that we have a
755	   256-bit session key specifically for the Message Authentication Code
756	   (MAC) function.  Any document that specifies the use of Poly1305 as a
757	   MAC algorithm for some protocol must specify that 256 bits are
758	   allocated for the integrity key.  Note that in the AEAD construction
759	   defined in Section 2.8, the same key is used for encryption and key
760	   generation.

762	   The method is to call the block function with the following
763	   parameters:

765	   o  The 256-bit session integrity key is used as the ChaCha20 key.

767	   o  The block counter is set to zero.

769	   o  The protocol will specify a 96-bit or 64-bit nonce.  This MUST be
770	      unique per invocation with the same key, so it MUST NOT be
771	      randomly generated.  A counter is a good way to implement this,
772	      but other methods, such as a Linear Feedback Shift Register (LFSR)
773	      are also acceptable.  ChaCha20 as specified here requires a 96-bit
774	      nonce.  So if the provided nonce is only 64-bit, then the first 32
775	      bits of the nonce will be set to a constant number.  This will
776	      usually be zero, but for protocols with multiple senders it may be
777	      different for each sender, but should be the same for all
778	      invocations of the function with the same key by a particular
779	      sender.

781	   After running the block function, we have a 512-bit state.  We take
782	   the first 256 bits of the serialized state, and use those as the one-
783	   time Poly1305 key: the first 128 bits are clamped and form "r", while
784	   the next 128 bits become "s".  The other 256 bits are discarded.

786	   Note that while many protocols have provisions for a nonce for
787	   encryption algorithms (often called Initialization Vectors, or IVs),
788	   they usually don't have such a provision for the MAC function.  In
789	   that case, the per-invocation nonce will have to come from somewhere
790	   else, such as a message counter.

792	2.6.1.  Poly1305 Key Generation in Pseudocode

794	      poly1305_key_gen(key,nonce):
795	         counter = 0
796	         block = chacha20_block(key,counter,nonce)
797	         return block[0..31]
798	         end

800	2.6.2.  Poly1305 Key Generation Test Vector

802	   For this example, we'll set:

804	  Key:
805	  000  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f  ................
806	  016  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f  ................

808	   Nonce:
809	   000  00 00 00 00 00 01 02 03 04 05 06 07              ............

811	   The ChaCha state setup with key, nonce, and block counter zero:
812	         61707865  3320646e  79622d32  6b206574
813	         83828180  87868584  8b8a8988  8f8e8d8c
814	         93929190  97969594  9b9a9998  9f9e9d9c
815	         00000000  00000000  03020100  07060504

817	   The ChaCha state after 20 rounds:
818	         8ba0d58a  cc815f90  27405081  7194b24a
819	         37b633a8  a50dfde3  e2b8db08  46a6d1fd
820	         7da03782  9183a233  148ad271  b46773d1
821	         3cc1875a  8607def1  ca5c3086  7085eb87

823	  Output bytes:
824	  000  8a d5 a0 8b 90 5f 81 cc 81 50 40 27 4a b2 94 71  ....._...P@'J..q
825	  016  a8 33 b6 37 e3 fd 0d a5 08 db b8 e2 fd d1 a6 46  .3.7...........F

827	   And that output is also the 32-byte one-time key used for Poly1305.

829	2.7.  A Pseudorandom Function for Crypto Suites based on ChaCha/Poly1305

831	   Some protocols, such as IKEv2 ([RFC7296]), require a Pseudorandom
832	   Function (PRF), mostly for key derivation.  In the IKEv2 definition,
833	   a PRF is a function that accepts a variable-length key and a
834	   variable-length input, and returns a fixed-length output.  Most
835	   commonly, Hashed MAC (HMAC) constructions are used for this purpose,
836	   and often the same function is used for both message authentication
837	   and PRF.

839	   Poly1305 is not a suitable choice for a PRF.  Poly1305 prohibits
840	   using the same key twice, whereas the PRF in IKEv2 is used multiple
841	   times with the same key.  Additionally, unlike HMAC, Poly1305 is
842	   biased, so using it for key derivation would reduce the security of
843	   the symmetric encryption.

845	   Chacha20 could be used as a key-derivation function, by generating an
846	   arbitrarily long keystream.  However, that is not what protocols such
847	   as IKEv2 require.

849	   For this reason, this document does not specify a PRF.

851	2.8.  AEAD Construction

853	   AEAD_CHACHA20_POLY1305 is an authenticated encryption with additional
854	   data algorithm.  The inputs to AEAD_CHACHA20_POLY1305 are:

856	   o  A 256-bit key

858	   o  A 96-bit nonce -- different for each invocation with the same key

860	   o  An arbitrary length plaintext

862	   o  Arbitrary length additional authenticated data (AAD)

864	   Some protocols may have unique per-invocation inputs that are not 96
865	   bits in length.  For example, IPsec may specify a 64-bit nonce.  In
866	   such a case, it is up to the protocol document to define how to
867	   transform the protocol nonce into a 96-bit nonce, for example, by
868	   concatenating a constant value.

870	   The ChaCha20 and Poly1305 primitives are combined into an AEAD that
871	   takes a 256-bit key and 96-bit nonce as follows:

873	   o  First, a Poly1305 one-time key is generated from the 256-bit key
874	      and nonce using the procedure described in Section 2.6.

876	   o  Next, the ChaCha20 encryption function is called to encrypt the
877	      plaintext, using the same key and nonce, and with the initial
878	      counter set to 1.

880	   o  Finally, the Poly1305 function is called with the Poly1305 key
881	      calculated above, and a message constructed as a concatenation of
882	      the following:

884	      *  The AAD
885	      *  padding1 -- the padding is up to 15 zero bytes, and it brings
886	         the total length so far to an integral multiple of 16.  If the
887	         length of the AAD was already an integral multiple of 16 bytes,
888	         this field is zero-length.

890	      *  The ciphertext

892	      *  padding2 -- the padding is up to 15 zero bytes, and it brings
893	         the total length so far to an integral multiple of 16.  If the
894	         length of the ciphertext was already an integral multiple of 16
895	         bytes, this field is zero-length.

897	      *  The length of the additional data in octets (as a 64-bit
898	         little-endian integer).

900	      *  The length of the ciphertext in octets (as a 64-bit little-
901	         endian integer).

903	   The output from the AEAD is the concatenation of:

905	   o  A ciphertext of the same length as the plaintext.

907	   o  A 128-bit tag, which is the output of the Poly1305 function.

909	   Decryption is similar with the following differences:

911	   o  The roles of ciphertext and plaintext are reversed, so the
912	      ChaCha20 encryption function is applied to the ciphertext,
913	      producing the plaintext.

915	   o  The Poly1305 function is still run on the AAD and the ciphertext,
916	      not the plaintext.

918	   o  The calculated tag is bitwise compared to the received tag.  The
919	      message is authenticated if and only if the tags match.

921	   A few notes about this design:

923	   1.  The amount of encrypted data possible in a single invocation is
924	       2^32-1 blocks of 64 bytes each, because of the size of the block
925	       counter field in the ChaCha20 block function.  This gives a total
926	       of 274,877,906,880 bytes, or nearly 256 GB.  This should be
927	       enough for traffic protocols such as IPsec and TLS, but may be
928	       too small for file and/or disk encryption.  For such uses, we can
929	       return to the original design, reduce the nonce to 64 bits, and
930	       use the integer at position 13 as the top 32 bits of a 64-bit
931	       block counter, increasing the total message size to over a
932	       million petabytes (1,180,591,620,717,411,303,360 bytes to be
933	       exact).

935	   2.  Despite the previous item, the ciphertext length field in the
936	       construction of the buffer on which Poly1305 runs limits the
937	       ciphertext (and hence, the plaintext) size to 2^64 bytes, or
938	       sixteen thousand petabytes (18,446,744,073,709,551,616 bytes to
939	       be exact).

941	   The AEAD construction in this section is a novel composition of
942	   ChaCha20 and Poly1305.  A security analysis of this composition is
943	   given in [Procter].

945	   Here is a list of the parameters for this construction as defined in
946	   Section 4 of RFC 5116:

948	   o  K_LEN (key length) is 32 octets.

950	   o  P_MAX (maximum size of the plaintext) is 247,877,906,880 bytes, or
951	      nearly 256 GB.

953	   o  A_MAX (maximum size of the associated data) is set to 2^64-1
954	      octets by the length field for associated data.

956	   o  N_MIN = N_MAX = 12 octets.

958	   o  C_MAX = P_MAX + tag length = 274,877,906,896 octets.

960	   Distinct AAD inputs (as described in Section 3.3 of RFC 5116) shall
961	   be concatenated into a single input to AEAD_CHACHA20_POLY1305.  It is
962	   up to the application to create a structure in the AAD input if it is
963	   needed.

965	2.8.1.  Pseudocode for the AEAD Construction

967	      pad16(x):
968	         if (len(x) % 16)==0
969	            then return NULL
970	            else return copies(0, 16-(len(x)%16))
971	         end

973	      chacha20_aead_encrypt(aad, key, iv, constant, plaintext):
974	         nonce = constant | iv
975	         otk = poly1305_key_gen(key, nonce)
976	         ciphertext = chacha20_encrypt(key, 1, nonce, plaintext)
977	         mac_data = aad | pad16(aad)
978	         mac_data |= ciphertext | pad16(ciphertext)
979	         mac_data |= num_to_8_le_bytes(aad.length)
980	         mac_data |= num_to_8_le_bytes(ciphertext.length)
981	         tag = poly1305_mac(mac_data, otk)
982	         return (ciphertext, tag)

984	2.8.2.  Example and Test Vector for AEAD_CHACHA20_POLY1305

986	   For a test vector, we will use the following inputs to the
987	   AEAD_CHACHA20_POLY1305 function:

989	  Plaintext:
990	  000  4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c  Ladies and Gentl
991	  016  65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73  emen of the clas
992	  032  73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63  s of '99: If I c
993	  048  6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f  ould offer you o
994	  064  6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20  nly one tip for
995	  080  74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73  the future, suns
996	  096  63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69  creen would be i
997	  112  74 2e                                            t.

999	   AAD:
1000	   000  50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7              PQRS........

1002	  Key:
1003	  000  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f  ................
1004	  016  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f  ................

1006	   IV:
1007	   000  40 41 42 43 44 45 46 47                          @ABCDEFG

1009	   32-bit fixed-common part:
1010	   000  07 00 00 00                                      ....

1012	   Setup for generating Poly1305 one-time key (sender id=7):
1013	       61707865  3320646e  79622d32  6b206574
1014	       83828180  87868584  8b8a8988  8f8e8d8c
1015	       93929190  97969594  9b9a9998  9f9e9d9c
1016	       00000000  00000007  43424140  47464544

1018	   After generating Poly1305 one-time key:
1019	       252bac7b  af47b42d  557ab609  8455e9a4
1020	       73d6e10a  ebd97510  7875932a  ff53d53e
1021	       decc7ea2  b44ddbad  e49c17d1  d8430bc9
1022	       8c94b7bc  8b7d4b4b  3927f67d  1669a432

1024	  Poly1305 Key:
1025	  000  7b ac 2b 25 2d b4 47 af 09 b6 7a 55 a4 e9 55 84  {.+%-.G...zU..U.
1026	  016  0a e1 d6 73 10 75 d9 eb 2a 93 75 78 3e d5 53 ff  ...s.u..*.ux>.S.

1028	  Poly1305 r =  455e9a4057ab6080f47b42c052bac7b
1029	  Poly1305 s = ff53d53e7875932aebd9751073d6e10a

1031	   keystream bytes:
1032	   9f:7b:e9:5d:01:fd:40:ba:15:e2:8f:fb:36:81:0a:ae:
1033	   c1:c0:88:3f:09:01:6e:de:dd:8a:d0:87:55:82:03:a5:
1034	   4e:9e:cb:38:ac:8e:5e:2b:b8:da:b2:0f:fa:db:52:e8:
1035	   75:04:b2:6e:be:69:6d:4f:60:a4:85:cf:11:b8:1b:59:
1036	   fc:b1:c4:5f:42:19:ee:ac:ec:6a:de:c3:4e:66:69:78:
1037	   8e:db:41:c4:9c:a3:01:e1:27:e0:ac:ab:3b:44:b9:cf:
1038	   5c:86:bb:95:e0:6b:0d:f2:90:1a:b6:45:e4:ab:e6:22:
1039	   15:38

1041	  Ciphertext:
1042	  000  d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2  ...4d.`.{...S.~.
1043	  016  a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6  ...Q)n......6.b.
1044	  032  3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b  =..^..g....i..r.
1045	  048  1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36  .q.....)....~.;6
1046	  064  92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58  ....-w......(..X
1047	  080  fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc  ..$...u.U...H1..
1048	  096  3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b  ?....Kz..v.e...K
1049	  112  61 16                                            a.

1051	  AEAD Construction for Poly1305:
1052	  000  50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7 00 00 00 00  PQRS............
1053	  016  d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2  ...4d.`.{...S.~.
1054	  032  a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6  ...Q)n......6.b.
1055	  048  3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b  =..^..g....i..r.
1056	  064  1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36  .q.....)....~.;6
1057	  080  92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58  ....-w......(..X
1058	  096  fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc  ..$...u.U...H1..
1059	  112  3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b  ?....Kz..v.e...K
1060	  128  61 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00  a...............
1061	  144  0c 00 00 00 00 00 00 00 72 00 00 00 00 00 00 00  ........r.......

1063	   Note the four zero bytes in line 000 and the 14 zero bytes in line
1064	   128
1065	   Tag:
1066	   1a:e1:0b:59:4f:09:e2:6a:7e:90:2e:cb:d0:60:06:91

1068	3.  Implementation Advice

1070	   Each block of ChaCha20 involves 16 move operations and one increment
1071	   operation for loading the state, 80 each of XOR, addition and roll
1072	   operations for the rounds, 16 more add operations and 16 XOR
1073	   operations for protecting the plaintext.  Section 2.3 describes the
1074	   ChaCha block function as "adding the original input words".  This
1075	   implies that before starting the rounds on the ChaCha state, we copy
1076	   it aside, only to add it in later.  This is correct, but we can save
1077	   a few operations if we instead copy the state and do the work on the
1078	   copy.  This way, for the next block you don't need to recreate the
1079	   state, but only to increment the block counter.  This saves
1080	   approximately 5.5% of the cycles.

1082	   It is not recommended to use a generic big number library such as the
1083	   one in OpenSSL for the arithmetic operations in Poly1305.  Such
1084	   libraries use dynamic allocation to be able to handle an integer of
1085	   any size, but that flexibility comes at the expense of performance as
1086	   well as side-channel security.  More efficient implementations that
1087	   run in constant time are available, one of them in D. J. Bernstein's
1088	   own library, NaCl ([NaCl]).  A constant-time but not optimal approach
1089	   would be to naively implement the arithmetic operations for 288-bit
1090	   integers, because even a naive implementation will not exceed 2^288
1091	   in the multiplication of (acc+block) and r.  An efficient constant-
1092	   time implementation can be found in the public domain library
1093	   poly1305-donna ([Poly1305_Donna]).

1095	4.  Security Considerations

1097	   The ChaCha20 cipher is designed to provide 256-bit security.

1099	   The Poly1305 authenticator is designed to ensure that forged messages
1100	   are rejected with a probability of 1-(n/(2^102)) for a 16n-byte
1101	   message, even after sending 2^64 legitimate messages, so it is
1102	   SUF-CMA (strong unforgeability against chosen-message attacks) in the
1103	   terminology of [AE].

1105	   Proving the security of either of these is beyond the scope of this
1106	   document.  Such proofs are available in the referenced academic
1107	   papers ([ChaCha], [Poly1305], [LatinDances], [LatinDances2], and
1108	   [Zhenqing2012]).

1110	   The most important security consideration in implementing this
1111	   document is the uniqueness of the nonce used in ChaCha20.  Counters
1112	   and LFSRs are both acceptable ways of generating unique nonces, as is
1113	   encrypting a counter using a block cipher with a 64-bit block size
1114	   such as DES.  Note that it is not acceptable to use a truncation of a
1115	   counter encrypted with block ciphers with 128-bit or 256-bit blocks,
1116	   because such a truncation may repeat after a short time.

1118	   Consequences of repeating a nonce: If a nonce is repeated, then both
1119	   the one-time Poly1305 key and the keystream are identical between the
1120	   messages.  This reveals the XOR of the plaintexts, because the XOR of
1121	   the plaintexts is equal to the XOR of the ciphertexts.

1123	   The Poly1305 key MUST be unpredictable to an attacker.  Randomly
1124	   generating the key would fulfill this requirement, except that
1125	   Poly1305 is often used in communications protocols, so the receiver
1126	   should know the key.  Pseudorandom number generation such as by
1127	   encrypting a counter is acceptable.  Using ChaCha with a secret key
1128	   and a nonce is also acceptable.

1130	   The algorithms presented here were designed to be easy to implement
1131	   in constant time to avoid side-channel vulnerabilities.  The
1132	   operations used in ChaCha20 are all additions, XORs, and fixed rolls.
1133	   All of these can and should be implemented in constant time.  Access
1134	   to offsets into the ChaCha state and the number of operations do not
1135	   depend on any property of the key, eliminating the chance of
1136	   information about the key leaking through the timing of cache misses.

1138	   For Poly1305, the operations are addition, multiplication. and
1139	   modulus, all on numbers with greater than 128 bits.  This can be done
1140	   in constant time, but a naive implementation (such as using some
1141	   generic big number library) will not be constant time.  For example,
1142	   if the multiplication is performed as a separate operation from the
1143	   modulus, the result will sometimes be under 2^256 and sometimes be
1144	   above 2^256.  Implementers should be careful about timing side-
1145	   channels for Poly1305 by using the appropriate implementation of
1146	   these operations.

1148	   Validating the authenticity of a message involves a bitwise
1149	   comparison of the calculated tag with the received tag.  In most use
1150	   cases, nonces and AAD contents are not "used up" until a valid
1151	   message is received.  This allows an attacker to send multiple
1152	   identical messages with different tags until one passes the tag
1153	   comparison.  This is hard if the attacker has to try all 2^128
1154	   possible tags one by one.  However, if the timing of the tag
1155	   comparison operation reveals how long a prefix of the calculated and
1156	   received tags is identical, the number of messages can be reduced
1157	   significantly.  For this reason, with online protocols,
1158	   implementation MUST use a constant-time comparison function rather
1159	   than relying on optimized but insecure library functions such as the
1160	   C language's memcmp().

1162	   Additionally, any protocol using this algorithm MUST include the
1163	   complete tag to minimize the opportunity for forgery.  Tag truncation
1164	   MUST NOT be done.

1166	5.  IANA Considerations

1168	   IANA has assigned an entry in the "Authenticated Encryption with
1169	   Associated Data (AEAD) Parameters" registry with 29 as the Numeric
1170	   ID, "AEAD_CHACHA20_POLY1305" as the name, and RFC 7539 as reference.

1172	   IANA is requested to modify the registry by using this document as
1173	   reference.

1175	6.  References

1177	6.1.  Normative References

1179	   [ChaCha]   Bernstein, D., "ChaCha, a variant of Salsa20", January
1180	              2008, <http://cr.yp.to/chacha/chacha-20080128.pdf>.

1182	   [Poly1305]
1183	              Bernstein, D., "The Poly1305-AES message-authentication
1184	              code", March 2005,
1185	              <http://cr.yp.to/mac/poly1305-20050329.pdf>.

1187	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1188	              Requirement Levels", BCP 14, RFC 2119,
1189	              DOI 10.17487/RFC2119, March 1997,
1190	              <http://www.rfc-editor.org/info/rfc2119>.

1192	6.2.  Informative References

1194	   [AE]       Bellare, M. and C. Namprempre, "Authenticated Encryption:
1195	              Relations among notions and analysis of the generic
1196	              composition paradigm", September 2008,
1197	              <http://dl.acm.org/citation.cfm?id=1410269>.

1199	   [Cache-Collisions]
1200	              Bonneau, J. and I. Mironov, "Cache-Collision Timing
1201	              Attacks Against AES", 2006,
1202	              <http://research.microsoft.com/pubs/64024/aes-timing.pdf>.

1204	   [FIPS-197]
1205	              National Institute of Standards and Technology, "Advanced
1206	              Encryption Standard (AES)", FIPS PUB 197, November 2001,
1207	              <http://csrc.nist.gov/publications/fips/fips197/
1208	              fips-197.pdf>.

1210	   [LatinDances]
1211	              Aumasson, J., Fischer, S., Khazaei, S., Meier, W., and C.
1212	              Rechberger, "New Features of Latin Dances: Analysis of
1213	              Salsa, ChaCha, and Rumba", December 2007,
1214	              <http://cr.yp.to/rumba20/newfeatures-20071218.pdf>.

1216	   [LatinDances2]
1217	              Ishiguro, T., Kiyomoto, S., and Y. Miyake, "Modified
1218	              version of 'Latin Dances Revisited: New Analytic Results
1219	              of Salsa20 and ChaCha'", February 2012,
1220	              <https://eprint.iacr.org/2012/065.pdf>.

1222	   [NaCl]     Bernstein, D., Lange, T., and P. Schwabe, "NaCl:
1223	              Networking and Cryptography library", July 2012,
1224	              <http://nacl.cr.yp.to>.

1226	   [Poly1305_Donna]
1227	              Floodyberry, A., "poly1305-donna", February 2014,
1228	              <https://github.com/floodyberry/poly1305-donna>.

1230	   [Procter]  Procter, G., "A Security Analysis of the Composition of
1231	              ChaCha20 and Poly1305", August 2014,
1232	              <http://eprint.iacr.org/2014/613.pdf>.

1234	   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
1235	              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
1236	              <http://www.rfc-editor.org/info/rfc5116>.

1238	   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
1239	              Kivinen, "Internet Key Exchange Protocol Version 2
1240	              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
1241	              2014, <http://www.rfc-editor.org/info/rfc7296>.

1243	   [RFC7539]  Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
1244	              Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015,
1245	              <http://www.rfc-editor.org/info/rfc7539>.

1247	   [SP800-67]
1248	              National Institute of Standards and Technology,
1249	              "Recommendation for the Triple Data Encryption Algorithm
1250	              (TDEA) Block Cipher", NIST 800-67, January 2012,
1251	              <http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/
1252	              SP-800-67-Rev1.pdf>.

1254	   [Standby-Cipher]
1255	              McGrew, D., Grieco, A., and Y. Sheffer, "Selection of
1256	              Future Cryptographic Standards", Work in Progress, draft-
1257	              mcgrew-standby-cipher-00, January 2013.

1259	   [Zhenqing2012]
1260	              Zhenqing, S., Bin, Z., Dengguo, F., and W. Wenling,
1261	              "Improved Key Recovery Attacks on Reduced-Round Salsa20
1262	              and ChaCha*", 2012.

1264	Appendix A.  Additional Test Vectors

1266	   The subsections of this appendix contain more test vectors for the
1267	   algorithms in the sub-sections of Section 2.

1269	A.1.  The ChaCha20 Block Functions

1271	  Test Vector #1:
1272	  ==============

1274	  Key:
1275	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1276	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1278	  Nonce:
1279	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

1281	  Block Counter = 0

1283	    ChaCha state at the end
1284	        ade0b876  903df1a0  e56a5d40  28bd8653
1285	        b819d2bd  1aed8da0  ccef36a8  c70d778b
1286	        7c5941da  8d485751  3fe02477  374ad8b8
1287	        f4b8436a  1ca11815  69b687c3  8665eeb2

1289	  Keystream:
1290	  000  76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28  v.....=.@]j.S..(
1291	  016  bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7  .........6...w..
1292	  032  da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37  .AY|QWH.w$.?..J7
1293	  048  6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86  jC.........i..e.

1295	  Test Vector #2:
1296	  ==============

1298	  Key:
1299	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1300	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1302	  Nonce:
1303	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

1305	  Block Counter = 1

1307	    ChaCha state at the end
1308	        bee7079f  7a385155  7c97ba98  0d082d73
1309	        a0290fcb  6965e348  3e53c612  ed7aee32
1310	        7621b729  434ee69c  b03371d5  d539d874
1311	        281fed31  45fb0a51  1f0ae1ac  6f4d794b

1313	  Keystream:
1314	  000  9f 07 e7 be 55 51 38 7a 98 ba 97 7c 73 2d 08 0d  ....UQ8z...|s-..
1315	  016  cb 0f 29 a0 48 e3 65 69 12 c6 53 3e 32 ee 7a ed  ..).H.ei..S>2.z.
1316	  032  29 b7 21 76 9c e6 4e 43 d5 71 33 b0 74 d8 39 d5  ).!v..NC.q3.t.9.
1317	  048  31 ed 1f 28 51 0a fb 45 ac e1 0a 1f 4b 79 4d 6f  1..(Q..E....KyMo

1319	  Test Vector #3:
1320	  ==============

1322	  Key:
1323	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1324	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................

1326	  Nonce:
1327	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

1329	  Block Counter = 1

1331	    ChaCha state at the end
1332	        2452eb3a  9249f8ec  8d829d9b  ddd4ceb1
1333	        e8252083  60818b01  f38422b8  5aaa49c9
1334	        bb00ca8e  da3ba7b4  c4b592d1  fdf2732f
1335	        4436274e  2561b3c8  ebdd4aa6  a0136c00

1337	  Keystream:
1338	  000  3a eb 52 24 ec f8 49 92 9b 9d 82 8d b1 ce d4 dd  :.R$..I.........
1339	  016  83 20 25 e8 01 8b 81 60 b8 22 84 f3 c9 49 aa 5a  . %....`."...I.Z
1340	  032  8e ca 00 bb b4 a7 3b da d1 92 b5 c4 2f 73 f2 fd  ......;...../s..
1341	  048  4e 27 36 44 c8 b3 61 25 a6 4a dd eb 00 6c 13 a0  N'6D..a%.J...l..

1343	  Test Vector #4:
1344	  ==============

1346	  Key:
1347	  000  00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1348	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1350	  Nonce:
1351	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

1353	  Block Counter = 2

1355	    ChaCha state at the end
1356	        fb4dd572  4bc42ef1  df922636  327f1394
1357	        a78dea8f  5e269039  a1bebbc1  caf09aae
1358	        a25ab213  48a6b46c  1b9d9bcb  092c5be6
1359	        546ca624  1bec45d5  87f47473  96f0992e

1361	  Keystream:
1362	  000  72 d5 4d fb f1 2e c4 4b 36 26 92 df 94 13 7f 32  r.M....K6&.....2
1363	  016  8f ea 8d a7 39 90 26 5e c1 bb be a1 ae 9a f0 ca  ....9.&^........
1364	  032  13 b2 5a a2 6c b4 a6 48 cb 9b 9d 1b e6 5b 2c 09  ..Z.l..H.....[,.
1365	  048  24 a6 6c 54 d5 45 ec 1b 73 74 f4 87 2e 99 f0 96  $.lT.E..st......

1367	  Test Vector #5:
1368	  ==============

1370	  Key:
1371	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1372	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1374	  Nonce:
1375	  000  00 00 00 00 00 00 00 00 00 00 00 02              ............

1377	  Block Counter = 0

1379	    ChaCha state at the end
1380	        374dc6c2  3736d58c  b904e24a  cd3f93ef
1381	        88228b1a  96a4dfb3  5b76ab72  c727ee54
1382	        0e0e978a  f3145c95  1b748ea8  f786c297
1383	        99c28f5f  628314e8  398a19fa  6ded1b53

1385	  Keystream:
1386	  000  c2 c6 4d 37 8c d5 36 37 4a e2 04 b9 ef 93 3f cd  ..M7..67J.....?.
1387	  016  1a 8b 22 88 b3 df a4 96 72 ab 76 5b 54 ee 27 c7  ..".....r.v[T.'.
1388	  032  8a 97 0e 0e 95 5c 14 f3 a8 8e 74 1b 97 c2 86 f7  .....\....t.....
1389	  048  5f 8f c2 99 e8 14 83 62 fa 19 8a 39 53 1b ed 6d  _......b...9S..m

1391	A.2.  ChaCha20 Encryption

1393	  Test Vector #1:
1394	  ==============

1396	  Key:
1397	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1398	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1400	  Nonce:
1401	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

1403	  Initial Block Counter = 0

1405	  Plaintext:
1406	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1407	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1408	  032  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1409	  048  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1411	  Ciphertext:
1412	  000  76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28  v.....=.@]j.S..(
1413	  016  bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7  .........6...w..
1414	  032  da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37  .AY|QWH.w$.?..J7
1415	  048  6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86  jC.........i..e.

1417	  Test Vector #2:
1418	  ==============

1420	  Key:
1421	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1422	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................

1424	  Nonce:
1425	  000  00 00 00 00 00 00 00 00 00 00 00 02              ............

1427	  Initial Block Counter = 1

1429	  Plaintext:
1430	  000  41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74  Any submission t
1431	  016  6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e  o the IETF inten
1432	  032  64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72  ded by the Contr
1433	  048  69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69  ibutor for publi
1434	  064  63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72  cation as all or
1435	  080  20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46   part of an IETF
1436	  096  20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20   Internet-Draft
1437	  112  6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73  or RFC and any s
1438	  128  74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69  tatement made wi
1439	  144  74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74  thin the context
1440	  160  20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69   of an IETF acti
1441	  176  76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72  vity is consider
1442	  192  65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74  ed an "IETF Cont
1443	  208  72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20  ribution". Such
1444	  224  73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75  statements inclu
1445	  240  64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e  de oral statemen
1446	  256  74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69  ts in IETF sessi
1447	  272  6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20  ons, as well as
1448	  288  77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63  written and elec
1449	  304  74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61  tronic communica
1450	  320  74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e  tions made at an
1451	  336  79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c  y time or place,
1452	  352  20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65   which are addre
1453	  368  73 73 65 64 20 74 6f                             ssed to

1455	  Ciphertext:
1456	  000  a3 fb f0 7d f3 fa 2f de 4f 37 6c a2 3e 82 73 70  ...}../.O7l.>.sp
1457	  016  41 60 5d 9f 4f 4f 57 bd 8c ff 2c 1d 4b 79 55 ec  A`].OOW...,.KyU.
1458	  032  2a 97 94 8b d3 72 29 15 c8 f3 d3 37 f7 d3 70 05  *....r)....7..p.
1459	  048  0e 9e 96 d6 47 b7 c3 9f 56 e0 31 ca 5e b6 25 0d  ....G...V.1.^.%.
1460	  064  40 42 e0 27 85 ec ec fa 4b 4b b5 e8 ea d0 44 0e  @B.'....KK....D.
1461	  080  20 b6 e8 db 09 d8 81 a7 c6 13 2f 42 0e 52 79 50   ........./B.RyP
1462	  096  42 bd fa 77 73 d8 a9 05 14 47 b3 29 1c e1 41 1c  B..ws....G.)..A.
1463	  112  68 04 65 55 2a a6 c4 05 b7 76 4d 5e 87 be a8 5a  h.eU*....vM^...Z
1464	  128  d0 0f 84 49 ed 8f 72 d0 d6 62 ab 05 26 91 ca 66  ...I..r..b..&..f
1465	  144  42 4b c8 6d 2d f8 0e a4 1f 43 ab f9 37 d3 25 9d  BK.m-....C..7.%.
1466	  160  c4 b2 d0 df b4 8a 6c 91 39 dd d7 f7 69 66 e9 28  ......l.9...if.(
1467	  176  e6 35 55 3b a7 6c 5c 87 9d 7b 35 d4 9e b2 e6 2b  .5U;.l\..{5....+
1468	  192  08 71 cd ac 63 89 39 e2 5e 8a 1e 0e f9 d5 28 0f  .q..c.9.^.....(.
1469	  208  a8 ca 32 8b 35 1c 3c 76 59 89 cb cf 3d aa 8b 6c  ..2.5.<vY...=..l
1470	  224  cc 3a af 9f 39 79 c9 2b 37 20 fc 88 dc 95 ed 84  .:..9y.+7 ......
1471	  240  a1 be 05 9c 64 99 b9 fd a2 36 e7 e8 18 b0 4b 0b  ....d....6....K.
1472	  256  c3 9c 1e 87 6b 19 3b fe 55 69 75 3f 88 12 8c c0  ....k.;.Uiu?....
1473	  272  8a aa 9b 63 d1 a1 6f 80 ef 25 54 d7 18 9c 41 1f  ...c..o..%T...A.
1474	  288  58 69 ca 52 c5 b8 3f a3 6f f2 16 b9 c1 d3 00 62  Xi.R..?.o......b
1475	  304  be bc fd 2d c5 bc e0 91 19 34 fd a7 9a 86 f6 e6  ...-.....4......
1476	  320  98 ce d7 59 c3 ff 9b 64 77 33 8f 3d a4 f9 cd 85  ...Y...dw3.=....
1477	  336  14 ea 99 82 cc af b3 41 b2 38 4d d9 02 f3 d1 ab  .......A.8M.....
1478	  352  7a c6 1d d2 9c 6f 21 ba 5b 86 2f 37 30 e3 7c fd  z....o!.[./70.|.
1479	  368  c4 fd 80 6c 22 f2 21                             ...l".!
1480	  Test Vector #3:
1481	  ==============

1483	  Key:
1484	  000  1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0  ..@..U...3......
1485	  016  47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0  G9..@+....\. pu.

1487	  Nonce:
1488	  000  00 00 00 00 00 00 00 00 00 00 00 02              ............

1490	  Initial Block Counter = 42

1492	  Plaintext:
1493	  000  27 54 77 61 73 20 62 72 69 6c 6c 69 67 2c 20 61  'Twas brillig, a
1494	  016  6e 64 20 74 68 65 20 73 6c 69 74 68 79 20 74 6f  nd the slithy to
1495	  032  76 65 73 0a 44 69 64 20 67 79 72 65 20 61 6e 64  ves.Did gyre and
1496	  048  20 67 69 6d 62 6c 65 20 69 6e 20 74 68 65 20 77   gimble in the w
1497	  064  61 62 65 3a 0a 41 6c 6c 20 6d 69 6d 73 79 20 77  abe:.All mimsy w
1498	  080  65 72 65 20 74 68 65 20 62 6f 72 6f 67 6f 76 65  ere the borogove
1499	  096  73 2c 0a 41 6e 64 20 74 68 65 20 6d 6f 6d 65 20  s,.And the mome
1500	  112  72 61 74 68 73 20 6f 75 74 67 72 61 62 65 2e     raths outgrabe.

1502	  Ciphertext:
1503	  000  62 e6 34 7f 95 ed 87 a4 5f fa e7 42 6f 27 a1 df  b.4....._..Bo'..
1504	  016  5f b6 91 10 04 4c 0d 73 11 8e ff a9 5b 01 e5 cf  _....L.s....[...
1505	  032  16 6d 3d f2 d7 21 ca f9 b2 1e 5f b1 4c 61 68 71  .m=..!...._.Lahq
1506	  048  fd 84 c5 4f 9d 65 b2 83 19 6c 7f e4 f6 05 53 eb  ...O.e...l....S.
1507	  064  f3 9c 64 02 c4 22 34 e3 2a 35 6b 3e 76 43 12 a6  ..d.."4.*5k>vC..
1508	  080  1a 55 32 05 57 16 ea d6 96 25 68 f8 7d 3f 3f 77  .U2.W....%h.}??w
1509	  096  04 c6 a8 d1 bc d1 bf 4d 50 d6 15 4b 6d a7 31 b1  .......MP..Km.1.
1510	  112  87 b5 8d fd 72 8a fa 36 75 7a 79 7a c1 88 d1     ....r..6uzyz...

1512	A.3.  Poly1305 Message Authentication Code

1514	   Notice how, in test vector #2, r is equal to zero.  The part of the
1515	   Poly1305 algorithm where the accumulator is multiplied by r means
1516	   that with r equal zero, the tag will be equal to s regardless of the
1517	   content of the text.  Fortunately, all the proposed methods of
1518	   generating r are such that getting this particular weak key is very
1519	   unlikely.

1521	  Test Vector #1:
1522	  ==============

1524	  One-time Poly1305 Key:
1525	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1526	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1528	  Text to MAC:
1529	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1530	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1531	  032  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1532	  048  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1534	  Tag:
1535	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1537	  Test Vector #2:
1538	  ==============

1540	  One-time Poly1305 Key:
1541	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1542	  016  36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e  6.....`p...."z.>

1544	  Text to MAC:
1545	  000  41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74  Any submission t
1546	  016  6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e  o the IETF inten
1547	  032  64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72  ded by the Contr
1548	  048  69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69  ibutor for publi
1549	  064  63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72  cation as all or
1550	  080  20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46   part of an IETF
1551	  096  20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20   Internet-Draft
1552	  112  6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73  or RFC and any s
1553	  128  74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69  tatement made wi
1554	  144  74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74  thin the context
1555	  160  20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69   of an IETF acti
1556	  176  76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72  vity is consider
1557	  192  65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74  ed an "IETF Cont
1558	  208  72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20  ribution". Such
1559	  224  73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75  statements inclu
1560	  240  64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e  de oral statemen
1561	  256  74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69  ts in IETF sessi
1562	  272  6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20  ons, as well as
1563	  288  77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63  written and elec
1564	  304  74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61  tronic communica
1565	  320  74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e  tions made at an
1566	  336  79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c  y time or place,
1567	  352  20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65   which are addre
1568	  368  73 73 65 64 20 74 6f                             ssed to

1570	  Tag:
1571	  000  36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e  6.....`p...."z.>
1572	  Test Vector #3:
1573	  ==============

1575	  One-time Poly1305 Key:
1576	  000  36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e  6.....`p...."z.>
1577	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1579	  Text to MAC:
1580	  000  41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74  Any submission t
1581	  016  6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e  o the IETF inten
1582	  032  64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72  ded by the Contr
1583	  048  69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69  ibutor for publi
1584	  064  63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72  cation as all or
1585	  080  20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46   part of an IETF
1586	  096  20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20   Internet-Draft
1587	  112  6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73  or RFC and any s
1588	  128  74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69  tatement made wi
1589	  144  74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74  thin the context
1590	  160  20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69   of an IETF acti
1591	  176  76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72  vity is consider
1592	  192  65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74  ed an "IETF Cont
1593	  208  72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20  ribution". Such
1594	  224  73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75  statements inclu
1595	  240  64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e  de oral statemen
1596	  256  74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69  ts in IETF sessi
1597	  272  6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20  ons, as well as
1598	  288  77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63  written and elec
1599	  304  74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61  tronic communica
1600	  320  74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e  tions made at an
1601	  336  79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c  y time or place,
1602	  352  20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65   which are addre
1603	  368  73 73 65 64 20 74 6f                             ssed to

1605	  Tag:
1606	  000  f3 47 7e 7c d9 54 17 af 89 a6 b8 79 4c 31 0c f0  .G~|.T.....yL1..

1608	  Test Vector #4:
1609	  ==============

1611	  One-time Poly1305 Key:
1612	  000  1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0  ..@..U...3......
1613	  016  47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0  G9..@+....\. pu.

1615	  Text to MAC:
1616	  000  27 54 77 61 73 20 62 72 69 6c 6c 69 67 2c 20 61  'Twas brillig, a
1617	  016  6e 64 20 74 68 65 20 73 6c 69 74 68 79 20 74 6f  nd the slithy to
1618	  032  76 65 73 0a 44 69 64 20 67 79 72 65 20 61 6e 64  ves.Did gyre and
1619	  048  20 67 69 6d 62 6c 65 20 69 6e 20 74 68 65 20 77   gimble in the w
1620	  064  61 62 65 3a 0a 41 6c 6c 20 6d 69 6d 73 79 20 77  abe:.All mimsy w
1621	  080  65 72 65 20 74 68 65 20 62 6f 72 6f 67 6f 76 65  ere the borogove
1622	  096  73 2c 0a 41 6e 64 20 74 68 65 20 6d 6f 6d 65 20  s,.And the mome
1623	  112  72 61 74 68 73 20 6f 75 74 67 72 61 62 65 2e     raths outgrabe.

1625	  Tag:
1626	  000  45 41 66 9a 7e aa ee 61 e7 08 dc 7c bc c5 eb 62  EAf.~..a...|...b

1628	   Test Vector #5: If one uses 130-bit partial reduction, does the code
1629	   handle the case where partially reduced final result is not fully
1630	   reduced?

1632	   R:
1633	   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1634	   S:
1635	   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1636	   data:
1637	   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
1638	   tag:
1639	   03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

1641	   Test Vector #6: What happens if addition of s overflows modulo 2^128?

1643	   R:
1644	   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1645	   S:
1646	   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
1647	   data:
1648	   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1649	   tag:
1650	   03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1651	   Test Vector #7: What happens if data limb is all ones and there is
1652	   carry from lower limb?

1654	   R:
1655	   01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1656	   S:
1657	   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1658	   data:
1659	   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
1660	   F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
1661	   11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1662	   tag:
1663	   05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

1665	   Test Vector #8: What happens if final result from polynomial part is
1666	   exactly 2^130-5?

1668	   R:
1669	   01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1670	   S:
1671	   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1672	   data:
1673	   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
1674	   FB FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE
1675	   01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
1676	   tag:
1677	   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

1679	   Test Vector #9: What happens if final result from polynomial part is
1680	   exactly 2^130-6?

1682	   R:
1683	   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1684	   S:
1685	   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1686	   data:
1687	   FD FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
1688	   tag:
1689	   FA FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
1690	   Test Vector #10: What happens if 5*H+L-type reduction produces
1691	   131-bit intermediate result?

1693	   R:
1694	   01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
1695	   S:
1696	   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1697	   data:
1698	   E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00
1699	   33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00
1700	   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1701	   01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1702	   tag:
1703	   14 00 00 00 00 00 00 00 55 00 00 00 00 00 00 00

1705	   Test Vector #11: What happens if 5*H+L-type reduction produces
1706	   131-bit final result?

1708	   R:
1709	   01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
1710	   S:
1711	   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1712	   data:
1713	   E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00
1714	   33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00
1715	   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1716	   tag:
1717	   13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

1719	A.4.  Poly1305 Key Generation Using ChaCha20

1721	  Test Vector #1:
1722	  ==============

1724	  The ChaCha20 Key:
1725	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1726	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

1728	  The nonce:
1729	  000  00 00 00 00 00 00 00 00 00 00 00 00              ............

1731	  Poly1305 one-time key:
1732	  000  76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28  v.....=.@]j.S..(
1733	  016  bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7  .........6...w..

1735	  Test Vector #2:
1736	  ==============

1738	  The ChaCha20 Key
1739	  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1740	  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................

1742	  The nonce:
1743	  000  00 00 00 00 00 00 00 00 00 00 00 02              ............

1745	  Poly1305 one-time key:
1746	  000  ec fa 25 4f 84 5f 64 74 73 d3 cb 14 0d a9 e8 76  ..%O._dts......v
1747	  016  06 cb 33 06 6c 44 7b 87 bc 26 66 dd e3 fb b7 39  ..3.lD{..&f....9

1749	  Test Vector #3:
1750	  ==============

1752	  The ChaCha20 Key
1753	  000  1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0  ..@..U...3......
1754	  016  47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0  G9..@+....\. pu.

1756	  The nonce:
1757	  000  00 00 00 00 00 00 00 00 00 00 00 02              ............

1759	  Poly1305 one-time key:
1760	  000  96 5e 3b c6 f9 ec 7e d9 56 08 08 f4 d2 29 f9 4b  .^;...~.V....).K
1761	  016  13 7f f2 75 ca 9b 3f cb dd 59 de aa d2 33 10 ae  ...u..?..Y...3..

1763	A.5.  ChaCha20-Poly1305 AEAD Decryption

1765	   Below we see decrypting a message.  We receive a ciphertext, a nonce,
1766	   and a tag.  We know the key.  We will check the tag and then
1767	   (assuming that it validates) decrypt the ciphertext.  In this
1768	   particular protocol, we'll assume that there is no padding of the
1769	   plaintext.

1771	  The ChaCha20 Key
1772	  000  1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0  ..@..U...3......
1773	  016  47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0  G9..@+....\. pu.

1775	  Ciphertext:
1776	  000  64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd  d...u...`.b...C.
1777	  016  5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2  ^.\.4\....g..l..
1778	  032  4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0  Ll..u]C....N8-&.
1779	  048  bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf  ...<2.....;.5X..
1780	  064  33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81  3/..q......J....
1781	  080  14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55  ...n..3.`....7.U
1782	  096  97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38  ...n...a..2N+5.8
1783	  112  36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4  6..{j|.....{S.g.
1784	  128  b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9  ..lv{.MF..R.....
1785	  144  90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e  .@...3"^.....lR>
1786	  160  af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a  .E4..?..[.Gq..Tj
1787	  176  0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a  ..+..VN..B"s.H'.
1788	  192  0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e  ..1`S.v..U..1YCN
1789	  208  ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10  ..NFm.Z.s.rv'.z.
1790	  224  49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30  I....6...h..w.q0
1791	  240  30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29  0[.......{qMlo,)
1792	  256  a6 ad 5c b4 02 2b 02 70 9b                       ..\..+.p.

1794	  The nonce:
1795	  000  00 00 00 00 01 02 03 04 05 06 07 08              ............

1797	  The AAD:
1798	  000  f3 33 88 86 00 00 00 00 00 00 4e 91              .3........N.

1800	  Received Tag:
1801	  000  ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38  ...g..."9#6....8
1802	   First, we calculate the one-time Poly1305 key

1804	    ChaCha state with key setup
1805	        61707865  3320646e  79622d32  6b206574
1806	        a540921c  8ad355eb  868833f3  f0b5f604
1807	        c1173947  09802b40  bc5cca9d  c0757020
1808	        00000000  00000000  04030201  08070605

1810	    ChaCha state after 20 rounds
1811	        a94af0bd  89dee45c  b64bb195  afec8fa1
1812	        508f4726  63f554c0  1ea2c0db  aa721526
1813	        11b1e514  a0bacc0f  828a6015  d7825481
1814	        e8a4a850  d9dcbbd6  4c2de33a  f8ccd912

1816	   out bytes:
1817	  bd:f0:4a:a9:5c:e4:de:89:95:b1:4b:b6:a1:8f:ec:af:
1818	  26:47:8f:50:c0:54:f5:63:db:c0:a2:1e:26:15:72:aa

1820	  Poly1305 one-time key:
1821	  000  bd f0 4a a9 5c e4 de 89 95 b1 4b b6 a1 8f ec af  ..J.\.....K.....
1822	  016  26 47 8f 50 c0 54 f5 63 db c0 a2 1e 26 15 72 aa  &G.P.T.c....&.r.

1824	   Next, we construct the AEAD buffer

1826	  Poly1305 Input:
1827	  000  f3 33 88 86 00 00 00 00 00 00 4e 91 00 00 00 00  .3........N.....
1828	  016  64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd  d...u...`.b...C.
1829	  032  5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2  ^.\.4\....g..l..
1830	  048  4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0  Ll..u]C....N8-&.
1831	  064  bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf  ...<2.....;.5X..
1832	  080  33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81  3/..q......J....
1833	  096  14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55  ...n..3.`....7.U
1834	  112  97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38  ...n...a..2N+5.8
1835	  128  36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4  6..{j|.....{S.g.
1836	  144  b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9  ..lv{.MF..R.....
1837	  160  90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e  .@...3"^.....lR>
1838	  176  af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a  .E4..?..[.Gq..Tj
1839	  192  0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a  ..+..VN..B"s.H'.
1840	  208  0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e  ..1`S.v..U..1YCN
1841	  224  ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10  ..NFm.Z.s.rv'.z.
1842	  240  49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30  I....6...h..w.q0
1843	  256  30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29  0[.......{qMlo,)
1844	  272  a6 ad 5c b4 02 2b 02 70 9b 00 00 00 00 00 00 00  ..\..+.p........
1845	  288  0c 00 00 00 00 00 00 00 09 01 00 00 00 00 00 00  ................

1847	   We calculate the Poly1305 tag and find that it matches

1849	  Calculated Tag:
1850	  000  ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38  ...g..."9#6....8

1852	   Finally, we decrypt the ciphertext

1854	  Plaintext::
1855	  000  49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 73 20  Internet-Drafts
1856	  016  61 72 65 20 64 72 61 66 74 20 64 6f 63 75 6d 65  are draft docume
1857	  032  6e 74 73 20 76 61 6c 69 64 20 66 6f 72 20 61 20  nts valid for a
1858	  048  6d 61 78 69 6d 75 6d 20 6f 66 20 73 69 78 20 6d  maximum of six m
1859	  064  6f 6e 74 68 73 20 61 6e 64 20 6d 61 79 20 62 65  onths and may be
1860	  080  20 75 70 64 61 74 65 64 2c 20 72 65 70 6c 61 63   updated, replac
1861	  096  65 64 2c 20 6f 72 20 6f 62 73 6f 6c 65 74 65 64  ed, or obsoleted
1862	  112  20 62 79 20 6f 74 68 65 72 20 64 6f 63 75 6d 65   by other docume
1863	  128  6e 74 73 20 61 74 20 61 6e 79 20 74 69 6d 65 2e  nts at any time.
1864	  144  20 49 74 20 69 73 20 69 6e 61 70 70 72 6f 70 72   It is inappropr
1865	  160  69 61 74 65 20 74 6f 20 75 73 65 20 49 6e 74 65  iate to use Inte
1866	  176  72 6e 65 74 2d 44 72 61 66 74 73 20 61 73 20 72  rnet-Drafts as r
1867	  192  65 66 65 72 65 6e 63 65 20 6d 61 74 65 72 69 61  eference materia
1868	  208  6c 20 6f 72 20 74 6f 20 63 69 74 65 20 74 68 65  l or to cite the
1869	  224  6d 20 6f 74 68 65 72 20 74 68 61 6e 20 61 73 20  m other than as
1870	  240  2f e2 80 9c 77 6f 72 6b 20 69 6e 20 70 72 6f 67  /...work in prog
1871	  256  72 65 73 73 2e 2f e2 80 9d                       ress./...

1873	Appendix B.  Performance Measurements of ChaCha20

1875	   The following measurements were made by Adam Langley for a blog post
1876	   published on February 27th, 2014.  The original blog post was
1877	   available at the time of this writing at
1878	   <https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html>.

1880	     +----------------------------+-------------+-------------------+
1881	     | Chip                       | AES-128-GCM | ChaCha20-Poly1305 |
1882	     +----------------------------+-------------+-------------------+
1883	     | OMAP 4460                  |  24.1 MB/s  |     75.3 MB/s     |
1884	     | Snapdragon S4 Pro          |  41.5 MB/s  |     130.9 MB/s    |
1885	     | Sandy Bridge Xeon (AES-NI) |   900 MB/s  |      500 MB/s     |
1886	     +----------------------------+-------------+-------------------+

1888	                         Table 1: Speed Comparison

1890	Acknowledgements

1892	   ChaCha20 and Poly1305 were invented by Daniel J. Bernstein.  The AEAD
1893	   construction and the method of creating the one-time Poly1305 key
1894	   were invented by Adam Langley.

1896	   Thanks to Robert Ransom, Watson Ladd, Stefan Buhler, Dan Harkins, and
1897	   Kenny Paterson for their helpful comments and explanations.  Thanks
1898	   to Niels Moller for suggesting the more efficient AEAD construction
1899	   in this document.  Special thanks to Ilari Liusvaara for providing
1900	   extra test vectors, helpful comments, and for being the first to
1901	   attempt an implementation from this document.  Thanks to Sean
1902	   Parkinson for suggesting improvements to the examples and the
1903	   pseudocode.  Thanks to David Ireland for pointing out a bug in the
1904	   pseudocode, and to Stephen Farrell and Alyssa Rowan for pointing out
1905	   missing advise in the security considerations.

1907	   Special thanks goes to Gordon Procter for performing a security
1908	   analysis of the composition and publishing [Procter].

1910	   Jim Schaad and John Mattson provided feedback on tag truncation, and
1911	   Russ Housley, Stanislav Smyshlyaev and John Mattson each provided a
1912	   review of this version.

1914	Authors' Addresses

1916	   Yoav Nir
1917	   Check Point Software Technologies, Ltd.
1918	   5 Hasolelim St.
1919	   Tel Aviv  6789735
1920	   Israel

1922	   EMail: ynir.ietf@gmail.com

1924	   Adam Langley
1925	   Google, Inc.

1927	   EMail: agl@google.com