ChaCha20-Poly1305

ChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code.[1] It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.[1]: §B 

History

The two building blocks of the construction, the algorithms Poly1305 and ChaCha20, were both independently designed, in 2005 and 2008, by Daniel J. Bernstein.[2][3]

In March 2013, a proposal was made to the IETF TLS working group to include Salsa20, a winner of the eSTREAM competition[4] to replace the aging RC4-based ciphersuites. A discussion followed in the IETF TLS mailing list with various enhancement suggestions, including using Chacha20 instead of Salsa20 and using a universal hashing based MAC for performance. The outcome of this process was the adoption of Adam Langley's proposal for a variant of the original ChaCha20 algorithm (using 32-bit counter and 96-bit nonce) and a variant of the original Poly1305 (authenticating 2 strings) being combined in an IETF draft[5][6] to be used in TLS and DTLS,[7] and chosen, for security and performance reasons, as a newly supported cipher.[8] Shortly after IETF's adoption for TLS, ChaCha20, Poly1305 and the combined AEAD mode are added to OpenSSH via the[email protected] authenticated encryption cipher[9][10] but kept the original 64-bit counter and 64-bit nonce for the ChaCha20 algorithm.

In 2015, the AEAD algorithm was standardized in RFC 7539[11] and in RFC 7634[12] to be used in IPsec. The same year, it was integrated by Cloudflare as an alternative ciphersuite.[13]

In 2016 RFC 7905[14] describes how to use it in the TLS 1.2 and DTLS 1.2 protocols.

In June 2018, RFC 7539 was updated and replaced by RFC 8439.[1]

Description

The ChaCha20-Poly1305 algorithm takes as input a 256-bit key and a 96-bit nonce to encrypt a plaintext,[1] with a ciphertext expansion of 128-bit (the tag size). In the ChaCha20-Poly1305 construction, ChaCha20 is used in counter mode to derive a key stream that is XORed with the plaintext. The ciphertext and the associated data is then authenticated using a variant of Poly1305 that first encodes the two strings into one. The way that a cipher and a one time authenticator are combined is precisely identical to AES-GCM construction in how the first block is used to seed the authenticator and how the ciphertext is then authenticated with a 16-byte tag.

The main external difference with ChaCha20 is its 64 byte (512 bit) block size, in comparison to 16 bytes (128 bit) with both AES-128 and AES-256. The larger block size enables higher performance on modern CPUs and allows for larger streams before the 32 bit counter overflows.

ChaCha20-Poly1305 Encryption
ChaCha20-Poly1305 Encryption

Variants

XChaCha20-Poly1305 – extended nonce variant

The XChaCha20-Poly1305 construction is an extended 192-bit nonce variant of the ChaCha20-Poly1305 construction, using XChaCha20 instead of ChaCha20. When choosing nonces at random, the XChaCha20-Poly1305 construction allows for better security than the original construction. The draft attempt to standardize the construction expired in July 2020.[15]

Salsa20-Poly1305 and XSalsa20-Poly1305

Salsa20-Poly1305 and XSalsa20-Poly1305 are variants of the ChaCha20-Poly1305 and XChaCha20-Poly1305 algorithms, using Salsa20 and XSalsa20 in place of ChaCha20 and XChaCha20. They are implemented in NaCl[16] and libsodium[17] but not standardized. The variants using ChaCha are preferred in practice as they provide better diffusion per round than Salsa.[2]

Reduced-round variants

ChaCha20 can be replaced with its reduced-round variants ChaCha12 and ChaCha8, yielding ChaCha12-Poly1305 and ChaCha8-Poly1305. The same modification can be applied to XChaCha20-Poly1305. These are implemented by the RustCrypto team and not standardized.[18]

Use

ChaCha20-Poly1305 is used in IPsec,[1] SSH,[19] TLS 1.2, DTLS 1.2, TLS 1.3,[14][19] WireGuard,[20] S/MIME 4.0,[21] OTRv4[22] and multiple other protocols and implemented in OpenSSL and libsodium. Additionally, the algorithm is used in the backup software Borg[23] in order to provide standard data encryption and in the copy-on-write filesystem Bcachefs for the purpose of optional whole filesystem encryption.[24]

Performance

ChaCha20-Poly1305 usually offers better performance than the more prevalent AES-GCM algorithm, except on systems where the CPU(s) have the AES-NI instruction set extension[1]. As a result, ChaCha20-Poly1305 is sometimes preferred over AES-GCM due to its similar levels of security and in certain use cases involving mobile devices, which mostly use ARM-based CPUs. Because ChaCha20-Poly1305 has less overhead than AES-GCM, ChaCha20-Poly1305 on mobile devices may consume less power than AES-GCM.

Security

The ChaCha20-Poly1305 construction is generally secure in the standard model and the ideal permutation model, for the single- and multi-user setting.[25] However, similarly to GCM, the security relies on choosing a unique nonce for every message encrypted. Compared to AES-GCM, implementations of ChaCha20-Poly1305 are less vulnerable to timing attacks.

To be noted, when the SSH protocol uses ChaCha20-Poly1305 as underlying primitive, it is vulnerable to the Terrapin attack.

See also

  • Josefsson, Simon (2013-03-17). "Salsa20 stream cipher in TLS". mailarchive.ietf.org. IETF. Retrieved 2024-07-31. FYI, we have published -00 of a draft that describes how the Salsa20 stream cipher

References

  1. ^ a b c d e f Y. Nir; A. Langley (June 2018). ChaCha20 and Poly1305 for IETF Protocols. Internet Research Task Force. doi:10.17487/RFC8439. ISSN 2070-1721. RFC 8439. Informational. Obsoletes RFC 7539.
  2. ^ a b Bernstein, D. J. (January 2008). ChaCha, a variant of Salsa20 (PDF). The State of the Art of Stream Ciphers. Vol. 8. pp. 3–5.
  3. ^ Bernstein, Daniel J. (2005), "The Poly1305-AES Message-Authentication Code", Fast Software Encryption, Lecture Notes in Computer Science, vol. 3557, Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 32–49, doi:10.1007/11502760_3, ISBN 978-3-540-26541-2
  4. ^ Josefsson, Simon (March 2013). The Salsa20 Stream Cipher for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). I-D draft-josefsson-salsa20-tls-00.
  5. ^ Langley, Adam (September 2013). ChaCha20 and Poly1305 based Cipher Suites for TLS. I-D draft-agl-tls-chacha20poly1305-00.
  6. ^ Nir, Yoav (27 January 2014). ChaCha20 and Poly1305 for IETF protocols. I-D draft-nir-cfrg-chacha20-poly1305-00.
  7. ^ Langley, Adam; Chang, Wan-Teh; Mavrogiannopoulos, Nikos; Strombergson, Joachim; Josefsson, Simon (24 January 2014). The ChaCha Stream Cipher for Transport Layer Security. I-D draft-mavrogiannopoulos-chacha-tls-01.
  8. ^ Bursztein, Elie (24 April 2014). "Speeding up and strengthening HTTPS connections for Chrome on Android". Google Online Security Blog. Archived from the original on 2016-09-28. Retrieved 2021-12-27.
  9. ^ Miller, Damien. "Super User's BSD Cross Reference: /OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305". bxr.su. Archived from the original on 2013-12-13. Retrieved 2021-12-28.
  10. ^ Miller, Damien (29 November 2013). "ChaCha20 and Poly1305 in OpenSSH". Archived from the original on 2013-12-13. Retrieved 2021-12-28.
  11. ^ Y. Nir; A. Langley (May 2015). ChaCha20 and Poly1305 for IETF Protocols. Internet Engineering Task Force. doi:10.17487/RFC7539. ISSN 2070-1721. RFC 7539. Obsolete. Obsoleted by RFC 8439.
  12. ^ Y. Nir, ed. (August 2015). ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec. Internet Engineering Task Force. doi:10.17487/RFC7634. ISSN 2070-1721. RFC 7634. Proposed Standard.
  13. ^ "Do the ChaCha: better mobile performance with cryptography". The Cloudflare Blog. 2015-02-23. Retrieved 2021-12-28.
  14. ^ a b A. Langley; W. Chang; N. Mavrogiannopoulos; J. Strombergson; S. Josefsson (June 2016). ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS). Internet Engineering Task Force. doi:10.17487/RFC7905. ISSN 2070-1721. RFC 7905. Proposed Standard. Updates RFC 6347 and 5246.
  15. ^ Arciszewski, Scott (10 January 2020). XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305. I-D draft-irtf-cfrg-xchacha.
  16. ^ "NaCl: Networking and Cryptography library - Secret-key authenticated encryption". Archived from the original on 2009-06-30.
  17. ^ "libsodium - Authenticated encryption". Archived from the original on 2020-08-04.
  18. ^ "chacha20poly1305 - Rust". docs.rs. ChaCha8Poly1305 / ChaCha12Poly1305 - non-standard, reduced-round variants (gated under the reduced-round Cargo feature). See the Too Much Crypto paper for background and rationale on when these constructions could be used. When in doubt, prefer ChaCha20Poly1305. XChaCha8Poly1305 / XChaCha12Poly1305 - same as above, but with an extended 192-bit (24-byte) nonce.
  19. ^ a b M. Thomson; S. Turner, eds. (May 2021). Using TLS to Secure QUIC. Internet Engineering Task Force. doi:10.17487/RFC9001. ISSN 2070-1721. RFC 9001. Proposed Standard.
  20. ^ Donenfeld, Jason A. "Protocol & Cryptography - WireGuard". www.wireguard.com. Retrieved 2021-12-28.
  21. ^ R. Housley (February 2017). Using ChaCha20-Poly1305 Authenticated Encryption in the Cryptographic Message Syntax (CMS). Internet Engineering Task Force. doi:10.17487/RFC8103. ISSN 2070-1721. RFC 8103. Proposed Standard.
  22. ^ OTRv4, OTRv4, 2021-12-25, retrieved 2021-12-28
  23. ^ borg rcreate, borgbackup, 2022-08-03, retrieved 2023-01-28
  24. ^ Overstreet, Kent (September 11, 2024). "Encryption". bcachefs. Archived from the original on May 26, 2024. Retrieved June 8, 2024.
  25. ^ Degabriele, Jean Paul; Govinden, Jérôme; Günther, Felix; Paterson, Kenneth G. (2021-11-12), "The Security of ChaCha20-Poly1305 in the Multi-User Setting", Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA: Association for Computing Machinery, pp. 1981–2003, doi:10.1145/3460120.3484814, ISBN 978-1-4503-8454-4, S2CID 244077782, retrieved 2021-12-27