ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: "IETF-Announce" <>
Cc: "Sean Turner" <>, "The IESG" <>
Subject: Protocol Action: 'ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)' to Proposed Standard (draft-ietf-tls-chacha20-poly1305-04.txt)

The IESG has approved the following document:
- 'ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)'
  (draft-ietf-tls-chacha20-poly1305-04.txt) as Proposed Standard

This document is the product of the Transport Layer Security Working

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:

Ballot Text

1. Summary

This draft specifies seven (7) chacha20-poly1305 ciphers 
that can be used with TLS and DTLS.  This is the “how to 
do chacha20-poly1305 with TLS” draft, where 
chacha20-poly1305 is defined in RFC 7539. These cipher 
suites are intended to be a backup to the AES-based suites 
in case of compromise.

As far as where you should point your fingers:
- Sean Turner is the document shepherd, and;
- Stephen Farrell is the responsible Area Director.

2. Review and Consensus

There’s probably on the order of 100 messages about this 
draft, and that shouldn’t come as a surprise because this 
draft is really just specifying IANA code points.  The real 
fireworks were on the CFRG list, and we thank them for 
taking that bullet(s).  The cipher suites proposed in the 
individual draft were modified based on WG input.  There 
were two WGLCs for this draft; the first didn’t generate the 
expected amount of review so a second WGLC was issued 
that did.  There was a debate as to whether the PRF digest 
should be changed to SHA-512 from SHA-256, but there 
was no consensus to make this change.

3. Intellectual Property

All disclosed as confirmed by the authors on 20160310.

4. Other Points:

IANA has already assigned the cipher suites and we thank them.

These algorithms are expected to be very widely implemented 
due to their high performance in software implementations.  
It’s currently in the deployed branches of BoringSSL, GnuTLS, 
OpenSSL, and others.

RFC Editor Note

  1) Please add the following to the end of the abstract: "This
      document updates RFCs 5246 and 6347."

  2) Please add a normative reference for SHA256 at the end
      of section 3, thusly...

OLD:

   The pseudorandom function (PRF) for all the cipher suites defined in
   this document is the TLS PRF with SHA-256 as the hash function.

NEW:

   The pseudorandom function (PRF) for all the cipher suites defined in
   this document is the TLS PRF with SHA-256 [FIPS 180-4] as the hash function.

The reference to add to section 6.1 is:

[FIPS 180-4]  Federal Information Processing Standards Publication
                (FIPS PUB) 180-4, Secure Hash Standard (SHS), August 2015.