ChaCha20 and Poly1305 for IETF protocols
draft-irtf-cfrg-chacha20-poly1305-06

The information below is for an old version of the document
Document Type Active Internet-Draft (cfrg RG)
Last updated 2015-01-14
Replaces draft-nir-cfrg-chacha20-poly1305
Stream IRTF
Intended RFC status Informational
Formats plain text pdf html bibtex
IETF conflict review conflict-review-irtf-cfrg-chacha20-poly1305
Stream IRTF state In IRSG Poll
Consensus Boilerplate Yes
Document shepherd Alexey Melnikov
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to "Alexey Melnikov" <alexey.melnikov@isode.com>
Network Working Group                                             Y. Nir
Internet-Draft                                               Check Point
Intended status: Informational                                A. Langley
Expires: July 18, 2015                                        Google Inc
                                                        January 14, 2015

                ChaCha20 and Poly1305 for IETF protocols
                  draft-irtf-cfrg-chacha20-poly1305-06

Abstract

   This document defines the ChaCha20 stream cipher, as well as the use
   of the Poly1305 authenticator, both as stand-alone algorithms, and as
   a "combined mode", or Authenticated Encryption with Additional Data
   (AEAD) algorithm.

   This document does not introduce any new crypto, but is meant to
   serve as a stable reference and an implementation guide.  It is a
   product of the Crypto Forum Research Group (CFRG)

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 18, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

Nir & Langley             Expires July 18, 2015                 [Page 1]
Internet-Draft             ChaCha20 & Poly1305              January 2015

   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Conventions Used in This Document . . . . . . . . . . . .   4
   2.  The Algorithms  . . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  The ChaCha Quarter Round  . . . . . . . . . . . . . . . .   4
       2.1.1.  Test Vector for the ChaCha Quarter Round  . . . . . .   5
     2.2.  A Quarter Round on the ChaCha State . . . . . . . . . . .   5
       2.2.1.  Test Vector for the Quarter Round on the ChaCha state   6
     2.3.  The ChaCha20 block Function . . . . . . . . . . . . . . .   6
       2.3.1.  The ChaCha20 Block Function in Pseudo-Code  . . . . .   8
       2.3.2.  Test Vector for the ChaCha20 Block Function . . . . .   8
     2.4.  The ChaCha20 encryption algorithm . . . . . . . . . . . .   9
       2.4.1.  The ChaCha20 encryption algorithm in Pseudo-Code  . .  10
       2.4.2.  Example and Test Vector for the ChaCha20 Cipher . . .  10
     2.5.  The Poly1305 algorithm  . . . . . . . . . . . . . . . . .  12
       2.5.1.  The Poly1305 Algorithms in Pseudo-Code  . . . . . . .  14
       2.5.2.  Poly1305 Example and Test Vector  . . . . . . . . . .  14
     2.6.  Generating the Poly1305 key using ChaCha20  . . . . . . .  16
       2.6.1.  Poly1305 Key Generation in Pseudo-Code  . . . . . . .  17
       2.6.2.  Poly1305 Key Generation Test Vector . . . . . . . . .  17
     2.7.  A Pseudo-Random Function for ChaCha/Poly-1305 based
           Crypto Suites . . . . . . . . . . . . . . . . . . . . . .  17
     2.8.  AEAD Construction . . . . . . . . . . . . . . . . . . . .  18
       2.8.1.  Pseudo-Code for the AEAD Construction . . . . . . . .  20
       2.8.2.  Example and Test Vector for AEAD_CHACHA20-POLY1305  .  20
   3.  Implementation Advice . . . . . . . . . . . . . . . . . . . .  22
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .  23
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  24
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  24
   7.  Changes from Previous Versions  . . . . . . . . . . . . . . .  25
     7.1.  Changes from version -01 to version -02 . . . . . . . . .  25
     7.2.  Changes from version -00 to version -01 . . . . . . . . .  25
     7.3.  Changes from draft-nir-cfrg to draft-irtf-cfrg  . . . . .  25
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  25
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  25
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  25
   Appendix A.  Additional Test Vectors  . . . . . . . . . . . . . .  27
     A.1.  The ChaCha20 Block Functions  . . . . . . . . . . . . . .  27
     A.2.  ChaCha20 Encryption . . . . . . . . . . . . . . . . . . .  30
Show full document text