ChaCha20-Poly1305

{{Short description|Authenticated encryption with associated data algorithm}}

ChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) algorithm that combines the ChaCha20 stream cipher with the Poly1305 message authentication code.{{Ref RFC|8439}} It has fast software performance and, without hardware acceleration, is usually faster than AES-GCM.{{Ref RFC|8439|rsection=B}}

History

The two building blocks of the construction, the algorithms Poly1305 and ChaCha20, were both independently designed, in 2005 and 2008, by Daniel J. Bernstein.{{Cite conference |last=Bernstein |first=D. J. |date=January 2008 |title=ChaCha, a variant of Salsa20 |url=https://cr.yp.to/chacha/chacha-20080120.pdf |conference=The State of the Art of Stream Ciphers |volume=8 |pages=3–5}}{{Citation |last=Bernstein |first=Daniel J. |title=The Poly1305-AES Message-Authentication Code |date=2005 |work=Fast Software Encryption |series=Lecture Notes in Computer Science |volume=3557 |pages=32–49 |place=Berlin, Heidelberg |publisher=Springer Berlin Heidelberg |doi=10.1007/11502760_3 |isbn=978-3-540-26541-2|doi-access=free }}

In March 2013, a proposal was made to the IETF TLS working group to include Salsa20, a winner of the eSTREAM competition,{{Cite IETF|last=Josefsson|first=Simon|date=March 2013|title=The Salsa20 Stream Cipher for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)|draft=draft-josefsson-salsa20-tls-00}} to replace the aging RC4-based ciphersuites. A discussion followed on the IETF TLS mailing list with various enhancement suggestions, including using ChaCha20 instead of Salsa20 and using a universal-hashing-based MAC for performance. The outcome of this process was the adoption of Adam Langley's proposal for a variant of the original ChaCha20 algorithm (using a 32-bit counter and a 96-bit nonce) and a variant of the original Poly1305 (authenticating two strings), combined in an IETF draft{{Cite IETF|last=Langley|first=Adam|date=September 2013|title=ChaCha20 and Poly1305 based Cipher Suites for TLS|draft=draft-agl-tls-chacha20poly1305-00}}{{Cite IETF|last=Nir|first=Yoav|date=27 January 2014|title=ChaCha20 and Poly1305 for IETF protocols|draft=draft-nir-cfrg-chacha20-poly1305-00}} to be used in TLS and DTLS,{{Cite IETF|last1=Langley|first1=Adam|last2=Chang|first2=Wan-Teh|last3=Mavrogiannopoulos|first3=Nikos|last4=Strombergson|first4=Joachim|last5=Josefsson|first5=Simon|date=24 January 2014|title=The ChaCha Stream Cipher for Transport Layer Security|draft=draft-mavrogiannopoulos-chacha-tls-01}} and chosen, for security and performance reasons, as a newly supported cipher.{{Cite web|last=Bursztein|first=Elie|date=24 April 2014|title=Speeding up and strengthening HTTPS connections for Chrome on Android|url=https://security.googleblog.com/2014/04/speeding-up-and-strengthening-https.html|url-status=live|access-date=2021-12-27|website=Google Online Security Blog|language=en|archive-url=https://web.archive.org/web/20160928013932/https://security.googleblog.com/2014/04/speeding-up-and-strengthening-https.html |archive-date=2016-09-28 }} Shortly after the IETF's adoption for TLS, ChaCha20, Poly1305 and the combined AEAD mode were added to OpenSSH via the chacha20-poly1305@openssh.com authenticated encryption cipher,{{Cite web|last=Miller|first=Damien|title=Super User's BSD Cross Reference: /OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305|url=http://bxr.su/OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305|url-status=live|access-date=2021-12-28|website=bxr.su|archive-url=https://web.archive.org/web/20131213160907/http://bxr.su:80/OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305 |archive-date=2013-12-13 }}{{Cite web|last=Miller|first=Damien|date=29 November 2013|title=ChaCha20 and Poly1305 in OpenSSH|url=http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html|url-status=live|access-date=2021-12-28|language=en-GB|archive-url=https://web.archive.org/web/20131213215903/http://blog.djm.net.au:80/2013/11/chacha20-and-poly1305-in-openssh.html |archive-date=2013-12-13 }} but with the original 64-bit counter and 64-bit nonce kept for the ChaCha20 algorithm.

In 2015, the AEAD algorithm was standardized in RFC 7539{{Ref RFC|7539}} and, for use in IPsec, in RFC 7634.{{Ref RFC|7634}} The same year, it was integrated by Cloudflare as an alternative ciphersuite.{{Cite web|date=2015-02-23|title=Do the ChaCha: better mobile performance with cryptography|url=http://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/|access-date=2021-12-28|website=The Cloudflare Blog|language=en}}

In 2016, RFC 7905{{Ref RFC|7905}} described how to use it in the TLS 1.2 and DTLS 1.2 protocols.

In June 2018, RFC 7539 was updated and replaced by RFC 8439.{{Ref RFC|8439}}

Description

The ChaCha20-Poly1305 algorithm takes as input a 256-bit key and a 96-bit nonce to encrypt a plaintext,{{Ref RFC|8439}} with a ciphertext expansion of 128 bits (the tag size). In the ChaCha20-Poly1305 construction, ChaCha20 is used in counter mode to derive a key stream that is XORed with the plaintext. The ciphertext and the associated data are then authenticated using a variant of Poly1305 that first encodes the two strings into one. The way the cipher and the one-time authenticator are combined is precisely identical to the AES-GCM construction in how the first block is used to seed the authenticator and how the ciphertext is then authenticated with a 16-byte tag.

The main external difference between ChaCha20 and AES is its 64-byte (512-bit) block size, compared with the 16-byte (128-bit) block of both AES-128 and AES-256. The larger block size enables higher performance on modern CPUs and allows for larger streams before the 32-bit counter overflows.
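As an added illustration of the construction just described (not code from the article, the RFC or any library), the following pure-Python implementation follows the RFC 8439 layout: keystream block 0 seeds the one-time Poly1305 key, encryption starts at block counter 1, and the tag covers the padded associated data, the padded ciphertext and both lengths. It is written for study, not for production: the big-integer arithmetic is not constant-time.

```python
import hmac, struct
MASK = 0xffffffff
_rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & MASK

def _qr(s, a, b, c, d):
    # One ChaCha quarter-round, in place, on four words of the 16-word state.
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # RFC 8439 state: 4 constants, 8 key words, one 32-bit block counter, 3 nonce words.
    init = (struct.unpack('<4I', b'expand 32-byte k') + struct.unpack('<8I', key)
            + (counter,) + struct.unpack('<3I', nonce))
    w = list(init)
    for _ in range(10):  # 20 rounds = 10 double rounds of 4 column + 4 diagonal QRs
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(w, *idx)
    return struct.pack('<16I', *[(x + y) & MASK for x, y in zip(w, init)])

def chacha20_xor(key, counter, nonce, data):
    out = bytearray()  # counter mode: XOR successive 64-byte keystream blocks into data
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

def poly1305(otk, msg):
    r = int.from_bytes(otk[:16], 'little') & 0x0ffffffc0ffffffc0ffffffc0fffffff  # clamp r
    s, p, acc = int.from_bytes(otk[16:], 'little'), (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        blk = msg[i:i + 16]  # every block gets a high 1 bit before it is absorbed
        acc = (acc + int.from_bytes(blk, 'little') + (1 << (8 * len(blk)))) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, 'little')

def _mac_data(aad, ct):  # aad | pad16 | ct | pad16 | len(aad) | len(ct), lengths as LE u64
    return b''.join(b + bytes(-len(b) % 16) for b in (aad, ct)) + struct.pack('<QQ', len(aad), len(ct))

def aead_encrypt(key, nonce, aad, plaintext):
    otk = chacha20_block(key, 0, nonce)[:32]     # keystream block 0 seeds the one-time Poly1305 key
    ct = chacha20_xor(key, 1, nonce, plaintext)  # encryption starts at counter 1
    return ct, poly1305(otk, _mac_data(aad, ct))

def aead_decrypt(key, nonce, aad, ct, tag):
    otk = chacha20_block(key, 0, nonce)[:32]
    if not hmac.compare_digest(poly1305(otk, _mac_data(aad, ct)), tag):
        return None  # tag mismatch: reject before releasing any plaintext
    return chacha20_xor(key, 1, nonce, ct)
```

Running it against the AEAD test vector in RFC 8439 section 2.8.2 reproduces the published tag, and flipping one ciphertext or associated-data byte makes decryption return None.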

File:ChaCha20-Poly1305 Encryption.svg

Variants

= XChaCha20-Poly1305 – extended nonce variant =

The XChaCha20-Poly1305 construction is an extended-nonce (192-bit) variant of the ChaCha20-Poly1305 construction that uses XChaCha20 instead of ChaCha20. When nonces are chosen at random, XChaCha20-Poly1305 offers better security than the original construction. The draft that attempted to standardize the construction expired in July 2020.{{Cite IETF|last=Arciszewski|first=Scott|date=10 January 2020|title=XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305|draft=draft-irtf-cfrg-xchacha}}

= Salsa20-Poly1305 and XSalsa20-Poly1305 =

Salsa20-Poly1305 and XSalsa20-Poly1305 are variants of the ChaCha20-Poly1305 and XChaCha20-Poly1305 algorithms that use Salsa20 and XSalsa20 in place of ChaCha20 and XChaCha20. They are implemented in NaCl{{Cite web|title=NaCl: Networking and Cryptography library - Secret-key authenticated encryption|url=https://nacl.cr.yp.to/secretbox.html|url-status=live|archive-url=https://web.archive.org/web/20090630084736/http://nacl.cr.yp.to:80/secretbox.html |archive-date=2009-06-30 }} and libsodium{{Cite web|title=libsodium - Authenticated encryption|url=https://doc.libsodium.org/secret-key_cryptography/secretbox|url-status=live|archive-url=https://web.archive.org/web/20200804110531/https://doc.libsodium.org/secret-key_cryptography/secretbox |archive-date=2020-08-04 }} but are not standardized. The variants using ChaCha are preferred in practice, as ChaCha provides better diffusion per round than Salsa.

= Reduced-round variants =

ChaCha20 can be replaced with its reduced-round variants ChaCha12 and ChaCha8, yielding ChaCha12-Poly1305 and ChaCha8-Poly1305. The same modification can be applied to XChaCha20-Poly1305. These are implemented by the RustCrypto team but are not standardized.{{cite web |title=chacha20poly1305 - Rust |url=https://docs.rs/chacha20poly1305/latest/chacha20poly1305/#supported-algorithms |website=docs.rs |quote=ChaCha8Poly1305 / ChaCha12Poly1305 - non-standard, reduced-round variants (gated under the reduced-round Cargo feature). See the Too Much Crypto paper for background and rationale on when these constructions could be used. When in doubt, prefer ChaCha20Poly1305. XChaCha8Poly1305 / XChaCha12Poly1305 - same as above, but with an extended 192-bit (24-byte) nonce.}}

Use

ChaCha20-Poly1305 is used in IPsec,{{Ref RFC|8439}} SSH,{{Ref RFC|9001}} TLS 1.2, DTLS 1.2, TLS 1.3,{{Ref RFC|7905}}{{Ref RFC|9001}} WireGuard,{{Cite web|last=Donenfeld|first=Jason A.|title=Protocol & Cryptography - WireGuard|url=https://www.wireguard.com/protocol/|access-date=2021-12-28|website=www.wireguard.com|language=en}} S/MIME 4.0,{{Ref RFC|8103}} OTRv4{{Citation|title=OTRv4|date=2021-12-25|url=https://github.com/otrv4/otrv4/blob/12cc3018577901e27715680ec9cb94b2562438b9/otrv4.md|publisher=OTRv4|access-date=2021-12-28}} and multiple other protocols, and is implemented in OpenSSL and libsodium. Additionally, the algorithm is used in the backup software Borg{{Citation|title=borg rcreate|date=2022-08-03|url=https://borgbackup.readthedocs.io/en/2.0.0b4/usage/rcreate.html#choosing-an-encryption-mode|publisher=borgbackup|access-date=2023-01-28}} to provide its standard data encryption, and in the copy-on-write filesystem Bcachefs for optional whole-filesystem encryption.{{Cite web |last=Overstreet |first=Kent |date=September 11, 2024 |title=Encryption |url=https://bcachefs.org/Encryption/ |url-status=live |archive-url=https://web.archive.org/web/20240526092007/https://bcachefs.org/Encryption/ |archive-date=May 26, 2024|access-date=June 8, 2024 |website=bcachefs}}

Performance

ChaCha20-Poly1305 usually offers better performance than the more prevalent AES-GCM algorithm, except on systems where the CPU(s) have the AES-NI instruction set extension.{{Ref RFC|8439}} As a result, ChaCha20-Poly1305, which offers a similar level of security, is sometimes preferred over AES-GCM, particularly in use cases involving mobile devices, which mostly use ARM-based CPUs. Because ChaCha20-Poly1305 has less overhead than AES-GCM on such hardware, it may consume less power than AES-GCM on mobile devices.

Security

The ChaCha20-Poly1305 construction is generally secure in the standard model and the ideal permutation model, in both the single-user and multi-user settings.{{Citation |last1=Degabriele |first1=Jean Paul |title=The Security of ChaCha20-Poly1305 in the Multi-User Setting |date=2021-11-12 |url=https://doi.org/10.1145/3460120.3484814 |work=Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security |pages=1981–2003 |place=New York, NY, USA |publisher=Association for Computing Machinery |doi=10.1145/3460120.3484814 |isbn=978-1-4503-8454-4 |access-date=2021-12-27 |last2=Govinden |first2=Jérôme |last3=Günther |first3=Felix |last4=Paterson |first4=Kenneth G.|s2cid=244077782 |url-access=subscription }} However, as with GCM, its security relies on choosing a unique nonce for every message encrypted under the same key. Compared to AES-GCM, implementations of ChaCha20-Poly1305 are less vulnerable to timing attacks.

Note that when the SSH protocol uses ChaCha20-Poly1305 as its underlying primitive, it is vulnerable to the Terrapin attack.

See also

References