Howto implement chacha20-poly1305?

Jussi Kivilinna jussi.kivilinna at
Sun Dec 4 11:03:28 CET 2016

On 01.12.2016 10:46, Werner Koch wrote:
> On Wed, 30 Nov 2016 20:53, jussi.kivilinna at said:
>> I was thinking of the same too. I can do it. Draft mode selection would
>> happen with new gcry_cipher_open flag, maybe GCRY_CIPHER_POLY1305_DRAFT
> Both make sense - maybe Openssh is the more descriptive one.  I don't
> really care. 

This ended up being more complicated than I first thought. I looked into the implementation of chacha20-poly1305 at in OpenSSH [1] and it clearly was not the 'draft' AEAD after all. Then I reread the spec [2], which says:
 'The construction used is based on that proposed for TLS by Adam Langley in ...,
  but differs in the layout of data passed to the MAC and in the addition of
  encryption of the packet lengths.'

So, it's different in a somewhat complicated way with its 'encrypt AAD', which cannot be easily done with the libgcrypt AEAD API. One way could be to handle AAD encryption with a separate chacha20 cipher handle. But then one needs to use multiple handles to combine the AEAD and encrypt-AAD parts and might as well do the whole construction with two chacha20 handles and one poly1305 handle. Also, I could not find test vectors for this mode.

> Stef: Can you help Jussi with testing?

I modified OpenSSH-7.3p1 to use libgcrypt (1.7) for 'chacha20-poly1305 at' to give you an example implementation. The commit for this change can be found here:

Does this help you?


