Howto implement chacha20-poly1305?
jussi.kivilinna at iki.fi
Sun Dec 4 11:03:28 CET 2016
On 01.12.2016 10:46, Werner Koch wrote:
> On Wed, 30 Nov 2016 20:53, jussi.kivilinna at iki.fi said:
>> I was thinking of same too. I can do it. Draft mode selection would
>> happen with new gcry_cipher_open flag, maybe GCRY_CIPHER_POLY1305_DRAFT
>> or GCRY_CIPHER_POLY1305_OPENSSH.
> Both make sense - maybe Openssh is the more descriptive one. I don't
> really care.
This ended up being more complicated than I first thought. I looked into the implementation of chacha20-poly1305@openssh.com in OpenSSH and it clearly was not the 'draft' AEAD after all. Then I reread the spec, which says:
'The construction used is based on that proposed for TLS by Adam Langley in ...,
but differs in the layout of data passed to the MAC and in the addition of
encryption of the packet lengths.'
So, it's different in a somewhat complicated way with its 'encrypt AAD', which cannot be easily done with the libgcrypt AEAD API. One way could be to handle AAD encryption with a separate chacha20 cipher handle. But then one needs to use multiple handles to combine the AEAD and encrypt-AAD parts and might as well do the whole construction with two chacha20 handles and one poly1305 handle. Also, I could not find test vectors for this mode.
> Stef: Can you help Jussi with testing?
I modified OpenSSH-7.3p1 to use libgcrypt (1.7) for 'chacha20-poly1305@openssh.com' to give you an example implementation. The commit for this change can be found here:
Does this help you?
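The "two chacha20 handles and one poly1305 handle" layout discussed in this message, as an added example that is not code from this thread, from OpenSSH or from libgcrypt. It follows the packet layout in OpenSSH's PROTOCOL.chacha20poly1305; the names `seal` and `unseal` are hypothetical, `payload` stands for the SSH packet body that the length field covers, and pure-Python primitives stand in for the cipher handles.

```python
import hmac, struct

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xffffffff

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20(key, nonce8, counter, data):  # original layout: 64-bit counter, 64-bit nonce
    out = bytearray()
    for off in range(0, len(data), 64):
        init = list(struct.unpack("<16I", b"expand 32-byte k" + key +
                                  struct.pack("<Q", counter + off // 64) + nonce8))
        s = init[:]
        for _ in range(10):  # 10 double rounds = 20 rounds
            for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                      (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
                _qr(s, *q)
        ks = struct.pack("<16I", *((a + b) & 0xffffffff for a, b in zip(s, init)))
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)

def poly1305(key, msg):
    r = int.from_bytes(key[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s, acc, p = int.from_bytes(key[16:], "little"), 0, (1 << 130) - 5
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def seal(key64, seqnr, payload):
    k2, k1 = key64[:32], key64[32:]              # K_2: payload and MAC key, K_1: length key
    nonce = struct.pack(">Q", seqnr)             # SSH sequence number, big-endian
    enc_len = chacha20(k1, nonce, 0, struct.pack(">I", len(payload)))  # the "encrypted AAD"
    body = chacha20(k2, nonce, 1, payload)       # payload keystream starts at block 1
    mac_key = chacha20(k2, nonce, 0, bytes(32))  # block 0 under K_2 keys Poly1305
    return enc_len + body + poly1305(mac_key, enc_len + body)  # MAC over raw ciphertext

def unseal(key64, seqnr, packet):
    if len(packet) < 20: raise ValueError("short packet")
    k2, k1 = key64[:32], key64[32:]
    nonce = struct.pack(">Q", seqnr)
    length = struct.unpack(">I", chacha20(k1, nonce, 0, packet[:4]))[0]
    ct, tag = packet[:-16], packet[-16:]
    mac_key = chacha20(k2, nonce, 0, bytes(32))
    if len(ct) != 4 + length or not hmac.compare_digest(tag, poly1305(mac_key, ct)):
        raise ValueError("length or tag mismatch")  # reject before decrypting the payload
    return chacha20(k2, nonce, 1, ct[4:])
```

The primitives can be checked against the all-zero-key ChaCha20 keystream and the RFC 7539 Poly1305 vector; the composed mode is best cross-checked against an OpenSSH build, since the message above notes that no test vectors were found for it.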