Howto implement chacha20-poly1305?

Stef Bon stefbon at gmail.com
Sun Dec 4 13:29:22 CET 2016


2016-12-04 11:03 GMT+01:00 Jussi Kivilinna <jussi.kivilinna at iki.fi>:
>
> This ended up being more complicated than I first thought. I looked into the implementation of chacha20-poly1305@openssh.com in OpenSSH [1] and it clearly was not the 'draft' AEAD after all. Then I reread the spec [2] which says:
>  'The construction used is based on that proposed for TLS by Adam Langley in ...,
>   but differs in the layout of data passed to the MAC and in the addition of
>   encryption of the packet lengths.'
>
> So, it's different in a somewhat complicated way with its 'encrypt AAD' which cannot be easily done with the libgcrypt AEAD API. One way could be to handle AAD encryption with a separate chacha20 cipher handle. But then one needs to use multiple handles to combine AEAD and encrypt AAD parts and might as well do the whole construction with two chacha20 handles and one poly1305 handle. Also, I could not find test-vectors for this mode.
>
> I modified OpenSSH-7.3p1 to use libgcrypt (1.7) for 'chacha20-poly1305@openssh.com' to give you an example implementation. The commit for this change can be found here:
>  https://github.com/jkivilin/openssh-portable/commit/dd4d06bb47cbbbe3607b9be30f17f1495adbeb12
>
> Does this help you?
>

Great. I will look at this tomorrow. I will report back to you when I have some result.

Stef
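
Added example, not part of the original thread and not the code from the linked commit or from OpenSSH: the "two chacha20 handles and one poly1305 handle" construction discussed above, in pure Python, following the layout in OpenSSH's PROTOCOL.chacha20poly1305 (length field under the second key half, payload and one-time Poly1305 key under the first, MAC over encrypted length plus encrypted payload). The names ssh_seal, ssh_open and the helpers are illustrative assumptions; the arithmetic is not constant-time and only stands in for the libgcrypt handles to show the data flow.

```python
import hmac
import struct

MASK, P1305 = 0xffffffff, (1 << 130) - 5
QR = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),   # columns
      (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))   # diagonals

def _qr(s, a, b, c, d):
    for rot in (16, 12, 8, 7):  # the four add/xor/rotate steps of a quarter round
        s[a] = (s[a] + s[b]) & MASK
        x = s[d] ^ s[a]
        s[d] = ((x << rot) & MASK) | (x >> (32 - rot))
        a, b, c, d = c, d, a, b

def chacha20_block(key, counter, nonce8):  # original layout: 64-bit counter, 64-bit nonce
    init = struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<Q", counter) + nonce8)
    s = list(init)
    for idx in QR * 10:  # 10 double rounds
        _qr(s, *idx)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(s, init)))

def chacha20_xor(key, counter, nonce8, data):
    ks = b"".join(chacha20_block(key, counter + i, nonce8) for i in range((len(data) + 63) // 64))
    return bytes(x ^ y for x, y in zip(data, ks))

def poly1305(key32, msg):
    r = int.from_bytes(key32[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    acc = 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % P1305
    return ((acc + int.from_bytes(key32[16:], "little")) & ((1 << 128) - 1)).to_bytes(16, "little")

def _crypt(key64, seqnr, data):
    # Length: K_1 (key bytes 32..63), counter 0. Payload: K_2 (key bytes 0..31), counter 1.
    nonce = struct.pack(">Q", seqnr)  # packet sequence number is the nonce
    return chacha20_xor(key64[32:], 0, nonce, data[:4]) + chacha20_xor(key64[:32], 1, nonce, data[4:])

def _tag(key64, seqnr, ct):  # one-time Poly1305 key = first 32 bytes of K_2 block 0
    return poly1305(chacha20_block(key64[:32], 0, struct.pack(">Q", seqnr))[:32], ct)

def ssh_seal(key64, seqnr, packet):
    ct = _crypt(key64, seqnr, packet)
    return ct + _tag(key64, seqnr, ct)  # MAC covers encrypted length + encrypted payload

def ssh_open(key64, seqnr, blob):
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(_tag(key64, seqnr, ct), tag):
        raise ValueError("MAC check failed")  # reject before decrypting the payload
    return _crypt(key64, seqnr, ct)
```

Since no test vectors for the combined mode are cited in the thread, the two primitives can be checked against the published ChaCha20 and Poly1305 vectors and the construction itself by round trip and tamper rejection.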


