Howto implement chacha20-poly1305?

Stef Bon stefbon at
Sun Dec 4 13:29:22 CET 2016

2016-12-04 11:03 GMT+01:00 Jussi Kivilinna <jussi.kivilinna at>:
> This ended up being more complicated than I first thought. I looked into the implementation of chacha20-poly1305 at in OpenSSH [1] and it clearly was not the 'draft' AEAD after all. Then I reread the spec [2] which says:
>  'The construction used is based on that proposed for TLS by Adam Langley in ...,
>   but differs in the layout of data passed to the MAC and in the addition of
>   encryption of the packet lengths.'
> So, it's different in a somewhat complicated way with its 'encrypt AAD', which cannot easily be done with the libgcrypt AEAD API. One way could be to handle AAD encryption with a separate chacha20 cipher handle. But then one needs to use multiple handles to combine the AEAD and encrypt AAD parts, and might as well do the whole construction with two chacha20 handles and one poly1305 handle. Also, I could not find test vectors for this mode.
> I modified OpenSSH-7.3p1 to use libgcrypt (1.7) for 'chacha20-poly1305 at' to give you an example implementation. The commit for this change can be found here:
> Does this help you?

Great. I will look at this tomorrow. I will report back to you when I have some results.

