Howto implement chacha20-poly1305?

Jussi Kivilinna jussi.kivilinna at
Tue Nov 29 17:56:31 CET 2016


On 29.11.2016 00:23, Stef Bon wrote:
> 2016-11-28 22:01 GMT+01:00 Stef Bon <stefbon at>:
>>> Then use gcry_cipher_gettag/gcry_cipher_checktag for retrieving/checking
>>> tag.
>>> It is an AEAD cipher mode, so there is no separate encryption and separate
>>> MAC.
>> Ah. Thanks a lot!
> Do I have to decrypt and encrypt in a special way as described here:

Unfortunately, the AEAD cipher mode for "chacha20poly1305 at" is slightly different from the chacha20-poly1305 AEAD described in RFC 7539, which libgcrypt implements. The problem is that OpenSSH added chacha20-poly1305 support based on an early draft RFC, and there was a change to data padding later in the draft series.

So, to get "chacha20poly1305 at" AEAD, you'd need to use separate ChaCha20 cipher and Poly1305 MAC instances and implement the AEAD mode manually.
 gcry_mac_open(... GCRY_MAC_POLY1305 ...)
 gcry_cipher_open(... GCRY_CIPHER_CHACHA20 ...)


> Stef
