Howto implement chacha20-poly1305?

Stef Bon stefbon at
Wed Nov 30 11:32:47 CET 2016

2016-11-29 17:56 GMT+01:00 Jussi Kivilinna <jussi.kivilinna at>:
> Hello,

> Unfortunately the AEAD cipher mode for "chacha20poly1305 at" is slightly different from chacha20-poly1305 AEAD described in RFC7539 which libgcrypt implements. Problem is that OpenSSH add chacha20-poly1305 support based on early draft-RFC and there was change to data padding later in the draft series.
> So, to get "chacha20poly1305 at" AEAD, you'd need to use separate Chacha20 cipher and Poly1305 mac instances and implement AEAD mode manually.
>  gcry_mac_open(... GCRY_MAC_POLY1305 ...)
>  gcry_cipher_open(... GCRY_CIPHER_CHACHA20 ...)

Sigh and another sigh.
Thanks for the answer though, how do I implement AEAD mode manually? I
know I have to open the cipher using GCRY_CIPHER_CHACHA20, and open
the mac using GCRY_HMAC_POLY1305 (you write GCRY_MAC_... but you mean
GCRY_HMAC_... ?) but what then? I've read about the function
gcry_cipher_authenticate (and gcry_cipher_gettag and
gcry_cipher_checktag). Do I have to set the cipher in a special mode?
Maybe good to know I'm using the documentation which is based on
1.6.4, and chacha20 and poly1305 are added later.


More information about the Gcrypt-devel mailing list