Share to: share facebook share twitter share wa share telegram print page

 

ChaCha20-Poly1305

ChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code.[1] It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.[1]: §B 

History

The two building blocks of the construction, the algorithms Poly1305 and ChaCha20, were both independently designed, in 2005 and 2008, by Daniel J. Bernstein.[2][3]

In March 2013, a proposal was made to the IETF TLS working group to include Salsa20, a winner of the eSTREAM competition[4] to replace the aging RC4-based ciphersuites. A discussion followed in the IETF TLS mailing list with various enhancement suggestions, including using Chacha20 instead of Salsa20 and using a universal hashing based MAC for performance. The outcome of this process was the adoption of Adam Langley's proposal for a variant of the original ChaCha20 algorithm (using 32-bit counter and 96-bit nonce) and a variant of the original Poly1305 (authenticating 2 strings) being combined in an IETF draft[5][6] to be used in TLS and DTLS,[7] and chosen, for security and performance reasons, as a newly supported cipher.[8] Shortly after IETF's adoption for TLS, ChaCha20, Poly1305 and the combined AEAD mode are added to OpenSSH via thechacha20-poly1305@openssh.com authenticated encryption cipher[9][10] but kept the original 64-bit counter and 64-bit nonce for the ChaCha20 algorithm.

In 2015, the AEAD algorithm was standardized in RFC 7539[11] and in RFC 7634[12] to be used in IPsec. The same year, it was integrated by Cloudflare as an alternative ciphersuite.[13]

In 2016 RFC 7905[14] describes how to use it in the TLS 1.2 and DTLS 1.2 protocols.

In June 2018, RFC 7539 was updated and replaced by RFC 8439.[1]

Description

The ChaCha20-Poly1305 algorithm takes as input a 256-bit key and a 96-bit nonce to encrypt a plaintext,[1] with a ciphertext expansion of 128-bit (the tag size). In the ChaCha20-Poly1305 construction, ChaCha20 is used in counter mode to derive a key stream that is XORed with the plaintext. The ciphertext and the associated data is then authenticated using a variant of Poly1305 that first encodes the two strings into one. The way that a cipher and a one time authenticator are combined is precisely identical to AES-GCM construction in how the first block is used to seed the authenticator and how the ciphertext is then authenticated with a 16-byte tag.

The main external difference with ChaCha20 is its 64 byte (512 bit) block size, in comparison to 16 bytes (128 bit) with both AES-128 and AES-256. The larger block size enables higher performance on modern CPUs and allows for larger streams before the 32 bit counter overflows.

ChaCha20-Poly1305 Encryption
ChaCha20-Poly1305 Encryption

Variants

XChaCha20-Poly1305 – extended nonce variant

The XChaCha20-Poly1305 construction is an extended 192-bit nonce variant of the ChaCha20-Poly1305 construction, using XChaCha20 instead of ChaCha20. When choosing nonces at random, the XChaCha20-Poly1305 construction allows for better security than the original construction. The draft attempt to standardize the construction expired in July 2020.[15]

Salsa20-Poly1305 and XSalsa20-Poly1305

Salsa20-Poly1305 and XSalsa20-Poly1305 are variants of the ChaCha20-Poly1305 and XChaCha20-Poly1305 algorithms, using Salsa20 and XSalsa20 in place of ChaCha20 and XChaCha20. They are implemented in NaCl[16] and libsodium[17] but not standardized. The variants using ChaCha are preferred in practice as they provide better diffusion per round than Salsa.[2]

Reduced-round variants

ChaCha20 can be replaced with its reduced-round variants ChaCha12 and ChaCha8, yielding ChaCha12-Poly1305 and ChaCha8-Poly1305. The same modification can be applied to XChaCha20-Poly1305. These are implemented by the RustCrypto team and not standardized.[18]

Use

ChaCha20-Poly1305 is used in IPsec,[1] SSH,[19] TLS 1.2, DTLS 1.2, TLS 1.3,[14][19] WireGuard,[20] S/MIME 4.0,[21] OTRv4[22] and multiple other protocols and implemented in OpenSSL and libsodium. Additionally, the algorithm is used in the backup software Borg[23] in order to provide standard data encryption and in the copy-on-write filesystem Bcachefs for the purpose of optional whole filesystem encryption.[24]

Performance

ChaCha20-Poly1305 usually offers better performance than the more prevalent AES-GCM algorithm, except on systems where the CPU(s) have the AES-NI instruction set extension[1]. As a result, ChaCha20-Poly1305 is sometimes preferred over AES-GCM due to its similar levels of security and in certain use cases involving mobile devices, which mostly use ARM-based CPUs. Because ChaCha20-Poly1305 has less overhead than AES-GCM, ChaCha20-Poly1305 on mobile devices may consume less power than AES-GCM.

Security

The ChaCha20-Poly1305 construction is generally secure in the standard model and the ideal permutation model, for the single- and multi-user setting.[25] However, similarly to GCM, the security relies on choosing a unique nonce for every message encrypted. Compared to AES-GCM, implementations of ChaCha20-Poly1305 are less vulnerable to timing attacks.

To be noted, when the SSH protocol uses ChaCha20-Poly1305 as underlying primitive, it is vulnerable to the Terrapin attack.

See also

  • Josefsson, Simon (2013-03-17). "Salsa20 stream cipher in TLS". mailarchive.ietf.org. IETF. Retrieved 2024-07-31. FYI, we have published -00 of a draft that describes how the Salsa20 stream cipher

References

  1. ^ a b c d e f Y. Nir; A. Langley (June 2018). ChaCha20 and Poly1305 for IETF Protocols. Internet Research Task Force. doi:10.17487/RFC8439. ISSN 2070-1721. RFC 8439. Informational. Obsoletes RFC 7539.
  2. ^ a b Bernstein, D. J. (January 2008). ChaCha, a variant of Salsa20 (PDF). The State of the Art of Stream Ciphers. Vol. 8. pp. 3–5.
  3. ^ Bernstein, Daniel J. (2005), "The Poly1305-AES Message-Authentication Code", Fast Software Encryption, Lecture Notes in Computer Science, vol. 3557, Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 32–49, doi:10.1007/11502760_3, ISBN 978-3-540-26541-2
  4. ^ Josefsson, Simon (March 2013). The Salsa20 Stream Cipher for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). I-D draft-josefsson-salsa20-tls-00.
  5. ^ Langley, Adam (September 2013). ChaCha20 and Poly1305 based Cipher Suites for TLS. I-D draft-agl-tls-chacha20poly1305-00.
  6. ^ Nir, Yoav (27 January 2014). ChaCha20 and Poly1305 for IETF protocols. I-D draft-nir-cfrg-chacha20-poly1305-00.
  7. ^ Langley, Adam; Chang, Wan-Teh; Mavrogiannopoulos, Nikos; Strombergson, Joachim; Josefsson, Simon (24 January 2014). The ChaCha Stream Cipher for Transport Layer Security. I-D draft-mavrogiannopoulos-chacha-tls-01.
  8. ^ Bursztein, Elie (24 April 2014). "Speeding up and strengthening HTTPS connections for Chrome on Android". Google Online Security Blog. Archived from the original on 2016-09-28. Retrieved 2021-12-27.
  9. ^ Miller, Damien. "Super User's BSD Cross Reference: /OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305". bxr.su. Archived from the original on 2013-12-13. Retrieved 2021-12-28.
  10. ^ Miller, Damien (29 November 2013). "ChaCha20 and Poly1305 in OpenSSH". Archived from the original on 2013-12-13. Retrieved 2021-12-28.
  11. ^ Y. Nir; A. Langley (May 2015). ChaCha20 and Poly1305 for IETF Protocols. Internet Engineering Task Force. doi:10.17487/RFC7539. ISSN 2070-1721. RFC 7539. Obsolete. Obsoleted by RFC 8439.
  12. ^ Y. Nir, ed. (August 2015). ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec. Internet Engineering Task Force. doi:10.17487/RFC7634. ISSN 2070-1721. RFC 7634. Proposed Standard.
  13. ^ "Do the ChaCha: better mobile performance with cryptography". The Cloudflare Blog. 2015-02-23. Retrieved 2021-12-28.
  14. ^ a b A. Langley; W. Chang; N. Mavrogiannopoulos; J. Strombergson; S. Josefsson (June 2016). ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS). Internet Engineering Task Force. doi:10.17487/RFC7905. ISSN 2070-1721. RFC 7905. Proposed Standard. Updates RFC 6347 and 5246.
  15. ^ Arciszewski, Scott (10 January 2020). XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305. I-D draft-irtf-cfrg-xchacha.
  16. ^ "NaCl: Networking and Cryptography library - Secret-key authenticated encryption". Archived from the original on 2009-06-30.
  17. ^ "libsodium - Authenticated encryption". Archived from the original on 2020-08-04.
  18. ^ "chacha20poly1305 - Rust". docs.rs. ChaCha8Poly1305 / ChaCha12Poly1305 - non-standard, reduced-round variants (gated under the reduced-round Cargo feature). See the Too Much Crypto paper for background and rationale on when these constructions could be used. When in doubt, prefer ChaCha20Poly1305. XChaCha8Poly1305 / XChaCha12Poly1305 - same as above, but with an extended 192-bit (24-byte) nonce.
  19. ^ a b M. Thomson; S. Turner, eds. (May 2021). Using TLS to Secure QUIC. Internet Engineering Task Force. doi:10.17487/RFC9001. ISSN 2070-1721. RFC 9001. Proposed Standard.
  20. ^ Donenfeld, Jason A. "Protocol & Cryptography - WireGuard". www.wireguard.com. Retrieved 2021-12-28.
  21. ^ R. Housley (February 2017). Using ChaCha20-Poly1305 Authenticated Encryption in the Cryptographic Message Syntax (CMS). Internet Engineering Task Force. doi:10.17487/RFC8103. ISSN 2070-1721. RFC 8103. Proposed Standard.
  22. ^ OTRv4, OTRv4, 2021-12-25, retrieved 2021-12-28
  23. ^ borg rcreate, borgbackup, 2022-08-03, retrieved 2023-01-28
  24. ^ Overstreet, Kent (September 11, 2024). "Encryption". bcachefs. Archived from the original on May 26, 2024. Retrieved June 8, 2024.
  25. ^ Degabriele, Jean Paul; Govinden, Jérôme; Günther, Felix; Paterson, Kenneth G. (2021-11-12), "The Security of ChaCha20-Poly1305 in the Multi-User Setting", Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA: Association for Computing Machinery, pp. 1981–2003, doi:10.1145/3460120.3484814, ISBN 978-1-4503-8454-4, S2CID 244077782, retrieved 2021-12-27
Index: pl ar de en es fr it arz nl ja pt ceb sv uk vi war zh ru af ast az bg zh-min-nan bn be ca cs cy da et el eo eu fa gl ko hi hr id he ka la lv lt hu mk ms min no nn ce uz kk ro simple sk sl sr sh fi ta tt th tg azb tr ur zh-yue hy my ace als am an hyw ban bjn map-bms ba be-tarask bcl bpy bar bs br cv nv eml hif fo fy ga gd gu hak ha hsb io ig ilo ia ie os is jv kn ht ku ckb ky mrj lb lij li lmo mai mg ml zh-classical mr xmf mzn cdo mn nap new ne frr oc mhr or as pa pnb ps pms nds crh qu sa sah sco sq scn si sd szl su sw tl shn te bug vec vo wa wuu yi yo diq bat-smg zu lad kbd ang smn ab roa-rup frp arc gn av ay bh bi bo bxr cbk-zam co za dag ary se pdc dv dsb myv ext fur gv gag inh ki glk gan guw xal haw rw kbp pam csb kw km kv koi kg gom ks gcr lo lbe ltg lez nia ln jbo lg mt mi tw mwl mdf mnw nqo fj nah na nds-nl nrm nov om pi pag pap pfl pcd krc kaa ksh rm rue sm sat sc trv stq nso sn cu so srn kab roa-tara tet tpi to chr tum tk tyv udm ug vep fiu-vro vls wo xh zea ty ak bm ch ny ee ff got iu ik kl mad cr pih ami pwn pnt dz rmy rn sg st tn ss ti din chy ts kcg ve
Prefix: a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9

Portal di Ensiklopedia Dunia

Portal : Agama
Agama
Portal : Bahasa
Bahasa
Portal : Biografi
Biografi
Portal : Budaya
Budaya
Portal : Ekonomi
Ekonomi
Portal : Elektronika
Elektronika
Portal : Film
Film
Portal : Filsafat
Filsafat
Portal : Geografi
Geografi
Portal : Indonesia
Indonesia
Portal : Ilmu
Ilmu
Portal : Lingkungan
Lingkungan
Portal : Masyarakat
Masyarakat
Portal : Matematika
Matematika
Portal : Militer
Militer
Portal : Mitologi
Mitologi
Portal : Musik
Musik
Portal : Olahraga
Olahraga
Portal : Pendidikan
Pendidikan
Portal : Politik
Politik
Portal : Sastra
Sastra
Portal : Sejarah
Sejarah
Portal : Seni
Seni
Portal : Teknologi
Teknologi
Kembali kehalaman sebelumnya