ChaCha20-Poly1305 is an authenticated encryption with additional data (AEAD) algorithm, that combines the

ChaCha20 Salsa20 and the closely related ChaCha are stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM European Union cryptographic validation process by Bernstein. Ch ...

stream cipher with the

Poly1305 Poly1305 is a universal hash family designed by Daniel J. Bernstein for use in cryptography. As with any universal hash family, Poly1305 can be used as a one-time message authentication code to authenticate a single message using a key shared ...

message authentication code. Its usage in IETF protocols is standardized in RFC 8439. It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.

History

The two building blocks of the construction, the algorithms Poly1305 and ChaCha20, were both independently designed, in 2005 and 2008, by Daniel J. Bernstein. In 2013–2014, a variant of the original ChaCha20 algorithm (using 32-bit counter and 96-bit nonce) and a variant of the original Poly1305 (authenticating 2 strings) were combined in an IETF draft to be used in TLS and

DTLS Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol i ...

, and chosen by

Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...

, for security and performance reasons, as a newly supported cipher. Shortly after Google's adoption for TLS, ChaCha20, Poly1305 and the combined AEAD mode are added to

OpenSSH OpenSSH (also known as OpenBSD Secure Shell) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture. Network Working Gro ...

via thechacha20-poly1305@openssh.com authenticated encryption cipher but kept the original 64-bit counter and 64-bit nonce for the ChaCha20 algorithm. In 2015, the AEAD algorithm is standardized in RFC 7539 and RFC 7905 to be used in TLS 1.2 and DTLS 1.2 and in RFC 7634 to be used in IPsec. The same year, it is integrated in Cloudflare as an alternative ciphersuite. In June 2018, the RFC 7539 was updated and replaced by RFC 8439.

Description

The ChaCha20-Poly1305 algorithm as described in RFC 8439 take as input a 256-bit key and a 96-bit nonce to encrypt a plaintext, with a ciphertext expansion of 128-bit (the tag size). In the ChaCha20-Poly1305 construction, ChaCha20 is used in counter mode to derive a key stream that is

XORed Exclusive or or exclusive disjunction is a Logical connective, logical operation that is true if and only if its arguments differ (one is true, the other is false). It is Table of logic symbols, symbolized by the prefix operator J and by the ...

with the plaintext. The ciphertext and the associated data is then authenticated using a variant of Poly1305 that first encodes the two strings into one. ChaCha20-Poly1305 Encryption

Variants

XChaCha20-Poly1305 – extended nonce variant

The XChaCha20-Poly1305 construction is an extended 192-bit nonce variant of the ChaCha20-Poly1305 construction, using XChaCha20 instead of

. When choosing nonces at random, the XChaCha20-Poly1305 construction allows for better security than the original construction. The draft attempt to standardize the construction expired in July 2020.

Salsa20-Poly1305 and XSalsa20-Poly1305

Salsa20-Poly1305 and XSalsa20-Poly1305 are variants of the ChaCha20-Poly1305 and XChaCha20-Poly1305 algorithms, using

Salsa20 Salsa20 and the closely related ChaCha are stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM European Union cryptographic validation process by Bernstein. Ch ...

and

XSalsa20 Salsa20 and the closely related ChaCha are stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM European Union cryptographic validation process by Bernstein. Ch ...

in place of ChaCha20 and XChaCha20. They are implemented in

NaCl Sodium chloride , commonly known as salt (although sea salt also contains other chemical salts), is an ionic compound with the chemical formula NaCl, representing a 1:1 ratio of sodium and chloride ions. With molar masses of 22.99 and 35.45 g/ ...

and libsodium but not standardized. The variants using ChaCha is preferred in practice as it provides better

diffusion Diffusion is the net movement of anything (for example, atoms, ions, molecules, energy) generally from a region of higher concentration to a region of lower concentration. Diffusion is driven by a gradient in Gibbs free energy or chemica ...

per round than Salsa.

Use

ChaCha20-Poly1305 is used in

IPsec In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in ...

SSH The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution. SSH applications are based on ...

TLS 1.2 Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...

1.2,

TLS 1.3 Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...

QUIC QUIC (pronounced "quick") is a general-purpose transport layer network protocol initially designed by Jim Roskind at Google, implemented, and deployed in 2012, announced publicly in 2013 as experimentation broadened, and described at an IETF meet ...

, WireGuard, S/MIME 4.0, OTRv4 and multiple other protocols. Among others, it is implemented in OpenSSL,

and

libsodium NaCl (pronounced "salt") is an abbreviation for "Networking and Cryptography library", a public domain "...high-speed software library for network communication, encryption, decryption, signatures, etc". NaCl was created by the mathematician and ...

Performance

ChaCha20-Poly1305 usually offers better performance than the more prevalent AES- GCM algorithm on systems where the CPU(s) does not feature the AES-NI instruction set extension. As a result, ChaCha20-Poly1305 is sometimes preferred over AES-GCM due to its similar levels of security and in certain use cases involving

mobile device A mobile device (or handheld computer) is a computer small enough to hold and operate in the hand. Mobile devices typically have a flat LCD or OLED screen, a touchscreen interface, and digital or physical buttons. They may also have a physica ...

s, which mostly use

ARM In human anatomy, the arm refers to the upper limb in common usage, although academically the term specifically means the upper arm between the glenohumeral joint (shoulder joint) and the elbow joint. The distal part of the upper limb between th ...

-based CPUs.

Security

The ChaCha20-Poly1305 construction is proven secure in the standard model and the ideal permutation model, for the single- and multi-user setting. However, similarly to GCM, the security relies on choosing a unique nonce for every message encrypted. Compared to AES-GCM, implementations of ChaCha20-Poly1305 are less vulnerable to timing attacks.

External links

RFC 8439
ChaCha20 and Poly1305 for IETF Protocols
RFC 7634
ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec
RFC 7905
ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
RFC 8103
Using ChaCha20-Poly1305 Authenticated Encryption in the Cryptographic Message Syntax (CMS)

References

{{Cryptography navbox, stream, hash Authenticated-encryption schemes Message authentication codes Stream ciphers Finite fields