[Cryptography] XChaCha20 standardized?

Jason Cooper cryptography at lakedaemon.net
Mon Dec 4 15:46:47 EST 2017


To put a more refined point on it:

On Mon, Dec 04, 2017 at 06:54:58PM +0000, Jason Cooper wrote:
> While digging into libsodium [1] (An ISC licensed chacha20-poly1305 AEAD
> crypto library), I found they recently added support for
> chacha20-poly1305-ietf and xchacha20-poly1305-ietf.  The difference
> between the original and these two new ones being nonce size.
> 
> The original libsodium chacha20-poly1305 AEAD construction used a 64bit
> nonce.  When chacha20-poly1305 AEAD was formally specified in RFC 7539
> [2], they used a 96bit nonce.  libsodium calls this
> chacha20-poly1305-ietf.
> 
> A 2008 paper by DJB, "Extending the Salsa20 nonce", described XSalsa20
> with a 192bit nonce [3].  libsodium apparently applied this concept to
> ChaCha20 to create XChaCha20 [4].  This seems attractive, but I'm
> reluctant to deploy anything without a formal specification.  So,

In [3], under the "Definition of HSalsa20", DJB states "The indices 0,
5, 10, 15, 6, 7, 8, 9 here were not chosen arbitrarily; the choice is
important for the security proof later in this paper."

Those output indices are then used as the key for the next double-round.

Looking at the libsodium implementation of HChaCha20 in:

  src/libsodium/crypto_core/hchacha20/core_hchacha20.c:17

it finishes with:

    STORE32_LE(out +  0, x0);
    STORE32_LE(out +  4, x1);
    STORE32_LE(out +  8, x2);
    STORE32_LE(out + 12, x3);
    STORE32_LE(out + 16, x12);
    STORE32_LE(out + 20, x13);
    STORE32_LE(out + 24, x14);
    STORE32_LE(out + 28, x15);

This *appears* to be in line with the intent of XSalsa20's output choices.  The
indexes output for both XSalsa20 and XChaCha20 correspond to the
original positions of the constants and the nonce (blockcounter & nonce
in ChaCha20's case) in both cases.

But I'd feel a whole lot more comfortable with it if I could locate some
definitive specification and analysis.

thx,

Jason.

> [1] https://download.libsodium.org/doc/
> [2] https://tools.ietf.org/html/rfc7539
> [3] https://cr.yp.to/snuffle/xsalsa-20081128.pdf
> [4] https://download.libsodium.org/doc/key_derivation/index.html#nonce-extension
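
The index correspondence described in the message, as an added example that is not part of the original post or libsodium's code: a word-level ChaCha20 core showing that the HChaCha20 output words (state words 0-3 and 12-15) equal the ChaCha20 block words at those positions with the public constants and public input subtracted. The function names, the word-based interface and the sample input (the RFC 7539 section 2.3.2 block test input) are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <string.h>
#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) do { \
    a += b; d ^= a; d = ROTL(d, 16); c += d; b ^= c; b = ROTL(b, 12); \
    a += b; d ^= a; d = ROTL(d, 8);  c += d; b ^= c; b = ROTL(b, 7); } while (0)

static const uint32_t SIGMA[4] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
/* Constructed sample (little-endian words): the RFC 7539 section 2.3.2 key,
 * then its block counter 1 and nonce as the four public words 12-15. */
static const uint32_t SAMPLE_KEY[8] = {0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
                                       0x13121110, 0x17161514, 0x1b1a1918, 0x1f1e1d1c};
static const uint32_t SAMPLE_IN[4] = {0x00000001, 0x09000000, 0x4a000000, 0x00000000};

/* State: words 0-3 constants, 4-11 key, 12-15 public input. feed_forward=1 is
 * the ChaCha20 block function; 0 is the bare permutation HChaCha20 reads. */
void chacha_core(uint32_t x[16], const uint32_t key[8], const uint32_t in[4], int feed_forward) {
    uint32_t s[16];
    memcpy(s, SIGMA, 16); memcpy(s + 4, key, 32); memcpy(s + 12, in, 16);
    memcpy(x, s, sizeof s);
    for (int i = 0; i < 10; i++) {  /* 10 double rounds: columns, then diagonals */
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (int i = 0; feed_forward && i < 16; i++) x[i] += s[i];
}

/* HChaCha20 output word j (0-7): permuted words 0-3 then 12-15, the order of
 * the STORE32_LE calls quoted in the post. */
uint32_t hchacha20_word(const uint32_t key[8], const uint32_t in[4], int j) {
    uint32_t x[16];
    chacha_core(x, key, in, 0);
    return x[j < 4 ? j : j + 8];
}

/* 1 if HChaCha20 is recoverable from the ChaCha20 block without the key:
 * block word minus the public constant (0-3) or public input word (12-15). */
int hchacha_is_block_minus_public(const uint32_t key[8], const uint32_t in[4]) {
    uint32_t blk[16];
    chacha_core(blk, key, in, 1);
    for (int j = 0; j < 8; j++) {
        uint32_t pub = j < 4 ? SIGMA[j] : in[j - 4];
        if (hchacha20_word(key, in, j) != blk[j < 4 ? j : j + 8] - pub) return 0;
    }
    return 1;
}

int main(void) { return hchacha_is_block_minus_public(SAMPLE_KEY, SAMPLE_IN) ? 0 : 1; }
```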

