Howto implement chacha20-poly1305?
Jussi Kivilinna
jussi.kivilinna at iki.fi
Tue Nov 29 17:56:31 CET 2016
Hello,
On 29.11.2016 00:23, Stef Bon wrote:
> 2016-11-28 22:01 GMT+01:00 Stef Bon <stefbon at gmail.com>:
>
>>> Then use gcry_cipher_gettag/gcry_cipher_checktag for retrieving/checking
>>> tag.
>>>
>>> It is an AEAD cipher mode, so there is no separate encryption and separate
>>> MAC.
>>
>> Ah. Thanks a lot!
>
> Do I have to decrypt and encrypt in a special way as described here:
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD
Unfortunately the AEAD cipher mode for "chacha20poly1305 at openssh.com" is slightly different from chacha20-poly1305 AEAD described in RFC7539 which libgcrypt implements. Problem is that OpenSSH add chacha20-poly1305 support based on early draft-RFC and there was change to data padding later in the draft series.
So, to get "chacha20poly1305 at openssh.com" AEAD, you'd need to use separate Chacha20 cipher and Poly1305 mac instances and implement AEAD mode manually.
gcry_mac_open(... GCRY_MAC_POLY1305 ...)
gcry_cipher_open(... GCRY_CIPHER_CHACHA20 ...)
-Jussi
>
> Stef
>
> _______________________________________________
> Gcrypt-devel mailing list
> Gcrypt-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
>
More information about the Gcrypt-devel
mailing list