
Implement Chacha20 and Poly1305 #485


@damaki damaki commented May 18, 2016

Hello again!

This pull request implements the ChaCha20 cipher, the Poly1305 authenticator,
and the ChaCha20+Poly1305 AEAD described in RFC 7539. This addresses Issue #346.

ChaCha20 and AEAD_ChaCha20_Poly1305 have been added to the Cipher module also.

I've implemented these algorithms by following RFC 7539. I referred to one of the RFC's informative references here to help fix some multiplication correctness issues that I had with Poly1305 whilst implementing the algorithm.

The test suite has been updated to include the test vectors from RFC 7539 for each of the algorithms.

Below are the benchmark results for ChaCha20 and Poly1305 individually, tested
on my system: Ubuntu 14.04 64-bit, Intel Core i7-2630QM, built using GCC 4.9.3.

AES-CBC-128              :     321493 Kb/s,          5 cycles/byte
AES-CBC-192              :     288173 Kb/s,          6 cycles/byte
AES-CBC-256              :     256147 Kb/s,          7 cycles/byte
AES-GCM-128              :     125628 Kb/s,         15 cycles/byte
AES-GCM-192              :     121279 Kb/s,         15 cycles/byte
AES-GCM-256              :     115015 Kb/s,         16 cycles/byte
AES-CCM-128              :     178437 Kb/s,         10 cycles/byte
AES-CCM-192              :     161727 Kb/s,         11 cycles/byte
AES-CCM-256              :     147757 Kb/s,         13 cycles/byte
CAMELLIA-CBC-128         :      60861 Kb/s,         32 cycles/byte
CAMELLIA-CBC-192         :      46225 Kb/s,         47 cycles/byte
CAMELLIA-CBC-256         :      47150 Kb/s,         40 cycles/byte
ChaCha20                 :     209225 Kb/s,          9 cycles/byte
Poly1305                 :     700353 Kb/s,          2 cycles/byte
BLOWFISH-CBC-128         :      71843 Kb/s,         26 cycles/byte
BLOWFISH-CBC-192         :      73082 Kb/s,         26 cycles/byte
BLOWFISH-CBC-256         :      71474 Kb/s,         28 cycles/byte

This change currently only adds the ciphers to mbedTLS. I haven't added any of the ChaCha20 cipher suites described in draft-ietf-tls-chacha20-poly1305-04, as I'd like some feedback first.


@simonbutcher simonbutcher commented May 18, 2016

Gosh that was quick! You didn't really do this in a day did you?

Thanks very much for the contribution! It's going to take us a little time to review, and properly integrate, which we'll do at the next opportunity.


@damaki damaki commented May 18, 2016

Haha no, I started working on it for mbedTLS a few days ago, since I'd like to use these along with mbedTLS on one of my own projects. I'm also familiar with ChaCha20 having previously implemented it in Ada about a year ago, so that helps.

damaki added 23 commits May 15, 2016

Test vectors are included from RFC 7539.

Poly1305 is also added to the benchmark program.

This implementation is based on the description in RFC 7539.

The ChaCha20 code is also updated to provide a means of generating
keystream blocks with arbitrary counter values. This is used to
generate the one-time Poly1305 key in the AEAD construction.

This change permits users of the ChaCha20/Poly1305 algorithms
(and the AEAD construction thereof) to pass NULL pointers for
data that they do not need, and avoids the need to provide a valid
buffer for data that is not used.

I refactored some code into the function mbedtls_constant_time_memcmp
in commit 7aad291 but this function is only used by GCM and
AEAD_ChaCha20_Poly1305 to check the tags. So this function is now
only enabled if either of these two ciphers is enabled.

This change assigns error codes for ChaCha20, Poly1305, and
AEAD_ChaCha20_Poly1305 according to the policy defined in error.h

This change corrects some minor style violations, mostly for spacing
around parentheses.
@damaki damaki force-pushed the damaki:chacha20 branch from ee1d51b to 9d32942 Sep 1, 2016

@damaki damaki commented Sep 1, 2016

Hello again,

I've just rebased my branch with the latest mbedTLS development branch to resolve the merge conflicts and to keep it more up-to-date.


@mpg mpg commented May 8, 2018

@damaki Thanks again for your contribution and sorry for keeping you waiting for so long. I'm happy to announce that integrating these new primitives finally made it into our short term roadmap and we are aiming to include your contribution in our next release.

Even though your PR is very high quality already, there are inevitably a few things to rework. Since we feel it wouldn't be fair to ask you to do this rework at short notice after keeping you waiting for almost two years, we're going to do it ourselves in this new PR: #1617

Please note that this is not how we intend to handle contributions in general, it is only a work-around while we try to handle our backlog of overdue PRs. In the future we certainly intend to react more quickly to incoming contributions and work with submitters on finalizing them.


@mpg mpg commented May 8, 2018

Continued in: #1617

@mpg mpg closed this May 8, 2018