Proposal Details
I propose to move the golang.org/x/crypto/chacha20poly1305 package into the standard library with the name crypto/chacha20poly1305 as part of #65269.
golang.org/x/crypto/chacha20poly1305 would then be updated to just be a wrapper around crypto/chacha20poly1305.
golang.org/x/crypto/chacha20poly1305 is already heavily used in the standard library as a crypto/tls and crypto/internal/hpke cipher. More than 4,000 external projects depend on it.
The API surface is quite small. I would port it with the same functionality, but making the New and NewX functions return concrete types rather than cipher.AEAD so that we can extend in the future.
```go
// Package chacha20poly1305 implements the ChaCha20-Poly1305 AEAD
// and its extended nonce variant XChaCha20-Poly1305, as specified in RFC 8439
// and draft-irtf-cfrg-xchacha-01.
package chacha20poly1305

const (
	// KeySize is the size of the key used by this AEAD, in bytes.
	KeySize = 32

	// NonceSize is the size of the nonce used with the standard variant of this
	// AEAD, in bytes.
	//
	// Note that this is too short to be safely generated at random if the same
	// key is reused more than 2³² times.
	NonceSize = 12

	// NonceSizeX is the size of the nonce used with the XChaCha20-Poly1305
	// variant of this AEAD, in bytes.
	NonceSizeX = 24

	// Overhead is the size of the Poly1305 authentication tag, and the
	// difference between a ciphertext length and its plaintext.
	Overhead = 16
)

type Chacha20Poly1305 []byte

// New returns a ChaCha20-Poly1305 AEAD that uses the given 256-bit key.
func New(key []byte) (*Chacha20Poly1305, error)

func (*Chacha20Poly1305) NonceSize() int
func (*Chacha20Poly1305) Overhead() int
func (*Chacha20Poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte
func (*Chacha20Poly1305) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error)

type XChacha20Poly1305 []byte

// NewX returns a XChaCha20-Poly1305 AEAD that uses the given 256-bit key.
func NewX(key []byte) (*XChacha20Poly1305, error)

func (*XChacha20Poly1305) NonceSize() int
func (*XChacha20Poly1305) Overhead() int
func (*XChacha20Poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte
func (*XChacha20Poly1305) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error)
```

chacha20poly1305 internally uses golang.org/x/crypto/chacha20 and golang.org/x/crypto/internal/poly1305. I propose to keep depending on golang.org/x/crypto/chacha20 (until it's ported to the standard library, if ever), and copy golang.org/x/crypto/internal/poly1305 into a standard library internal package.
@golang/security @golang/proposal-review