ChaCha20

文档：rfc8439（原RFC7539）

ChaCha20 is a stream cipher designed by Daniel J. Bernstein.

The secret key is 256 bits long (32 bytes).

The cipher requires a nonce, which must not be reused across encryptions performed with the same key.

Nonce length	Description	Max data	If random nonce and same key
8 bytes (default)	The original ChaCha20 designed by Bernstein.	No limitations	Max 200 000 messages
12 bytes	The TLS ChaCha20 as defined in RFC7539.	256 GB	Max 13 billions messages
24 bytes	XChaCha20, still in draft stage.	256 GB	No limitations

Message Authentication Code (such as HMAC) should be used to authenticate the ciphertext (encrypt-then-mac). Alternatively, ChaCha20_Poly1305 can be used.

1. Introduction

AES的问题：

• 再优秀的算法也需要有备用替代算法；
• 在有些平台还是慢；
• cache-collision timing attacks ([Cache-Collisions]).

RFC 8439介绍了3种算法：

• The ChaCha20 cipher
  • 软件实现效率是AES的3倍；
  • 可抵御timing attacks.
• The Poly1305 authenticator, a high-speed MAC；
• The CHACHA20-POLY1305 AEAD construction.

2. Allgorithms

2.1. The ChaCha Quarter Round

The basic operation of the ChaCha algorithm is the quarter round. It operates on four 32-bit unsigned integers, denoted a, b, c, and d.

#define QR(a, b, c, d) {\
    a+=b; d^=a; d=ROTL(d,16); \
    c+=d; b^=c; b=ROTL(b,12); \
    a+=b; d^=a; d=ROTL(d,8);  \
    c+=d; b^=c; b=ROTL(b,7);  \
}
// ROTL: 循环左移

The algorithm name is “ChaCha”. “ChaCha20” is a specific instance where 20 “rounds” or 80 quarter rounds

2.2. A Quarter Round on the ChaCha State

The ChaCha state does not have four integer numbers: it has 16. So the quarter-round operation works on only four of them – hence the name.

QUARTERROUND(1, 5, 9, 13);
0 *a 2 3
4 *b 6 7
8 *c 10 11
12 *d 14 15

this run of quarter round is part of what is called a “column round”.

2.3. The ChaCha20 Block Function

The ChaCha block function transforms a ChaCha state by running multiple quarter rounds.

uint8_t[64] /*keystream*/ BlockFunc(
    uint8_t key[32]		// 256 bits
    , uint8_t nonce[12]	// 96 bits
    , uint32_t  blockCount	// 32 bits
);

The original ChaCha had a 64-bit nonce and 64-bit block count. We have modified this here to be more consistent with recommendations in Section 3.2 of RFC 5116: An Interface and Algorithms for Authenticated Encryption.

Init

The ChaCha20 state is initialized as follows:

// 1
hash[0] = 0x61707865;
hash[1] = 0x3320646e;
hash[2] = 0x79622d32;
hash[3] = 0x6b206574;
// 2
// Move 256-bit/32-byte key into h[4..11]
for (i=0; i<8; i++) {
    hash[4+i] = u8to32_little(key + 4*i);
}

// hash[12] = block counter


hash[13] = u8to32_little(nonce);
hash[14] = u8to32_little(nonce + 4);
hash[15] = u8to32_little(nonce + 8);

/*
cccccccc cccccccc cccccccc cccccccc
kkkkkkkk kkkkkkkk kkkkkkkk kkkkkkkk
kkkkkkkk kkkkkkkk kkkkkkkk kkkkkkkk
bbbbbbbb nnnnnnnn nnnnnnnn nnnnnnnn
*/

Pycryptodome src: Nonce must be 8/12 bytes(ChaCha20) or 24 bytes (XChaCha20)

Round

ChaCha20共20轮，4轮"column rounds" 和4轮"diagonal rounds"交替进行。

for (i=0; i<10; i++) {
    /** Column round **/
    QR(h[0], h[4], h[ 8], h[12]);
    QR(h[1], h[5], h[ 9], h[13]);
    QR(h[2], h[6], h[10], h[14]);
    QR(h[3], h[7], h[11], h[15]);
    /** Diagonal round **/
    QR(h[0], h[5], h[10], h[15]);
    QR(h[1], h[6], h[11], h[12]);
    QR(h[2], h[7], h[ 8], h[13]);
    QR(h[3], h[4], h[ 9], h[14]);
}

以上操作是在state副本上操作的，最后需要将原始值和新的值相加，小端存储为key stream作为输出，16个四字节hash，刚好64字节。

2.4. The ChaCha20 Encryption Algorithm

The ChaCha20 function then performs an XOR of this keystream with the plaintext.

There is no requirement for the plaintext to be an integral multiple of 512 bits. If there is extra keystream from the last block, it is discarded.

Specific protocols MAY require that the plaintext and ciphertext have certain length. Such protocols need to specify how the plaintext is padded and how much padding it receives.

实现

https://github.com/C0deStarr/CryptoImp/tree/main/Cipher/StreamCipher

• chacha20.h
• chacha20.c

参考资料

RFC 8439: ChaCha20 and Poly1305 for IETF Protocols (rfc-editor.org)

ChaCha20 and XChaCha20 — PyCryptodome 3.17.0 documentation