ChaCha20 (without Poly1305) block counter

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

ChaCha20 (without Poly1305) block counter

Jerry Lui
Hi,

I am trying to use ChaCha20 (without Poly1305)

From RFC 7539:
One of the inputs to ChaCha20 is:
"A 32-bit initial counter."

However I cannot find the function to set this. where should I input this?

Thanks,
Jerry

Reply | Threaded
Open this post in threaded view
|

Re: ChaCha20 (without Poly1305) block counter

Matt Caswell-2


On 17/04/2019 20:36, Jerry Lui wrote:
> Hi,
>
> I am trying to use ChaCha20 (without Poly1305)
>
> From RFC 7539:
> One of the inputs to ChaCha20 is:
> "A 32-bit initial counter."
>
> However I cannot find the function to set this. where should I input this?

From code inspection it looks to me like our documentation is wrong. Our docs say:

  =item EVP_chacha20()

  The ChaCha20 stream cipher. The key length is 256 bits, the IV is 96 bits long.

The IV here is referring to the number of bytes in the IV field that should be
sent to EVP_EncryptInit_ex().

But what is actually implemented is a 128 bit IV with the first 32 bits being
the counter and the next 96 bits being the nonce.

Additionally the counter is in little-endian order. So a counter of 1 is
expressed as 4 bytes: 01000000

I've raised the following PR to correct this:

https://github.com/openssl/openssl/pull/8780

Matt