#StackBounty: #authenticated-encryption #chacha #poly1305 Reason for 3 rounds ChaCha in ChaCha20Poly1305@openssh

Bounty: 50

OpenSSH uses a slightly different ChaCha20Poly1305 AEAD construct then the one proposed by A. Langley and others for TLS.

The TLS version

The openSSH version (and here)

  1. The openSSH version uses two 256bit keys.

  2. First key is used for deriving the Poly1305 MAC key and for encrypting the actual payload

  3. The second key is used to encrypt the AAD (the 4 byte packet length in the openSSH case)

  4. This construct result in at least 3 rounds of ChaCha20 for small messages (<=64 bytes).

  5. The first ChaCha20 round for deriving the 256bit Poly1305 key spits out 64bytes where the last 32bytes are unused.

  6. The second ChaCha20 round encrypts the AAD data (a 4 byte packet length)

  7. The third (and more) ChaCha20 round(s) encrypts the actual packet payload.

For small messages, this seems to generate an unnecessary overhead of up to 33% computation time (in case message payload is less then 64 bytes).

The question

  1. Why not use the unused 32bytes from the Poly1305 key derivation ChaCha20 round in order to encrypt the packet length (or say the AAD data up to 32 bytes)?
  2. Is it cryptographically required to use a 2nd ChaCha20 context with a 2nd key to encrypt the packet length (the AAD data),… or in other words, is it more secure to use a 2nd key (that very likely comes from the same single shared secret as the first key) rather then use a single key and encrypt the AAD data from the same ChaCha20 round that derived the Poly1305 key?


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.