OpenSSH uses a slightly different ChaCha20-Poly1305 AEAD construct than the one proposed by A. Langley and others for TLS.
- The OpenSSH version uses two 256-bit keys.
- The first key is used for deriving the Poly1305 MAC key and for encrypting the actual payload.
- The second key is used to encrypt the AAD (the 4-byte packet length in the OpenSSH case).
This construct results in at least 3 rounds of ChaCha20 for small messages (<= 64 bytes).
The first ChaCha20 round, for deriving the 256-bit Poly1305 key, spits out 64 bytes of which the last 32 bytes are unused.
The second ChaCha20 round encrypts the AAD data (a 4-byte packet length).
The third (and further) ChaCha20 round(s) encrypt the actual packet payload.
For small messages, this seems to generate an unnecessary overhead of up to 33% computation time (in case the message payload is less than 64 bytes).
- Why not use the unused 32 bytes from the Poly1305 key derivation ChaCha20 round in order to encrypt the packet length (or, say, the AAD data up to 32 bytes)?
Is it cryptographically required to use a 2nd ChaCha20 context with a 2nd key to encrypt the packet length (the AAD data),… or in other words, is it more secure to use a 2nd key (that very likely comes from the same single shared secret as the first key) rather than use a single key and encrypt the AAD data from the same ChaCha20 round that derived the Poly1305 key?
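To make the three keystream blocks and the 32 discarded bytes concrete, here is a self-contained Python implementation of the construct as the question describes it. It is added here as an illustration; it is neither OpenSSH's code nor the poster's. It assumes the key, nonce and counter usage of OpenSSH's PROTOCOL.chacha20poly1305: the nonce is the 8-byte big-endian packet sequence number, the Poly1305 key is the first 32 bytes of block counter 0 under the payload key, the payload is encrypted starting at block counter 1, the length is encrypted with block counter 0 under the second key, and the tag is Poly1305 over the ciphertext (encrypted length followed by encrypted payload). Function names and the sample keys are this example's own.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF
TAG_LEN = 16


def _rotl32(v: int, c: int) -> int:
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(x: list, a: int, b: int, c: int, d: int) -> None:
    x[a] = (x[a] + x[b]) & MASK32; x[d] = _rotl32(x[d] ^ x[a], 16)
    x[c] = (x[c] + x[d]) & MASK32; x[b] = _rotl32(x[b] ^ x[c], 12)
    x[a] = (x[a] + x[b]) & MASK32; x[d] = _rotl32(x[d] ^ x[a], 8)
    x[c] = (x[c] + x[d]) & MASK32; x[b] = _rotl32(x[b] ^ x[c], 7)


def chacha20_block(key: bytes, counter_nonce: bytes) -> bytes:
    """One 64-byte keystream block; counter_nonce is the raw 16-byte state tail.
    OpenSSH uses the original layout: 64-bit LE block counter || 64-bit nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + counter_nonce))
    x = state[:]
    for _ in range(10):  # 20 rounds as 10 double rounds (column, then diagonal)
        _quarter_round(x, 0, 4, 8, 12); _quarter_round(x, 1, 5, 9, 13)
        _quarter_round(x, 2, 6, 10, 14); _quarter_round(x, 3, 7, 11, 15)
        _quarter_round(x, 0, 5, 10, 15); _quarter_round(x, 1, 6, 11, 12)
        _quarter_round(x, 2, 7, 8, 13); _quarter_round(x, 3, 4, 9, 14)
    return struct.pack("<16I", *[(a + b) & MASK32 for a, b in zip(x, state)])


def chacha20_xor(key: bytes, counter: int, nonce8: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, struct.pack("<Q", counter + i // 64) + nonce8)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """RFC 8439 Poly1305 over msg; key = r (clamped) || s, 16 bytes each."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:32], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        # appending 0x01 sets the high bit just above the (possibly short) block
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def poly1305_key_and_spare(payload_key: bytes, seqnr: int) -> tuple:
    """Block counter 0 under the payload key: the first 32 bytes are the one-time
    Poly1305 key, the remaining 32 bytes are the unused half the question asks about."""
    block0 = chacha20_block(payload_key, struct.pack("<Q", 0) + struct.pack(">Q", seqnr))
    return block0[:32], block0[32:]


def seal(payload_key: bytes, length_key: bytes, seqnr: int, payload: bytes) -> tuple:
    """Returns (wire_bytes, number_of_chacha20_blocks_generated) for one packet."""
    nonce = struct.pack(">Q", seqnr)                                  # packet sequence number
    poly_key, _spare = poly1305_key_and_spare(payload_key, seqnr)     # block 1 (spare unused)
    enc_len = chacha20_xor(length_key, 0, nonce, struct.pack(">I", len(payload)))  # block 2
    enc_payload = chacha20_xor(payload_key, 1, nonce, payload)        # blocks 3..n
    tag = poly1305_mac(poly_key, enc_len + enc_payload)               # MAC over the ciphertext
    return enc_len + enc_payload + tag, 2 + (len(payload) + 63) // 64


def open_(payload_key: bytes, length_key: bytes, seqnr: int, wire: bytes) -> bytes:
    nonce = struct.pack(">Q", seqnr)
    poly_key, _spare = poly1305_key_and_spare(payload_key, seqnr)
    enc_len = wire[:4]
    # The length is decrypted first so the receiver knows where the tag sits;
    # it is still covered by the tag, which is verified before the payload is used.
    length = struct.unpack(">I", chacha20_xor(length_key, 0, nonce, enc_len))[0]
    enc_payload, tag = wire[4:4 + length], wire[4 + length:4 + length + TAG_LEN]
    if len(enc_payload) != length or len(tag) != TAG_LEN:
        raise ValueError("truncated packet")
    if not hmac.compare_digest(poly1305_mac(poly_key, enc_len + enc_payload), tag):
        raise ValueError("authentication failed")
    return chacha20_xor(payload_key, 1, nonce, enc_payload)


def tamper_detected(payload_key: bytes, length_key: bytes, seqnr: int, wire: bytes, index: int) -> bool:
    """True if flipping one bit at wire[index] is rejected by open_()."""
    bad = bytearray(wire); bad[index] ^= 0x01
    try:
        open_(payload_key, length_key, seqnr, bytes(bad))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # constructed keys and a short packet, for demonstration only
    k_payload, k_length = bytes(range(32)), bytes(range(32, 64))
    wire, blocks = seal(k_payload, k_length, seqnr=7, payload=b"small SSH packet")
    print(len(wire), "bytes on the wire,", blocks, "ChaCha20 blocks generated")
    print(open_(k_payload, k_length, 7, wire))
```

The ChaCha20 block function and Poly1305 can be checked against the RFC 8439 test vectors; the packet-level construct follows the spec as summarised above but has not been verified here against a live OpenSSH peer. `poly1305_key_and_spare` returns the second half of block 0 only to make its existence visible: `seal` and `open_` discard it, exactly as the construct under discussion does, and a 16-byte payload costs three blocks while a 100-byte payload costs four.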