Cryptography ‐ ChaCha20 Poly1305 - Arrbat/Veil-Forge GitHub Wiki

Introduction

This page covers what the ChaCha20 stream cipher is, what Poly1305 is, and why it is a good idea to use them together. It is impossible to explain how they work without basic knowledge of cryptography and some math; for anyone who wants to understand applied cryptography deeply, I recommend this book:

A Graduate Course in Applied Cryptography
Dan Boneh and Victor Shoup

3.6 Case study: the Salsa and ChaCha PRGs
6. Message Integrity

There is also a very good article about both ChaCha20 and Poly1305 and their combination.

ChaCha20

ChaCha20 is a stream cipher developed by Daniel J. Bernstein, designed as an improvement over Salsa20. Both ciphers are built on the same family of pseudorandom functions, but ChaCha provides better diffusion per round and is more resistant to cryptanalysis.

Visual representation of ChaCha’s internal structure:

image

where

  • pad(s, j, n) is a function
  • pi denotes the permutation function
  • a 64-bit counter and a 64-bit nonce are used

or architecture representation: image

Poly1305

Poly1305 is a one-time, fast Message Authentication Code (MAC) algorithm, also designed by Bernstein. It operates over a 128-bit prime field and provides data integrity by producing a 16-byte tag.

Its architecture is shown below:

Architecture-of-Poly1305-primitive-20

ChaCha20+Poly1305

Combining ChaCha20 for encryption with Poly1305 for authentication gives a powerful authenticated encryption with associated data (AEAD) scheme. It ensures:

  • Confidentiality
  • Integrity
  • Authenticity

Overall, the combination implements the Encrypt-then-MAC idea (second line in the image). The process is as follows:

  • Encrypt the plaintext using ChaCha20.

  • MAC the ciphertext + AAD using Poly1305.

  • Output the ciphertext + authentication tag.

image

Project's context

In this project, ChaCha20-Poly1305 is used to:

  • Encrypt the payload securely,

  • Authenticate the ciphertext and optional AAD,

  • Obfuscate the key and nonce values.

This combination is also faster than some implementations where AES is the main algorithm.