RFR: ChaCha20 and ChaCha20/Poly1305 Cipher implementations

Jamil Nimeh jamil.j.nimeh at oracle.com
Fri Apr 13 18:59:53 UTC 2018

Round 3 of updates for ChaCha20 and ChaCha20-Poly1305:

* Removed the key field in ChaCha20 and Poly1305 implementations and 
only retain the key bytes as an object field (thanks Thomas for catching 

* Added additional protections against key/nonce reuse.  This is a 
behavioral change to ChaCha20 and ChaCha20-Poly1305.  Instances of these 
ciphers will no longer allow you to do subsequent doUpdate/doFinal calls 
after the first doFinal without re-initializing the cipher with either a 
new key or nonce. Attempting to reuse the cipher without a new 
initialization will throw an IllegalStateException.  This is similar to 
the behavior of AES-GCM in encrypt mode, but for ChaCha20 it needs to be 
done for both encrypt and decrypt.



On 04/10/2018 03:34 PM, Jamil Nimeh wrote:
> Hello everyone,
> This is a quick update to the previous webrev:
> * When using the form of engineInit that only takes op, key and 
> random, the nonce will always be random even if the random parameter 
> is null.  A default instance of SecureRandom will be used to create 
> the nonce in this case, instead of all zeroes.
> * Unused debug code was removed from the ChaCha20Cipher.java file
> * ChaCha20Parameters.engineToString no longer obtains the line 
> separator from a System property directly.  It calls 
> System.lineSeparator() similar to how other AlgorithmParameter classes 
> in com.sun.crypto.provider do it.
> http://cr.openjdk.java.net/~jnimeh/reviews/8153028/webrev.02/
> Thanks,
> --Jamil
> On 03/26/2018 12:08 PM, Jamil Nimeh wrote:
>> Hello all,
>> This is a request for review for the ChaCha20 and ChaCha20-Poly1305 
>> cipher implementations.  Links to the webrev and the JEP which 
>> outlines the characteristics and behavior of the ciphers are listed 
>> below.
>> http://cr.openjdk.java.net/~jnimeh/reviews/8153028/webrev.01/
>> http://openjdk.java.net/jeps/329
>> Thanks,
>> --Jamil
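The reuse guard described in the Round 3 notes above, shown from the caller's side as an added illustration (this is not code from the webrev; it assumes a JDK whose provider ships the JEP 329 ciphers, i.e. JDK 11 or later, and that a second doFinal without re-initialization raises IllegalStateException as the notes state):

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class ChaCha20ReuseGuard {
    // Constructed sample plaintext; not taken from the review thread.
    private static final byte[] MSG = "reuse guard demo".getBytes(StandardCharsets.UTF_8);

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("ChaCha20").generateKey(); // 256-bit key
        SecureRandom rnd = new SecureRandom();
        byte[] nonce = new byte[12];                                        // 96-bit nonce
        rnd.nextBytes(nonce);

        // ChaCha20-Poly1305 takes its nonce via IvParameterSpec (JEP 329).
        Cipher enc = Cipher.getInstance("ChaCha20-Poly1305");
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(nonce));
        byte[] ct = enc.doFinal(MSG); // ciphertext followed by the 16-byte Poly1305 tag

        // A second doFinal on the same instance would restart the key stream from
        // the same (key, nonce) pair, so the provider refuses it.
        try {
            enc.doFinal(MSG);
            System.out.println("reuse NOT blocked");
        } catch (IllegalStateException e) {
            System.out.println("encrypt reuse blocked: " + e.getMessage());
        }

        // Re-initializing with a fresh nonce under the same key is the supported path.
        rnd.nextBytes(nonce);
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(nonce));
        ct = enc.doFinal(MSG);

        // Unlike AES-GCM, the same rule applies on the decrypt side.
        Cipher dec = Cipher.getInstance("ChaCha20-Poly1305");
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(nonce));
        byte[] pt = dec.doFinal(ct);
        System.out.println("round trip ok: " + Arrays.equals(pt, MSG));
        try {
            dec.doFinal(ct);
            System.out.println("decrypt reuse NOT blocked");
        } catch (IllegalStateException e) {
            System.out.println("decrypt reuse blocked: " + e.getMessage());
        }
    }
}
```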
