RFR: ChaCha20 and ChaCha20/Poly1305 Cipher implementations

Jamil Nimeh jamil.j.nimeh at oracle.com
Fri Apr 27 21:21:08 UTC 2018


Round 4 of updates for ChaCha20 and ChaCha20-Poly1305, minor stuff mostly:

  * Added words in the description of javax.crypto.Cipher recommending
    callers reinitialize the Cipher to use different nonces after each
    complete encryption or decryption (similar language to what exists
    already for AES-GCM encryption).
  * Added an additional test case for ChaCha20NoReuse
  * Made accessor methods for ChaCha20ParameterSpec final and cleaned up
    the code a bit based on comments from the field.

http://cr.openjdk.java.net/~jnimeh/reviews/8153028/webrev.04/

Thanks!

--Jamil


On 04/13/2018 11:59 AM, Jamil Nimeh wrote:
> Round 3 of updates for ChaCha20 and ChaCha20-Poly1305:
>
> * Removed the key field in ChaCha20 and Poly1305 implementations and 
> only retain the key bytes as an object field (thanks Thomas for 
> catching this)
>
> * Added additional protections against key/nonce reuse.  This is a 
> behavioral change to ChaCha20 and ChaCha20-Poly1305.  Instances of 
> these ciphers will no longer allow you to do subsequent 
> doUpdate/doFinal calls after the first doFinal without re-initializing 
> the cipher with either a new key or nonce. Attempting to reuse the 
> cipher without a new initialization will throw an 
> IllegalStateException.  This is similar to the behavior of AES-GCM in 
> encrypt mode, but for ChaCha20 it needs to be done for both encrypt 
> and decrypt.
>
> http://cr.openjdk.java.net/~jnimeh/reviews/8153028/webrev.03/
>
> Thanks,
> --Jamil
>
> On 04/10/2018 03:34 PM, Jamil Nimeh wrote:
>> Hello everyone,
>>
>> This is a quick update to the previous webrev:
>>
>> * When using the form of engineInit that does only takes op, key and 
>> random, the nonce will always be random even if the random parameter 
>> is null.  A default instance of SecureRandom will be used to create 
>> the nonce in this case, instead of all zeroes.
>>
>> * Unused debug code was removed from the ChaCha20Cipher.java file
>>
>> * ChaCha20Parameters.engineToString no longer obtains the line 
>> separator from a System property directly.  It calls 
>> System.lineSeparator() similar to how other AlgorithmParameter 
>> classes in com.sun.crypto.provider do it.
>>
>> http://cr.openjdk.java.net/~jnimeh/reviews/8153028/webrev.02/
>>
>> Thanks,
>>
>> --Jamil
>>
>>
>> On 03/26/2018 12:08 PM, Jamil Nimeh wrote:
>>> Hello all,
>>>
>>> This is a request for review for the ChaCha20 and ChaCha20-Poly1305 
>>> cipher implementations.  Links to the webrev and the JEP which 
>>> outlines the characteristics and behavior of the ciphers are listed 
>>> below.
>>>
>>> http://cr.openjdk.java.net/~jnimeh/reviews/8153028/webrev.01/
>>> http://openjdk.java.net/jeps/329
>>>
>>> Thanks,
>>> --Jamil
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20180427/5f309264/attachment.htm>


More information about the security-dev mailing list