Proposal: ChaCha20 and ChaCha20-Poly1305 Cipher implementations

Adam Petcher adam.petcher at
Thu Jan 25 19:45:00 UTC 2018

On 1/25/2018 12:20 PM, Jamil Nimeh wrote:

> Wrap and Unwrap: I have not been able to find a standardized 
> wrap/unwrap format for ChaCha20 similar to RFC 3394 for AES. Right now 
> the wrap() and unwrap() methods just take the encoding of the key to 
> be wrapped and encrypt or decrypt it, respectively. If anyone is 
> aware of a wrapping format for ChaCha20 please let me know.  My 
> searches have so far come up empty.

I haven't found any standards for key wrap with ChaCha20, either. Until 
these standards are developed, I think the implementation should throw 
an exception when wrap/unwrap is requested.

The problems with simply encrypting are:

* No integrity protection in bare ChaCha20
* Need to generate a random nonce on wrap---this violates common 
expectations about key wrap algorithms
* Not standard, so there is potential for confusion about what the key 
wrap algorithm is actually doing
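
The first point in the list above, shown as an added example that is not part of the original message or of the proposed implementation: a key "wrapped" by plain ChaCha20 encryption unwraps without error after the blob is modified, while ChaCha20-Poly1305 rejects the same modification. It assumes the `ChaCha20` and `ChaCha20-Poly1305` Cipher names and `ChaCha20ParameterSpec` as available in JDK 11 and later; the class name `BareChaCha20WrapDemo` and its helpers are hypothetical.

```java
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.ChaCha20ParameterSpec;
import javax.crypto.spec.IvParameterSpec;

public class BareChaCha20WrapDemo {
    // "Wrap by encrypting": run the cipher over the encoded key bytes.
    static byte[] crypt(String alg, int mode, SecretKey kek,
                        AlgorithmParameterSpec spec, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance(alg);
        c.init(mode, kek, spec);
        return c.doFinal(in);
    }

    // Both modes need a nonce that never repeats under one key, and the
    // nonce has to be stored next to the wrapped blob to unwrap it later.
    static byte[] freshNonce() {
        byte[] n = new byte[12];
        new SecureRandom().nextBytes(n);
        return n;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256);
        byte[] keyToWrap = aes.generateKey().getEncoded(); // constructed sample key
        KeyGenerator kg = KeyGenerator.getInstance("ChaCha20");

        // Bare ChaCha20: a modified blob decrypts without any error.
        SecretKey kek1 = kg.generateKey();
        AlgorithmParameterSpec bare = new ChaCha20ParameterSpec(freshNonce(), 1);
        byte[] blob = crypt("ChaCha20", Cipher.ENCRYPT_MODE, kek1, bare, keyToWrap);
        blob[0] ^= 0x01; // stands in for corruption or tampering at rest
        byte[] out = crypt("ChaCha20", Cipher.DECRYPT_MODE, kek1, bare, blob);
        System.out.println("bare ChaCha20: no exception, key intact = "
                + Arrays.equals(out, keyToWrap));

        // ChaCha20-Poly1305: the tag check fails on the same modification.
        SecretKey kek2 = kg.generateKey();
        AlgorithmParameterSpec aead = new IvParameterSpec(freshNonce());
        byte[] sealed = crypt("ChaCha20-Poly1305", Cipher.ENCRYPT_MODE, kek2, aead, keyToWrap);
        sealed[0] ^= 0x01;
        try {
            crypt("ChaCha20-Poly1305", Cipher.DECRYPT_MODE, kek2, aead, sealed);
            System.out.println("AEAD: modification not detected");
        } catch (AEADBadTagException e) {
            System.out.println("AEAD: modified blob rejected");
        }
    }
}
```

The AEAD mode addresses only the integrity point; it still needs a fresh nonce per wrap and is not a standardized key wrap format.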

