Proposal: ChaCha20 and ChaCha20-Poly1305 Cipher implementations

Jamil Nimeh jamil.j.nimeh at
Thu Jan 25 20:29:08 UTC 2018

On 1/25/2018 11:45 AM, Adam Petcher wrote:
> On 1/25/2018 12:20 PM, Jamil Nimeh wrote:
>> Wrap and Unwrap: I have not been able to find a standardized 
>> wrap/unwrap format for ChaCha20 similar to RFC 3394 for AES. Right 
>> now the wrap() and unwrap() methods just take the encoding of the key 
>> to be wrapped and encrypts or decrypts them respectively.  If anyone 
>> is aware of a wrapping format for ChaCha20 please let me know.  My 
>> searches have so far come up empty.
> I haven't found any standards for key wrap with ChaCha20, either. 
> Until these standards are developed, I think the implementation should 
> throw an exception when wrap/unwrap is requested.
> The problems with simply encrypting are:
> * No integrity protection in bare ChaCha20
> * Need to generate a random nonce on wrap---this violates common 
> expectations about key wrap algorithms
> * Not standard, so there is potential for confusion about what the key 
> wrap algorithm is actually doing
Yeah, that makes sense to me.  Unless we find that there is some 
standardized format for wrap/unwrap I'll have it throw 


More information about the security-dev mailing list