ChaCha20-Poly1305

ChaCha20-Poly1305 is an authenticated encryption with additional data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. Its usage in IETF protocols is standardized in RFC 8439. It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.

History
The two building blocks of the construction, the algorithms Poly1305 and ChaCha20, were both independently designed, in 2005 and 2008, by Daniel J. Bernstein.

In 2013–2014, a variant of the original ChaCha20 algorithm (using 32-bit counter and 96-bit nonce) and a variant of the original Poly1305 (authenticating 2 strings) were combined in an IETF draft to be used in TLS and DTLS, and chosen by Google, for security and performance reasons, as a newly supported cipher. Shortly after Google's adoption for TLS, ChaCha20, Poly1305 and the combined AEAD mode are added to OpenSSH via the authenticated encryption cipher  but kept the original 64-bit counter and 64-bit nonce for the ChaCha20 algorithm.

In 2015, the AEAD algorithm is standardized in RFC 7539 and RFC 7905 to be used in TLS 1.2 and DTLS 1.2 and in RFC 7634 to be used in IPsec. The same year, it was integrated by Cloudflare as an alternative ciphersuite.

In June 2018, the RFC 7539 was updated and replaced by RFC 8439.

Description
The ChaCha20-Poly1305 algorithm as described in RFC 8439 takes as input a 256-bit key and a 96-bit nonce to encrypt a plaintext, with a ciphertext expansion of 128-bit (the tag size). In the ChaCha20-Poly1305 construction, ChaCha20 is used in counter mode to derive a key stream that is XORed with the plaintext. The ciphertext and the associated data is then authenticated using a variant of Poly1305 that first encodes the two strings into one. The way that a cipher and a one time authenticator are combined is precisely identical to AES-GCM construction in how the first block is used to seed the authenticator and how the ciphertext is then authenticated with a 16-byte tag.

The main external difference with ChaCha20 is its 64 byte (512 bit) block size, in comparison to 16 bytes (128 bit) with both AES-128 and AES-256. The larger block size enables higher performance on modern CPUs and allows for larger streams before the 32 bit counter overflows.



XChaCha20-Poly1305 – extended nonce variant
The XChaCha20-Poly1305 construction is an extended 192-bit nonce variant of the ChaCha20-Poly1305 construction, using XChaCha20 instead of ChaCha20. When choosing nonces at random, the XChaCha20-Poly1305 construction allows for better security than the original construction. The draft attempt to standardize the construction expired in July 2020.

Salsa20-Poly1305 and XSalsa20-Poly1305
Salsa20-Poly1305 and XSalsa20-Poly1305 are variants of the ChaCha20-Poly1305 and XChaCha20-Poly1305 algorithms, using Salsa20 and XSalsa20 in place of ChaCha20 and XChaCha20. They are implemented in NaCl and libsodium but not standardized. The variants using ChaCha are preferred in practice as they provide better diffusion per round than Salsa.

Reduced-round variants
ChaCha20 can be replaced with its reduced-round variants ChaCha12 and ChaCha8, yielding ChaCha12-Poly1305 and ChaCha8-Poly1305. The same modification can be applied to XChaCha20-Poly1305. These are implemented by the RustCrypto team and not standardized.

Use
ChaCha20-Poly1305 is used in IPsec, SSH, TLS 1.2, DTLS 1.2, TLS 1.3, WireGuard, S/MIME 4.0, OTR v4 and multiple other protocols and implemented in OpenSSL and libsodium. Additionally, the algorithm is used in the backup software Borg in order to provide standard data encryption and in the copy-on-write filesystem Bcachefs for the purpose of optional whole filesystem encryption.

Performance
ChaCha20-Poly1305 usually offers better performance than the more prevalent AES-GCM algorithm Encryption and decryption speeds with software implementations are already above 1 GB/s when done on a single core, scaling up almost linearly if more cores are used in parallel. AES-NI reaches roughly same speed on a single core but does not scale as well to multiple CPUs, and without the instruction set extension it is difficult to implement efficiently. As a result, ChaCha20-Poly1305 is sometimes preferred over AES-GCM due to its similar levels of security and in certain use cases involving mobile devices, which mostly use ARM-based CPUs. Because ChaCha20-Poly1305 has less overhead than AES-GCM, ChaCha20-Poly1305 on mobile devices may consume less power than AES-GCM.

Security
The ChaCha20-Poly1305 construction is generally secure in the standard model and the ideal permutation model, for the single- and multi-user setting. However, similarly to GCM, the security relies on choosing a unique nonce for every message encrypted. Compared to AES-GCM, implementations of ChaCha20-Poly1305 are less vulnerable to timing attacks.

To be noted, when the SSH protocol uses ChaCha20-Poly1305 as underlying primitive, it is vulnerable to the Terrapin attack.