
proposal: x/crypto/chacha20poly1305: add support for XChaCha20 #23885

Closed
cyphar opened this issue Feb 17, 2018 · 9 comments
Labels
FrozenDueToAge Proposal Proposal-Accepted Proposal-Crypto Proposal related to crypto packages or other security issues
Milestone

Comments

@cyphar

cyphar commented Feb 17, 2018

Currently golang.org/x/crypto/chacha20poly1305 only supports the IETF ChaCha20, which has a nonce size of 96 bits. However, according to the folks from libsodium, this nonce size is too short to allow you to use random nonces.
However, XChaCha20 (which has an extended nonce size of 192 bits, but uses the same underlying construction from my non-cryptographer understanding) has a long enough nonce that random nonces are safe. Here's the quote from libsodium:

Unlike plain ChaCha20, the nonce is 192 bits long, so that generating a random nonce for every message is safe. If the output of the PRNG is indistinguishable from random data, the probability for a collision to happen is negligible.

Is there any interest or plan to implement XChaCha20 support? I've found some third-party libraries, but I don't trust them as much as I'd trust golang.org/x/crypto maintainers.

@bradfitz bradfitz changed the title [feature] x/crypto/chacha20poly1305: add support for XChaCha20? x/crypto/chacha20poly1305: add support for XChaCha20? Feb 17, 2018
@cyphar
Author

cyphar commented Feb 17, 2018

In addition, XChaCha20 also appears to not have the message length or number restrictions that ChaCha20 does:

The XChaCha20 variant, introduced in libsodium 1.0.12. It can safely encrypt a practically unlimited number of messages of any sizes, and random nonces are safe to use.

@dgryski
Contributor

dgryski commented Feb 17, 2018

The version at https://godoc.org/github.com/aead/chacha20 was written by @aead who has crypto code in the standard library and /x/crypto.

@cyphar
Author

cyphar commented Feb 17, 2018

Is there a strong reason why it hasn't been included in /x/crypto (or was it just that nobody has had the time to work on it)?

(For others' reference, https://github.com/aead/chacha20poly1305 is a full AEAD implementation using @aead's chacha20 library that supports XChaCha20.)

@jedisct1

Broader support for XChaCha would indeed be great.

A longer nonce can prevent foot-shooting with custom protocols, and XChaCha is trivial to add to an existing ChaCha implementation.

@aead
Contributor

aead commented Feb 17, 2018

@cyphar IIRC the main focus of the C20P1305 implementation in x/crypto is TLS. For example there is special asm code for TLS. I think XC20P1305 is useful if:

  • you want to en/decrypt many messages under the same key.
    This is probably useful if you're en/decrypting many messages while the nonce cannot be some kind of counter. I think that's a valid use case - even though I don't know whether it's a common one.
  • you want to en/decrypt very long messages (longer than ~ 64 * 2^32).
    However, I don't think that this is a valid use case at the moment since cipher.AEAD requires the message to be in RAM. I don't think en/decrypting more than 256 GB under the same key-nonce pair is common; esp. if the whole data must be in RAM.

If this is a proposal/feature request - I think adding XC20P1305 may be useful. We may have to think about a clean API and add hchacha20 functionality. If anyone wants to send a CL - feel free to use any code of https://github.com/aead/chacha20poly1305 and https://github.com/aead/chacha20

However I cannot make any decision about proposals - so check with Adam and/or Filippo.

@FiloSottile
Contributor

We tend to avoid variant proliferation in x/crypto, but an AEAD supporting random nonces is something I do eventually want in the standard library. (See also gtank/cryptopasta#14.)

I guess the API would just be NewX(key []byte) (cipher.AEAD, error).

However, maybe we should just wait for SIV.
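To make concrete what aead's "add hchacha20 functionality" and the `NewX(key []byte)` API sketched above actually involve, here is an added, self-contained Go example (not code from this thread, from x/crypto, or from the aead repositories). It implements the HChaCha20 subkey derivation from the ChaCha quarter-round using only the standard library, then shows how a 24-byte XChaCha20 nonce is split: the first 16 bytes go into HChaCha20 to derive a fresh 256-bit subkey, and the remaining 8 bytes become the low part of a 12-byte IETF nonce, so the existing ChaCha20-Poly1305 code can be reused unchanged under (subkey, ietfNonce). The function and constant names are the example's own, and the key/nonce pair in `main` is the HChaCha20 known-answer vector from the CFRG XChaCha draft.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

const (
	KeySize    = 32 // ChaCha20 / XChaCha20 key
	NonceSizeX = 24 // XChaCha20 nonce: 16 bytes into HChaCha20, 8 bytes into ChaCha20
	NonceSize  = 12 // IETF ChaCha20 nonce consumed by the derived cipher
)

// quarterRound is the ChaCha quarter-round (RFC 8439 section 2.1).
func quarterRound(s *[16]uint32, a, b, c, d int) {
	s[a] += s[b]
	s[d] = bits.RotateLeft32(s[d]^s[a], 16)
	s[c] += s[d]
	s[b] = bits.RotateLeft32(s[b]^s[c], 12)
	s[a] += s[b]
	s[d] = bits.RotateLeft32(s[d]^s[a], 8)
	s[c] += s[d]
	s[b] = bits.RotateLeft32(s[b]^s[c], 7)
}

// HChaCha20 derives a 256-bit subkey from a 256-bit key and a 128-bit nonce.
// It uses the same initial state layout as ChaCha20 (constants, key, then the
// 16 nonce bytes in words 12..15), runs the 20 rounds, and returns words
// 0..3 and 12..15 WITHOUT the final feed-forward addition of the input state.
func HChaCha20(key, nonce []byte) ([]byte, error) {
	if len(key) != KeySize || len(nonce) != 16 {
		return nil, fmt.Errorf("hchacha20: need a 32-byte key and a 16-byte nonce")
	}
	var s [16]uint32
	s[0], s[1], s[2], s[3] = 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 // "expand 32-byte k"
	for i := 0; i < 8; i++ {
		s[4+i] = binary.LittleEndian.Uint32(key[4*i:])
	}
	for i := 0; i < 4; i++ {
		s[12+i] = binary.LittleEndian.Uint32(nonce[4*i:])
	}
	for i := 0; i < 10; i++ { // 10 double rounds = 20 rounds
		quarterRound(&s, 0, 4, 8, 12) // column rounds
		quarterRound(&s, 1, 5, 9, 13)
		quarterRound(&s, 2, 6, 10, 14)
		quarterRound(&s, 3, 7, 11, 15)
		quarterRound(&s, 0, 5, 10, 15) // diagonal rounds
		quarterRound(&s, 1, 6, 11, 12)
		quarterRound(&s, 2, 7, 8, 13)
		quarterRound(&s, 3, 4, 9, 14)
	}
	out := make([]byte, KeySize)
	for i, w := range []uint32{s[0], s[1], s[2], s[3], s[12], s[13], s[14], s[15]} {
		binary.LittleEndian.PutUint32(out[4*i:], w)
	}
	return out, nil
}

// XChaCha20Setup maps (key, 24-byte nonce) to the (subkey, 12-byte nonce) pair
// that an unmodified IETF ChaCha20-Poly1305 would then use for the message:
// subkey = HChaCha20(key, nonce[:16]), ietfNonce = 4 zero bytes || nonce[16:].
func XChaCha20Setup(key, nonce []byte) (subkey, ietfNonce []byte, err error) {
	if len(nonce) != NonceSizeX {
		return nil, nil, fmt.Errorf("xchacha20: nonce must be %d bytes", NonceSizeX)
	}
	subkey, err = HChaCha20(key, nonce[:16])
	if err != nil {
		return nil, nil, err
	}
	ietfNonce = make([]byte, NonceSize)
	copy(ietfNonce[4:], nonce[16:])
	return subkey, ietfNonce, nil
}

// RandomNonce draws the per-message 192-bit nonce that the libsodium quote in
// this thread describes as safe to pick at random.
func RandomNonce() ([]byte, error) {
	n := make([]byte, NonceSizeX)
	_, err := rand.Read(n)
	return n, err
}

func main() {
	// HChaCha20 known-answer vector from the CFRG XChaCha draft (section 2.2.1).
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	nonce, _ := hex.DecodeString("000000090000004a0000000031415927")
	sub, err := HChaCha20(key, nonce)
	if err != nil {
		panic(err)
	}
	fmt.Println("HChaCha20 subkey:", hex.EncodeToString(sub))
}
```

The design point worth noticing is that every message encrypted under a random 24-byte nonce is actually encrypted under a different ChaCha20 subkey, which is why the per-key message and nonce limits of plain ChaCha20 stop being the binding constraint; the 8-byte tail of the nonce is still fed to the regular cipher, so an implementation only has to add HChaCha20 and the 4-zero-byte nonce prefix in front of the code it already has.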

@FiloSottile FiloSottile added this to the Proposal milestone Feb 18, 2018
@FiloSottile FiloSottile changed the title x/crypto/chacha20poly1305: add support for XChaCha20? proposal: x/crypto/chacha20poly1305: add support for XChaCha20 Feb 18, 2018
@ianlancetaylor
Contributor

@FiloSottile Should this proposal be put on hold for now?

@rsc
Contributor

rsc commented Apr 20, 2018

See #24885.

@rsc rsc closed this as completed Apr 20, 2018
@dgryski
Contributor

dgryski commented Apr 20, 2018

Typo in bug number. I believe it should be #24485 .

@golang golang locked and limited conversation to collaborators Apr 20, 2019