Re: [kmip] ChaCha20 question, Block Counter?

[Bruce Rich <bar@cryptsoft.com>]

Mark,

Since no one else is stepping up to the bar withÂfacts, I'll venture an opinion.

ChaCha evolved over time (original paper is here http://cr.yp.to/chacha/chacha-20080128.pdf, from 2008). I believe the original block number was 64-bits and the IV was 64-bits.

RFC7539 changed some things, including dialing the block number down to 32-bits and upping the IV to 96-bits (but cryptographically the same, as the total is still 128-bits). And that variant might be called ChaCha20, or at least that's how it's been dealt with by some (like BouncyCastle, which has a ChaChaEngine and ChaCha20Engine). I believe early OpenSSL usage of ChaCha20 (pre-RFC7539) matches BouncyCastle'sÂChaCha.

For these vintage test vectors, I suspect that the counter would initialize at 1 if the combined "IV/Counter/Nonce" input were only 64 bits. But I have to admit that I'm theorizing here, as I don't know what the implementations are actually doing. I do know that BouncyCastle's ChaCha handles these tests just fine (which is why I didn't pursue the matter further). More challenging use cases might start with some block other than 1...

Bruce

On Wed, Apr 7, 2021 at 6:40 PM Mark Joseph <mark@p6r.com> wrote:

Hi,

Where does the Block Counter go in the request below? ÂThe IVCounterNonce is 64 bits which is the smallest defined IV for ChaCha20.ÂÂ

 Â

(From test caseÂCS-BC-M-CHACHA20-1-21.xml)

Â<BatchItem>

  <Operation type="Enumeration" value="Encrypt"/>

  <RequestPayload>

   <UniqueIdentifier type="TextString" value="$UNIQUE_IDENTIFIER_0"/>

   <CryptographicParameters>

   </CryptographicParameters>

   <Data type="ByteString" value="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"/>

   <IVCounterNonce type="ByteString" value="0000000000000000"/>

  </RequestPayload>

 </BatchItem>

Thanks,

Mark Joseph

P6R, Inc

408-205-0361