Re: [kmip] ChaCha20 question, Block Counter?

Mark,

Since no one else is stepping up to the bar with facts, I'll venture an opinion.

ChaCha evolved over time (original paper is here http://cr.yp.to/chacha/chacha-20080128.pdf, from 2008). I believe the original block number was 64-bits and the IV was 64-bits.

RFC7539 changed some things, including dialing the block number down to 32-bits and upping the IV to 96-bits (but cryptographically the same, as the total is still 128-bits). And that variant might be called ChaCha20, or at least that's how it's been dealt with by some (like BouncyCastle, which has a ChaChaEngine and ChaCha20Engine). I believe early OpenSSL usage of ChaCha20 (pre-RFC7539) matches BouncyCastle's ChaCha.

For these vintage test vectors, I suspect that the counter would initialize at 1 if the combined "IV/Counter/Nonce" input were only 64 bits. But I have to admit that I'm theorizing here, as I don't know what the implementations are actually doing. I do know that BouncyCastle's ChaCha handles these tests just fine (which is why I didn't pursue the matter further). More challenging use cases might start with some block other than 1...

Bruce

On Wed, Apr 7, 2021 at 6:40 PM Mark Joseph <mark@p6r.com> wrote:

Hi,

Where does the Block Counter go in the request below? The IVCounterNonce is 64 bits which is the smallest defined IV for ChaCha20.

(From test case CS-BC-M-CHACHA20-1-21.xml)

<BatchItem>
<Operation type="Enumeration" value="Encrypt"/>
<RequestPayload>
<UniqueIdentifier type="TextString" value="$UNIQUE_IDENTIFIER_0"/>
<CryptographicParameters>
</CryptographicParameters>
<Data type="ByteString" value="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"/>
<IVCounterNonce type="ByteString" value="0000000000000000"/>
</RequestPayload>
</BatchItem>

Thanks,
Mark Joseph
P6R, Inc
408-205-0361

kmip message