xref: /openbsd/lib/libcrypto/man/ChaCha.3 (revision 73471bf0) 
1.\" $OpenBSD: ChaCha.3,v 1.2 2020/06/24 18:15:00 jmc Exp $
2.\"
3.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
4.\"
5.\" Permission to use, copy, modify, and distribute this software for any
6.\" purpose with or without fee is hereby granted, provided that the above
7.\" copyright notice and this permission notice appear in all copies.
8.\"
9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.\"
17.Dd $Mdocdate: June 24 2020 $
18.Dt CHACHA 3
19.Os
20.Sh NAME
21.Nm ChaCha_set_key ,
22.Nm ChaCha_set_iv ,
23.Nm ChaCha ,
24.Nm CRYPTO_chacha_20 ,
25.Nm CRYPTO_hchacha_20 ,
26.Nm CRYPTO_xchacha_20
27.Nd ChaCha20 stream cipher
28.Sh SYNOPSIS
29.In openssl/chacha.h
30.Ft void
31.Fo ChaCha_set_key
32.Fa "ChaCha_ctx *ctx"
33.Fa "const unsigned char *key"
34.Fa "unsigned int keybits"
35.Fc
36.Ft void
37.Fo ChaCha_set_iv
38.Fa "ChaCha_ctx *ctx"
39.Fa "const unsigned char *iv"
40.Fa "const unsigned char *counter"
41.Fc
42.Ft void
43.Fo ChaCha
44.Fa "ChaCha_ctx *ctx"
45.Fa "unsigned char *out"
46.Fa "const unsigned char *in"
47.Fa "size_t len"
48.Fc
49.Ft void
50.Fo CRYPTO_chacha_20
51.Fa "unsigned char *out"
52.Fa "const unsigned char *in"
53.Fa "size_t len"
54.Fa "const unsigned char key[32]"
55.Fa "const unsigned char iv[8]"
56.Fa "uint64_t counter"
57.Fc
58.Ft void
59.Fo CRYPTO_hchacha_20
60.Fa "unsigned char out[32]"
61.Fa "const unsigned char key[32]"
62.Fa "const unsigned char iv[16]"
63.Fc
64.Ft void
65.Fo CRYPTO_xchacha_20
66.Fa "unsigned char *out"
67.Fa "const unsigned char *in"
68.Fa "size_t len"
69.Fa "const unsigned char key[32]"
70.Fa "const unsigned char iv[24]"
71.Fc
72.Sh DESCRIPTION
73These functions provide a low-level implementation
74of the ChaCha stream cipher with 256 and 128-bit keys.
75The number of rounds is hardcoded to 20;
76variants with 8 or 12 rounds are not supported.
77.Pp
78Instead of using these functions directly,
79application programs normally use the more portable
80.Xr EVP_chacha20 3
81high-level interface.
82.Pp
83The ChaCha state is contained in the
84.Vt ChaCha_ctx
85structure and consists of sixteen 32-bit unsigned integers.
86.Pp
87For the recommended value of 256
88.Fa keybits ,
89.Fn ChaCha_set_key
90copies 32 bytes (256 bits) from
91.Fa key
92to the middle eight integers of the ChaCha state,
93using little endian order for each integer.
94For the alternative value of 128
95.Fa keybits ,
96only 16 bytes (128 bits) are copied from
97.Fa key
98to the ChaCha state, but they are copied twice,
99once to the second quarter and once to the third quarter.
100The first quarter of the ChaCha state is set to four constant integers;
101these constants differ depending on whether
102.Fa keybits
103is 128 or 256.
104The last quarter of the ChaCha state remains unchanged.
105.Pp
106.Fn ChaCha_set_iv
107copies eight bytes (64 bits) from
108.Fa counter
109and eight bytes (64 bits) from
110.Fa iv
111to the last quarter of the ChaCha state, the counter to the first
112two integers and the initialization vector to the last two integers,
113again in little endian order.
114If
115.Fa counter
116is
117.Dv NULL ,
118the two respective integers are set to 0 instead.
119The first three quarters of the ChaCha state remain unchanged.
120.Pp
121.Fn ChaCha
122encrypts
123.Fa len
124bytes of data from
125.Fa in
126to
127.Fa out
128using the
129.Fa ctx
130that was previously set up with
131.Fn ChaCha_set_key
132and
133.Fn ChaCha_set_iv .
134Providing an
135.Fa out
136buffer of at least
137.Fa len
138bytes is the responsibility of the caller.
139This function can be called multiple times in a row with varying
140.Fa len
141arguments.
142The
143.Fa len
144does not need to be a multiple of 64.
145.Pp
146.Fn CRYPTO_chacha_20
147encrypts
148.Fa len
149bytes of data from
150.Fa in
151to
152.Fa out
153in a one-shot operation, using the given
154.Fa key
155and
156.Fa iv
157as described for
158.Fn ChaCha_set_key
159and
160.Fn ChaCha_set_iv
161and copying the less significant half of
162.Fa counter
163to the first counter integer in the initial ChaCha state
164and the more significant half to the second integer.
165Providing an
166.Fa out
167buffer of at least
168.Fa len
169bytes is again the responsibility of the caller.
170The maximum supported value for
171.Fa len
172is 2^32 \- 1.
173.Pp
174XChaCha is a variant of ChaCha designed to support longer nonces,
175just like XSalsa20 is a variant of Salsa20 supporting longer nonces.
176.Pp
177.Fn CRYPTO_xchacha_20
178encrypts
179.Fa len
180bytes of data from
181.Fa in
182to
183.Fa out
184in a one-shot operation with the XChaCha algorithm, using the given
185.Fa key
186and
187.Fa iv .
188It is equivalent to
189.Fn CRYPTO_chacha_20
190with the last third of
191.Fa iv ,
192a
193.Fa counter
194of 0, and a key generated with
195.Fn CRYPTO_hchacha_20
196from the first two thirds of
197.Fa iv .
198.Sh SEE ALSO
199.Xr crypto 3 ,
200.Xr EVP_chacha20 3
201.Rs
202.%A Daniel J. Bernstein
203.%T ChaCha, a variant of Salsa20
204.%U http://cr.yp.to/chacha/chacha-20080128.pdf
205.%C Chicago
206.%D January 28, 2008
207.Re
208.Rs
209.%A Daniel J. Bernstein
210.%T Extending the Salsa20 nonce
211.%U https://cr.yp.to/snuffle/xsalsa-20110204.pdf
212.%C Chicago
213.%D August 22, 2017
214.Re
215.Sh STANDARDS
216RFC 8439: ChaCha20 and Poly1305 for IETF Protocols
217.Pp
218Note that the standard specifies
219a 32-bit counter and a 96-bit initialization vector whereas
220this implementation follows Bernstein's original specification
221and uses a 64-bit counter and a 64-bit initialization vector.
222.Pp
223These functions are specific to LibreSSL and not provided by OpenSSL.
224BoringSSL does provide
225.Fn CRYPTO_chacha_20 ,
226but with an incompatible interface, taking a 96-bit
227.Fa iv
228and a 32-bit
229.Fa counter .
230.Sh HISTORY
231.Fn ChaCha_set_key ,
232.Fn ChaCha_set_iv ,
233.Fn ChaCha ,
234and
235.Fn CRYPTO_chacha_20
236first appeared in
237.Ox 5.6 .
238.\" Committed on May 1, 2014.
239.\" BoringSSL added CRYPTO_chacha_20 on June 20, 2014.
240.Pp
241.Fn CRYPTO_hchacha_20
242and
243.Fn CRYPTO_xchacha_20
244first appeared in
245.Ox 6.5 .
246.Sh AUTHORS
247.An -nosplit
248This implementation was written by
249.An Daniel J. Bernstein Aq Mt djb@cr.yp.to .
250The API layer was added by
251.An Joel Sing Aq Mt jsing@openbsd.org
252for ChaCha, and for XChaCha by
253.An David Gwynne Aq Mt dlg@openbsd.org .
254