#94 new enhancement

add ChaCha

Reported by: zooko Owned by: dawuud
Priority: major Milestone:
Version: 0.5.29 Keywords:
Cc: Launchpad Bug:

Description

The ChaCha cipher (http://cr.yp.to/chacha.html) is very promising. It is a close relative of Salsa20, served as the core of BLAKE and BLAKE2 hash functions, and is currently a candidate for a standard cipher for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01

Let's include an implementation of ChaCha in pycryptopp, so that Tahoe-LAFS has the option of using ChaCha for the Hundred Year Crypto project: https://tahoe-lafs.org/trac/tahoe-lafs/wiki/OneHundredYearCryptography

It would be great if Wei Dai wanted to implement and maintain ChaCha in Crypto++, but he has been minimally active on Crypto++ for a long time now and I don't expect him to do that. It would also be great if Jack Lloyd wanted to implement it in Botan http://botan.randombit.net/ and help us use it. That would be great, because Jack is actively maintaining Botan and he has helped us out in the past with this project. Another implementation of ChaCha: DJB's reference implementation: http://cr.yp.to/chacha.html

We don't need high optimization for this release! A portable, well-written, well-examined, well-tested implementation would be far preferable for deployment and safety reasons over an optimized implementation.

Change History (11)

comment:1 Changed at 2013-09-30T14:16:26Z by zooko

The ticket to add XSalsa20 into LAFS is Tahoe-LAFS ticket #1164. I'd like to use ChaCha instead of XSalsa20, now. (Because, since we chose XSalsa20 a while back, the BLAKE2 project and the include-ChaCha-in-TLS proposal have come along.)

comment:2 Changed at 2013-09-30T14:44:19Z by nickm

You can also use the XSalsa20 construction (the nonce extender that makes Salsa into XSalsa) with ChaCha.

As for implementation choice, I had occasion to look around for one recently. For a simple obvious C implementation, the "merged" implementation from SUPERCOP is a good choice. The "krovetz" implementation from SUPERCOP is a good C+SIMD implementation; it gives good performance on Intel, ARM, and PowerPC chips with vector instructions. (It's competitive with the assembly implementations on those systems where it runs.) These both need a little glue code to work, but only a little. Both are public domain.

In libottery, I wrote a minimal pure-Python ChaCha implementation as part of the tests; you might want to grab that for testing, though I wouldn't recommend it for real cryptography.

comment:3 follow-up: Changed at 2013-12-03T19:39:56Z by lally

I put together a binding against DJB's reference implementation this past weekend. Hopefully, expect a pull request this weekend on this. If there's another impl you'd prefer, let me know.

comment:4 in reply to: ↑ 3 Changed at 2013-12-03T21:56:34Z by zooko

Replying to lally:

I put together a binding against DJB's reference implementation this past weekend. Hopefully, expect a pull request this weekend on this. If there's another impl you'd prefer, let me know.

Awesome! Thanks. DJB's reference implementation sounds good to me. Note that nickm later pointed out in a Tahoe-LAFS Weekly Dev Chat conference call that we don't need the extended nonce since we use a unique key for every encryption. So we can just use standard ChaCha20.

comment:5 Changed at 2016-07-06T15:37:39Z by zooko

Now that ChaCha20 is in Crypto++ (https://github.com/weidai11/cryptopp/blob/433f2d65669d85e9745e32e584c569699c44297c/chacha.cpp) and Jeffrey Walton is doing a lot of maintenance work on Crypto++ (http://cryptopp.com/release563.html), I recommend we use that implementation.

comment:6 Changed at 2016-08-02T11:47:43Z by dawuud

in another ticket https://tahoe-lafs.org/trac/pycryptopp/ticket/100 i've gotten pycryptopp to build and pass tests using the latest stable tag of cryptopp. in order to use cryptopp's latest chacha20 should i simply build pycryptopp with that commit id? or tip? or cherry-pick it into the stable branch?

comment:7 Changed at 2016-08-03T13:33:43Z by dawuud

here's my latest progress:
https://github.com/tahoe-lafs/pycryptopp/pull/30

it builds and passes all tests. that dev branch includes the latest crypto++ master branch and i've added the files for chacha20 and blake2.

all we have to do now is write the c glue so blake2 and chacha20 are accessible from python.

comment:8 Changed at 2016-08-03T13:37:24Z by dawuud

  • Owner set to dawuud

comment:9 Changed at 2016-08-11T17:00:44Z by dawuud

here some more progress; derived the c/python glue from the salsa20 source files by search/replace strings. anyhow it currently appears to be working and needs the python tests to be fixed:

https://github.com/tahoe-lafs/pycryptopp/pull/31

comment:10 Changed at 2016-08-12T00:59:49Z by dawuud

in PR 31 i've pushed some more commits that fix the tests. i've also verified using pysodium that the python unit test outputs match that of pysodium's chacha20

ready for review and merge ;-)

comment:11 Changed at 2016-10-12T16:50:51Z by dawuud

rebased onto upstream master in a new pull-request here:
https://github.com/tahoe-lafs/pycryptopp/pull/34

I forced a buildbot build and it fails on some of them:

https://tahoe-lafs.org/buildbot-pycryptopp/builders/wily%2015.10%20syslib/builds/7/steps/compile/logs/stdio

looks like it fails on platforms that build with -DDISABLE_EMBEDDED_CRYPTOPP=1

Note: See TracTickets for help on using tickets.