[dpdk-dev] [RFC] Chacha20 Poly1305 Support

[dpdk-dev] [RFC] Chacha20 Poly1305 Support

[Kusztal, ArkadiuszX]

Hi,

due to increasing interest of crypto protocols in Chacha20-Poly1305 algorithm I would like to start discussion about adding it to cryptodev.
I would suggest adding something like:

@@ -348,6 +348,8 @@ enum rte_crypto_aead_algorithm {
             /**< AES algorithm in CCM mode. */
             RTE_CRYPTO_AEAD_AES_GCM,
             /**< AES algorithm in GCM mode. */
+            RTE_CRYPTO_AEAD_CHACHA20_POLY1305,
+            /**< Chacha20 encryption cipher with poly1305 authenticator */


In 'iv offset' of aead xform
+                           * - For Chacha20-Poly1305 it is 96-bit nonce. Initial counter
+                           * value for Chacha20 encryption is set by PMD to 1, meanwhile
+                            * for Poly1305 is set to 0 as per rfc7539 2.8. AEAD construction.

In 'iv length' of aead xform
+                           * - For Chacha20-Poly1305 this field is always 12.

It is AEAD instead of cipher + auth as rfc7539 explicitly specifies initial counters to one and zero with AEAD construction, which is not done
for Chacha and Poly separately. If in future someone would like to add these algorithms to cipher and auth enums additional field that holds initial counter
should be added as well.

I have tested it with openssl pmd implementation I have created for test purposes (Chacha Poly is supported since OpenSSL 1.1.0 version) which I may attach if needed.

(Sorry if I have not included someone in cc, please cc any interested person)

Regards,
Arek

Re: [dpdk-dev] [RFC] Chacha20 Poly1305 Support

[Trahe, Fiona]

Hi Arek,

------
From: Kusztal, ArkadiuszX 
Sent: Wednesday, October 9, 2019 9:30 AM
To: dev@dpdk.org
Cc: akhil.goyal@nxp.com; Zhang, Roy Fan <roy.fan.zhang@intel.com>; Shally Verma <shallyv@marvell.com>; Trahe, Fiona <fiona.trahe@intel.com>; Anoob Joseph <anoobj@marvell.com>; De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>; Doherty, Declan <declan.doherty@intel.com>; tdu@semihalf.com
Subject: [RFC] Chacha20 Poly1305 Support

Hi,

due to increasing interest of crypto protocols in Chacha20-Poly1305 algorithm I would like to start discussion about adding it to cryptodev.
I would suggest adding something like:

@@ -348,6 +348,8 @@ enum rte_crypto_aead_algorithm {
             /**< AES algorithm in CCM mode. */
             RTE_CRYPTO_AEAD_AES_GCM,
             /**< AES algorithm in GCM mode. */
+            RTE_CRYPTO_AEAD_CHACHA20_POLY1305,
+            /**< Chacha20 encryption cipher with poly1305 authenticator */


In 'iv offset' of aead xform
+                           * - For Chacha20-Poly1305 it is 96-bit nonce. Initial counter
+                           * value for Chacha20 encryption is set by PMD to 1, meanwhile
+                            * for Poly1305 is set to 0 as per rfc7539 2.8. AEAD construction.
[Fiona] I'd suggest moving initial counter description to next line as separate from nonce.
And as Poly1305 is used twice in the procedure, maybe reword as:
PMD sets initial counter for Poly1305 key generation part to 0 and for Chacha20 encryption 
to 1 as per rfc7539 2.8. AEAD construction.

In 'iv length' of aead xform
+                           * - For Chacha20-Poly1305 this field is always 12.

It is AEAD instead of cipher + auth as rfc7539 explicitly specifies initial counters to one and zero with AEAD construction, which is not done
for Chacha and Poly separately. If in future someone would like to add these algorithms to cipher and auth enums additional field that holds initial counter
should be added as well.

I have tested it with openssl pmd implementation I have created for test purposes (Chacha Poly is supported since OpenSSL 1.1.0 version) which I may attach if needed.

(Sorry if I have not included someone in cc, please cc any interested person)

Regards,
Arek

Re: [dpdk-dev] [RFC] Chacha20 Poly1305 Support

[Kusztal, ArkadiuszX]

Hi Fiona,

Thanks for your feedback,
> 
> Hi,
> 
> due to increasing interest of crypto protocols in Chacha20-Poly1305
> algorithm I would like to start discussion about adding it to cryptodev.
> I would suggest adding something like:
> 
> @@ -348,6 +348,8 @@ enum rte_crypto_aead_algorithm {
>              /**< AES algorithm in CCM mode. */
>              RTE_CRYPTO_AEAD_AES_GCM,
>              /**< AES algorithm in GCM mode. */
> +            RTE_CRYPTO_AEAD_CHACHA20_POLY1305,
> +            /**< Chacha20 encryption cipher with poly1305 authenticator
> +*/
> 
> 
> In 'iv offset' of aead xform
> +                           * - For Chacha20-Poly1305 it is 96-bit
> +nonce. Initial counter
> +                           * value for Chacha20 encryption is set by
> +PMD to 1, meanwhile
> +                            * for Poly1305 is set to 0 as per rfc7539 2.8. AEAD
> construction.
> [Fiona] I'd suggest moving initial counter description to next line as separate
> from nonce.
> And as Poly1305 is used twice in the procedure, maybe reword as:
> PMD sets initial counter for Poly1305 key generation part to 0 and for
> Chacha20 encryption to 1 as per rfc7539 2.8. AEAD construction.
[Arek] - Yes, we can reword it this way.
[Arek] - rfc7539 is obsoleted by rfc8439 so " as per rfc8439", no additional changes are necessary due to this fact.
> 
> In 'iv length' of aead xform
> +                           * - For Chacha20-Poly1305 this field is always 12.
> 
> It is AEAD instead of cipher + auth as rfc7539 explicitly specifies initial
> counters to one and zero with AEAD construction, which is not done for
> Chacha and Poly separately. If in future someone would like to add these
> algorithms to cipher and auth enums additional field that holds initial
> counter should be added as well.
> 
> I have tested it with openssl pmd implementation I have created for test
> purposes (Chacha Poly is supported since OpenSSL 1.1.0 version) which I may
> attach if needed.
> 
> (Sorry if I have not included someone in cc, please cc any interested person)
> 
> Regards,
> Arek