### The Security of ChaCha20-Poly1305 in the Multi-user Setting

##### Abstract

The ChaCha20-Poly1305 AEAD scheme is being increasingly widely deployed in practice. Practitioners need proven security bounds in order to set data limits and rekeying intervals for the scheme. But the formal security analysis of ChaCha20-Poly1305 currently lags behind that of AES-GCM. The only extant analysis (Procter, 2014) contains a flaw and is only for the single-user setting. We rectify this situation. We prove a multi-user security bound on the AEAD security of ChaCha20-Poly1305 and establish the tightness of each term in our bound through matching attacks. We show how our bound differs both qualitatively and quantitatively from the known bounds for AES-GCM, highlighting how subtle design choices lead to distinctive security properties. We translate our bound to the nonce-randomized setting employed in TLS 1.3 and elsewhere, and we additionally improve the corresponding security bounds for GCM. Finally, we provide a simple yet stronger variant of ChaCha20-Poly1305 that addresses the deficiencies highlighted by our analysis.

Note: Full version of the original paper published in ACM CCS 2021.

Available format(s)
Category
Secret-key cryptography
Publication info
Published elsewhere. ACM CCS 2021
DOI
10.1145/3460120.3484814
Keywords
Contact author(s)
jeanpaul degabriele @ tii ae
mail @ felixguenther info
kenny paterson @ inf ethz ch
History
2023-01-26: approved
See all versions
Short URL
https://ia.cr/2023/085

CC BY

BibTeX

@misc{cryptoeprint:2023/085,
author = {Jean Paul Degabriele and Jérôme Govinden and Felix Günther and Kenneth G. Paterson},
title = {The Security of ChaCha20-Poly1305 in the Multi-user Setting},
howpublished = {Cryptology ePrint Archive, Paper 2023/085},
year = {2023},
doi = {10.1145/3460120.3484814},
note = {\url{https://eprint.iacr.org/2023/085}},
url = {https://eprint.iacr.org/2023/085}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.