Paper 2023/085

The Security of ChaCha20-Poly1305 in the Multi-user Setting

Jean Paul Degabriele, Technology Innovation Institute, TU Darmstadt
Jérôme Govinden, TU Darmstadt
Felix Günther, ETH Zurich
Kenneth G. Paterson, ETH Zurich
Abstract

The ChaCha20-Poly1305 AEAD scheme is being increasingly widely deployed in practice. Practitioners need proven security bounds in order to set data limits and rekeying intervals for the scheme. But the formal security analysis of ChaCha20-Poly1305 currently lags behind that of AES-GCM. The only extant analysis (Procter, 2014) contains a flaw and is only for the single-user setting. We rectify this situation. We prove a multi-user security bound on the AEAD security of ChaCha20-Poly1305 and establish the tightness of each term in our bound through matching attacks. We show how our bound differs both qualitatively and quantitatively from the known bounds for AES-GCM, highlighting how subtle design choices lead to distinctive security properties. We translate our bound to the nonce-randomized setting employed in TLS 1.3 and elsewhere, and we additionally improve the corresponding security bounds for GCM. Finally, we provide a simple yet stronger variant of ChaCha20-Poly1305 that addresses the deficiencies highlighted by our analysis.

Note: Full version of the original paper published in ACM CCS 2021.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. ACM CCS 2021
DOI
10.1145/3460120.3484814
Keywords
ChaCha20-Poly1305Multi-user SecurityGCMNonce RandomizationAEADTLS 1.3Tight Security
Contact author(s)
jeanpaul degabriele @ tii ae
jerome govinden @ tu-darmstadt de
mail @ felixguenther info
kenny paterson @ inf ethz ch
History
2023-01-26: approved
2023-01-24: received
See all versions
Short URL
https://ia.cr/2023/085
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2023/085,
      author = {Jean Paul Degabriele and Jérôme Govinden and Felix Günther and Kenneth G. Paterson},
      title = {The Security of {ChaCha20}-Poly1305 in the Multi-user Setting},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/085},
      year = {2023},
      doi = {10.1145/3460120.3484814},
      url = {https://eprint.iacr.org/2023/085}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.