[botan-devel] ChaCha20Poly1305 padding bug

Jack Lloyd lloyd at randombit.net
Fri Mar 25 12:18:40 EDT 2016

I made a mistake in the IETF implementation of the ChaCha20Poly1305
AEAD, and padding is incorrectly applied. Specifically, if the
plaintext or AAD are in some exact multiple of 16 bytes, then 16 bytes
of zero padding were applied, rather than the minimal (zero length)
padding necessary.  This case is unfortunately not covered by the
published test cases from the relevant RFCs, and so was not caught
until TLS interop testing.

This is a compatibility bug, without security issues. Either version
is secure, but only the 0 length padding version is compatible with
other implementations.

This change affects ChaCha20Poly1305 users who are using a 96 bit
nonce - for affected plaintext/AAD lengths, the tag generated by
future releases (1.11.30 onward) and all previous versions will be
different, and will mutually be rejected as invalid.

ChaCha20Poly1305 with a 64 bit nonce selects a slightly different
format which is not affected by this change (it's the earlier version
of ChaCha20Poly1305 which was deployed early on at Google and some
other sites).

Just a heads up on this breaking change.
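The construction at issue is the Poly1305 input of the RFC 7539 AEAD: aad || pad16(aad) || ciphertext || pad16(ciphertext) || le64(len(aad)) || le64(len(ciphertext)), where pad16 adds only as many zero bytes as needed to reach the next 16-byte boundary (none when the length is already a multiple of 16). The script below is an added example written for this post, not Botan's code; it implements plain Poly1305 from the RFC, builds the MAC input with the correct pad16 next to a reconstruction of the described mistake (always 1..16 padding bytes), and shows that the two produce different tags exactly when a length is a multiple of 16 and identical tags otherwise. The one-time key used in the demo is a constructed value, and the `pad16_buggy` helper is an assumption about the behaviour described, not a copy of the original implementation.

```python
"""Poly1305 input construction for the IETF ChaCha20-Poly1305 AEAD (RFC 7539),
illustrating the padding mistake described in the post."""
import struct

P1305 = (1 << 130) - 5
CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """Plain RFC 7539 Poly1305 over msg using a 32-byte one-time key (r || s)."""
    assert len(key) == 32
    r = int.from_bytes(key[:16], "little") & CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # Each block gets a 0x01 byte appended before being read as a little-endian number,
        # so a trailing all-zero block still changes the accumulator.
        n = int.from_bytes(block + b"\x01", "little")
        acc = ((acc + n) * r) % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def pad16_minimal(data: bytes) -> bytes:
    """RFC 7539 pad16: zero bytes up to the next multiple of 16, none if already aligned."""
    return b"\x00" * (-len(data) % 16)


def pad16_buggy(data: bytes) -> bytes:
    """Reconstruction (assumption) of the described bug: always 1..16 bytes,
    so a full 16 zero bytes are added when the input is already aligned."""
    return b"\x00" * (16 - len(data) % 16)


def mac_input(aad: bytes, ciphertext: bytes, pad=pad16_minimal) -> bytes:
    """AEAD authentication input:
    aad || pad(aad) || ct || pad(ct) || le64(len(aad)) || le64(len(ct))."""
    return (aad + pad(aad) + ciphertext + pad(ciphertext)
            + struct.pack("<QQ", len(aad), len(ciphertext)))


def tags_agree(key: bytes, aad: bytes, ciphertext: bytes) -> bool:
    """True if the minimal-padding and buggy-padding constructions yield the same tag."""
    good = poly1305_mac(key, mac_input(aad, ciphertext, pad16_minimal))
    bad = poly1305_mac(key, mac_input(aad, ciphertext, pad16_buggy))
    return good == bad


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed one-time key, for illustration only
    aligned = (b"A" * 16, b"C" * 32)     # both lengths multiples of 16: affected
    unaligned = (b"A" * 13, b"C" * 20)   # neither aligned: unaffected
    print("aligned lengths agree:  ", tags_agree(demo_key, *aligned))     # False
    print("unaligned lengths agree:", tags_agree(demo_key, *unaligned))   # True
```

Two implementations that disagree on `mac_input` will each reject the other's tag, which is the interop failure the post describes; the fix does not weaken the MAC, it only changes which byte string is authenticated for the affected lengths.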

