9

I see in the Salsa20 specification there are test examples throughout the document to help an implementer make sure every function works as designed. Consequently the whole algorithm would work perfectly if all the tests pass. Without these test vectors it would be very difficult to know whether the code was working as designed or was giving incorrect outputs. Test-driven development should be the gold standard for developing a cryptographic library.

So it came as a surprise to me when reading the improved ChaCha20 specification that there are no test examples to validate against. I have even had a look on the ChaCha web page but found nothing.

Even though ChaCha20 has better diffusion and is supposedly more secure, I would consider myself actually safer using the Salsa20 algorithm as I have reference test vectors for the code/library to validate against and I would know for sure that it was implemented correctly. Using ChaCha20 would be a risky move in comparison. How do all the other implementers of ChaCha20 e.g. OpenSSH know their implementation is correct? How are other people able to trust that their implementation is correct?

I would like to know where the ChaCha20 test examples are which show the correct outputs from the ChaCha quarter-round and ChaCha matrix? Why aren't they in the specification document?

otus
  • 32,462
  • 5
  • 75
  • 167
Motox
  • 146
  • 1
  • 7

2 Answers2

12

There are in the RFC : https://datatracker.ietf.org/doc/html/draft-agl-tls-chacha20poly1305-04#section-7

The following blocks contain test vectors for ChaCha20. The first line contains the 256-bit key, the second the 64-bit nonce and the
last line contains a prefix of the resulting ChaCha20 key-stream.

KEY: 00000000000000000000000000000000000000000000000000000000 00000000
NONCE: 0000000000000000
KEYSTREAM: 76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc 8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11c c387b669b2ee6586

KEY: 00000000000000000000000000000000000000000000000000000000 00000001
NONCE: 0000000000000000
KEYSTREAM: 4540f05a9f1fb296d7736e7b208e3c96eb4fe1834688d2604f450952 ed432d41bbe2a0b6ea7566d2a5d1e7e20d42af2c53d792b1c43fea81 7e9ad275ae546963

KEY: 00000000000000000000000000000000000000000000000000000000 00000000
NONCE: 0000000000000001
KEYSTREAM: de9cba7bf3d69ef5e786dc63973f653a0b49e015adbff7134fcb7df1 37821031e85a050278a7084527214f73efc7fa5b5277062eb7a0433e 445f41e3

KEY: 00000000000000000000000000000000000000000000000000000000 00000000
NONCE: 0100000000000000
KEYSTREAM: ef3fdfd6c61578fbf5cf35bd3dd33b8009631634d21e42ac33960bd1 38e50d32111e4caf237ee53ca8ad6426194a88545ddc497a0b466e7d 6bbdb0041b2f586b

Community
  • 1
Dillinur
  • 407
  • 3
  • 6
5

You'll find the test vector in a draft "Test Vectors for the Stream Cipher ChaCha draft-strombergson-chacha-test-vectors-00" available at the following link: https://datatracker.ietf.org/doc/html/draft-strombergson-chacha-test-vectors-00 The document links a github repo where you can find all the vectors https://github.com/secworks/chacha_testvectors/

Another interesting reading: http://insanecoding.blogspot.fr/2014/06/avoid-incorrect-chacha20-implementations.html

You may also find others test vectors for ChaCha20 implementation in Draft "ChaCha20 and Poly1305 based Cipher Suites for TLS draft-agl-tls-chacha20poly1305-00" (Section 7) available at https://datatracker.ietf.org/doc/html/draft-agl-tls-chacha20poly1305-00.

Community
  • 1
ddddavidee
  • 3,364
  • 2
  • 24
  • 34