2.4 The ChaCha20 Encryption Algorithm

ChaCha20 is a stream cipher designed by D. J. Bernstein. It is a refinement of the Salsa20 algorithm, and it uses a 256-bit key.

ChaCha20 successively calls the ChaCha20 block function, with the same key and nonce, and with successively increasing block counter parameters. ChaCha20 then serializes the resulting state by writing the numbers in little-endian order, creating a keystream block. Concatenating the keystream blocks from the successive blocks forms a keystream. The ChaCha20 function then performs an XOR of this keystream with the plaintext. Alternatively, each keystream block can be XORed with a plaintext block before proceeding to create the next block, saving some memory. There is no requirement for the plaintext to be an integral multiple of 512 bits. If there is extra keystream from the last block, it is discarded. Specific protocols MAY require that the plaintext and ciphertext have certain length. Such protocols need to specify how the plaintext is padded and how much padding it receives.

The inputs to ChaCha20 are:

A 256-bit key
A 32-bit initial counter. This can be set to any number, but will usually be zero or one. It makes sense to use one if we use the zero block for something else, such as generating a one-time authenticator key as part of an AEAD algorithm.
A 96-bit nonce. In some protocols, this is known as the Initialization Vector.
An arbitrary-length plaintext

The output is an encrypted message, or "ciphertext", of the same length.

Decryption is done in the same way. The ChaCha20 block function is used to expand the key into a keystream, which is XORed with the ciphertext giving back the plaintext.

2.4.1 The ChaCha20 Encryption Algorithm in Pseudocode

chacha20_encrypt(key, counter, nonce, plaintext):
   for j = 0 upto floor(len(plaintext)/64)-1
      key_stream = chacha20_block(key, counter+j, nonce)
      block = plaintext[(j*64)..(j*64+63)]
      encrypted_message +=  block ^ key_stream
      end
   if ((len(plaintext) % 64) != 0)
      j = floor(len(plaintext)/64)
      key_stream = chacha20_block(key, counter+j, nonce)
      block = plaintext[(j*64)..len(plaintext)-1]
      encrypted_message += (block^key_stream)[0..len(plaintext)%64]
      end
   return encrypted_message
   end

2.4.2 Example and Test Vector for the ChaCha20 Cipher

For a test vector, we will use the following inputs to the ChaCha20 block function:

Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f.
Nonce = (00:00:00:00:00:00:00:4a:00:00:00:00).
Initial Counter = 1.

We use the following for the plaintext. It was chosen to be long enough to require more than one block, but not so long that it would make this example cumbersome (so, less than 3 blocks):

Plaintext Sunscreen:

4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c  Ladies and Gentl
65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73  emen of the clas
73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63  s of '99: If I c
6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f  ould offer you o
6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20  nly one tip for 
74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73  the future, suns
63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69  creen would be i
74 2e                                            t.

The following figure shows four ChaCha state matrices:

First block as it is set up.
Second block as it is set up. Note that these blocks are only two bits apart -- only the counter in position 12 is different.
Third block is the first block after the ChaCha20 block operation was applied.
Final block is the second block after the ChaCha20 block operation was applied.

After that, we show the keystream.

First block setup:

    61707865  3320646e  79622d32  6b206574
    03020100  07060504  0b0a0908  0f0e0d0c
    13121110  17161514  1b1a1918  1f1e1d1c
    00000001  00000000  4a000000  00000000

Second block setup:

    61707865  3320646e  79622d32  6b206574
    03020100  07060504  0b0a0908  0f0e0d0c
    13121110  17161514  1b1a1918  1f1e1d1c
    00000002  00000000  4a000000  00000000

First block after block operation:

    f3514f22  e1d91b40  6f27de2f  ed1d63b8
    821f138c  e2062c3d  ecca4f7e  78cff39e
    a30a3b8a  920a6072  cd7479b5  34932bed
    40ba4c79  cd343ec6  4c2c21ea  b7417df0

Second block after block operation:

    9f74a669  410f633f  28feca22  7ec44dec
    6d34d426  738cb970  3ac5e9f3  45590cc4
    da6e8b39  892c831a  cdea67c1  2b7e1d90
    037463f3  a11a2073  e8bcfb88  edc49139

Keystream:

22:4f:51:f3:40:1b:d9:e1:2f:de:27:6f:b8:63:1d:ed:8c:13:1f:82:3d:2c:06
e2:7e:4f:ca:ec:9e:f3:cf:78:8a:3b:0a:a3:72:60:0a:92:b5:79:74:cd:ed:2b
93:34:79:4c:ba:40:c6:3e:34:cd:ea:21:2c:4c:f0:7d:41:b7:69:a6:74:9f:3f
63:0f:41:22:ca:fe:28:ec:4d:c4:7e:26:d4:34:6d:70:b9:8c:73:f3:e9:c5:3a
c4:0c:59:45:39:8b:6e:da:1a:83:2c:89:c1:67:ea:cd:90:1d:7e:2b:f3:63

Finally, we XOR the keystream with the plaintext, yielding the ciphertext:

Ciphertext Sunscreen:

6e 2e 35 9a 25 68 f9 80 41 ba 07 28 dd 0d 69 81  n.5.%h..A..(..i.
e9 7e 7a ec 1d 43 60 c2 0a 27 af cc fd 9f ae 0b  .~z..C`..'......
f9 1b 65 c5 52 47 33 ab 8f 59 3d ab cd 62 b3 57  ..e.RG3..Y=..b.W
16 39 d6 24 e6 51 52 ab 8f 53 0c 35 9f 08 61 d8  .9.$.QR..S.5..a.
07 ca 0d bf 50 0d 6a 61 56 a3 8e 08 8a 22 b6 5e  ....P.jaV....".^
52 bc 51 4d 16 cc f8 06 81 8c e9 1a b7 79 37 36  R.QM.........y76
5a f9 0b bf 74 a3 5b e6 b4 0b 8e ed f2 78 5e 42  Z...t.[......x^B
87 4d                                            .M