BIP151: Clarifications on sequence numbers. #426

pull chjj wants to merge 2 commits into bitcoin:master from chjj:bip151-aadseq changing 1 files +2 −2
  1. chjj commented at 6:50 AM on July 27, 2016: contributor

    This clarifies that the ciphertext payload length is meant to update the AEAD as AAD. OpenSSH does this, but in a naive way, as seen here (aadlen is 4 -- poly1305_auth is called on both size and payload).

    Although the payload length is AAD, OpenSSH violates both RFCs by not including the AAD length (or the ciphertext length) in the MAC before finalization. This change to the bip includes the size explicitly as AAD.

    Update: Nevermind the above change. I confused myself by reading the openssh code too much (AAD not necessary due to bip151's encrypted size).

    This change also explicitly mentions sequence numbers are meant to be uint32's which are allowed to overflow. This is in keeping with openssh behavior. I don't think having a 64bit sequence provides any benefit over a 32bit one for bip151's use case: we're guaranteed to have rekeyed by the time the seq number reaches uint32_max, so there's no danger in reusing a previous IV/sequence earlier.

    Along with the sequence size, this PR shrinks IV size to 64 bits a la openssh (we weren't using all 96 bits even with 64bit sequences). This allows for a 64 bit chacha counter.

    cc @jonasschnelli

  2. BIP151: Clarifications on AAD and sequence numbers. f388fef2f6
  3. bip151: remove aad change. 0607a34fcf
  4. chjj renamed this:
    BIP151: Clarifications on AAD and sequence numbers.
    BIP151: Clarifications on sequence numbers.
    on Jul 27, 2016
  5. jonasschnelli commented at 8:49 AM on July 27, 2016: contributor

    Thanks @chjj!

    1. AAD

    Update: Nevermind the above change. I confused myself by reading the openssh code too much (AAD not necessary due to bip151's encrypted size).

    As you updated your PR, I think the way how we build the AEAD is correct.

    1. I just checked the ChaCha20Poly1305@openssh.com specs and there it says

    <pre> The AEAD is constructed as follows: for each packet, generate a Poly1305 key by taking the first 256 bits of ChaCha20 stream output generated using K_2, an IV consisting of the packet sequence number encoded as an <strong>uint64</strong> under the SSH wire encoding rules and a ChaCha20 block counter of zero. </pre>

    And yes, openssh is using a uint32_t as internal sequence number counter (which should be sufficient as you stated).

    ACK after squash.

  6. luke-jr merged this on Jul 27, 2016
  7. luke-jr closed this on Jul 27, 2016
  8. chjj commented at 4:52 AM on July 29, 2016: contributor

    As you updated your PR, I think the way how we build the AEAD is correct.

    Yeah, I was confused for a second. I didn't notice openssh had an option for unencrypted payload sizes at first.

    I just checked the ChaCha20Poly1305@openssh.com specs and there it says

    Hmm, I think they're referring to the IV there (i.e. encoding/casting a uint32 seq number to a uint64 for the IV).

    Anyway, glad we got this figured out before more implementations roll out.

Contributors
chjjjonasschnelli
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 21:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me