Given recent attacks against the older, commonly used RC4 cipher and CBC mode, the Google team began implementing new algorithms – ChaCha20 for symmetric encryption and Poly1305 for authentication – in OpenSSL and NSS in March 2013. ChaCha20 is immune to padding-oracle attacks, such as Lucky13, which affect CBC mode as used in TLS. By design, ChaCha20 is also immune to timing attacks.
“It was a complex effort that required implementing a new abstraction layer in OpenSSL in order to support the Authenticated Encryption with Associated Data (AEAD) encryption mode properly,” said Elie Bursztein, anti-abuse research lead at Google, in a blog post.
He added that ChaCha20 and Poly1305 are very fast on mobile and wearable devices, as their designs are able to leverage common CPU instructions, including ARM vector instructions. “AEAD enables encryption and authentication to happen concurrently, making it easier to use and optimize than [CBC and RC4],” he said. “Poly1305 also saves network bandwidth, since its output is only 16 bytes compared to HMAC-SHA1, which is 20 bytes.”
This represents a 16% reduction of the TLS network overhead incurred when using older ciphersuites such as RC4-SHA or AES-SHA, Bursztein noted.
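The AEAD behaviour and tag sizes described above can be checked with Node.js's built-in `crypto` module. This is an added example, not code from Google, OpenSSL or NSS; the key, nonce, header bytes and the helper names `seal`, `open` and `hmacSha1Tag` are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Encrypt and authenticate in one operation. `aad` is authenticated but
// sent in the clear (here it stands in for record metadata).
function seal(key, nonce, aad, plaintext) {
  const c = nodeCrypto.createCipheriv('chacha20-poly1305', key, nonce,
                                      { authTagLength: 16 });
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { ct, tag: c.getAuthTag() }; // Poly1305 tag: 16 bytes
}

// Returns the plaintext, or null if the ciphertext, the tag or the
// associated data was modified in transit.
function open(key, nonce, aad, ct, tag) {
  const d = nodeCrypto.createDecipheriv('chacha20-poly1305', key, nonce,
                                        { authTagLength: 16 });
  d.setAAD(aad);
  d.setAuthTag(tag);
  try {
    return Buffer.concat([d.update(ct), d.final()]); // final() verifies the tag
  } catch (err) {
    return null; // authentication failed: discard the output
  }
}

// The separate MAC used by the older suites, for the size comparison.
function hmacSha1Tag(macKey, data) {
  return nodeCrypto.createHmac('sha1', macKey).update(data).digest(); // 20 bytes
}

// Constructed sample values. A real (key, nonce) pair must never be reused.
const demoKey = Buffer.alloc(32, 0x42);
const demoNonce = Buffer.alloc(12, 0x01);
const demoHeader = Buffer.from([0x17, 0x03, 0x03, 0x00, 0x0b]); // constructed header
const sealed = seal(demoKey, demoNonce, demoHeader, Buffer.from('hello world'));

const flipped = Buffer.from(sealed.ct);
flipped[0] ^= 0x01; // single-bit change to the ciphertext

console.log('Poly1305 tag bytes :', sealed.tag.length);
console.log('HMAC-SHA1 tag bytes:', hmacSha1Tag(demoKey, sealed.ct).length);
console.log('round trip         :',
            open(demoKey, demoNonce, demoHeader, sealed.ct, sealed.tag).toString());
console.log('tampered record    :',
            open(demoKey, demoNonce, demoHeader, flipped, sealed.tag));
```

Changing the associated data makes `open` fail in the same way as changing the ciphertext, which is what lets a receiver trust unencrypted record metadata.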
As of February 2014, almost all HTTPS connections made from Chrome browsers on Android devices to Google properties have used the new cipher suite; Google plans to make it available as part of the Android platform in a future release.