ChaCha20 Rekey Frequency

Christian Weisgerber naddy at mips.inka.de
Sat Mar 25 07:36:05 AEDT 2023


Chris Rapier:

> I'm wondering why the ChaCha20 cipher rekeys so frequently. At speed I'm 
> seeing rekeys every second or two. So I'm spending a large amount of 
> time in the rekey process. From what I've read about ChaCha20 it 
> shouldn't need to be rekeyed quite so frequently. Am I missing something 
> obvious?

That looks to be accidental.

The default rekey limit is set in ssh_set_newkeys():
        /*
         * The 2^(blocksize*2) limit is too expensive for 3DES,
         * so enforce a 1GB limit for small blocksizes.
         * See RFC4344 section 3.2.
         */
        if (enc->block_size >= 16)
                *max_blocks = (u_int64_t)1 << (enc->block_size*2);
        else
                *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
        if (state->rekey_limit)
                *max_blocks = MINIMUM(*max_blocks,
                    state->rekey_limit / enc->block_size);

And the block size of chacha20-poly1305 is set to 8 bytes in
ciphers[].  As a result, chacha20-poly1305 is rekeyed every 1GB of
data as opposed to the 4GB limit of the AES-based ciphers.

-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de


More information about the openssh-unix-dev mailing list