This is great news.<p>ChaCha20 is a refinement of Salsa20, which is probably Bernstein's best-known crypto design (it survived the eSTREAM contest to become one of the final portfolio ciphers). Bernstein wrote an extremely readable design paper on Salsa20:<p><a href="http://cr.yp.to/snuffle/salsafamily-20071225.pdf" rel="nofollow">http://cr.yp.to/snuffle/salsafamily-20071225.pdf</a><p>Salsa20 is essentially a fast hash function run in a carefully designed counter mode. If you don't care about speed, you can turn any secure hash function into a stream cipher by, for instance, running the HMAC of that hash in counter mode. Here, Bernstein has designed the Formula 1 car of hash cores to run quickly in software without side channels as the basis for a counter-mode stream cipher.<p>Poly1305 is, like the GHASH construction from GCM, a "polynomial MAC", which is the modern way to say "cryptographic CRC". Poly1305 was designed more carefully for software performance than GHASH. In particular, because it's based on binary fields, for competitive performance GHASH requires either hardware support (such as the Intel CLMUL instructions) or a table-based implementation that potentially leaks secrets from cache timing. Poly1305 is based on prime fields and is fast in software on platforms without instructions tailored to it. It is also mercifully easier to code (though maybe I'm just irrationally biased against binary field polynomial math).
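An added example, not part of the comment above and not code from any project it mentions: the "polynomial MAC" idea behind Poly1305, written with plain Python integers over the prime field 2^130 - 5. The function names are assumptions made here; the key, message and tag are the published test vector from RFC 8439 section 2.5.2. Python big-integer arithmetic is not constant-time, so this shows the math and does not replace a vetted library.

```python
import hmac

P = (1 << 130) - 5                             # the prime that gives Poly1305 its name
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff   # bits of r that RFC 8439 forces to zero


def poly1305_tag(key: bytes, msg: bytes) -> bytes:
    """Return the 16-byte Poly1305 tag of msg under a 32-byte one-time key (r || s)."""
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes (r || s)")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each 16-byte block is one polynomial coefficient. The appended 0x01
        # byte encodes the block length, so a short final block cannot be
        # confused with the same block padded with zero bytes.
        coeff = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        # Horner's rule: evaluate the polynomial at the secret point r, mod P.
        acc = (acc + coeff) * r % P
    # Adding s (mod 2^128) hides the polynomial value; this is why the
    # (r, s) pair must never be reused for a second message.
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare it without an early-exit byte comparison."""
    return hmac.compare_digest(poly1305_tag(key, msg), tag)


# Test vector from RFC 8439, section 2.5.2.
RFC_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"   # r (before clamping)
    "0103808afb0db2fd4abff6af4149f51b"   # s
)
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    print("tag     :", poly1305_tag(RFC_KEY, RFC_MSG).hex())
    print("verifies:", poly1305_verify(RFC_KEY, RFC_MSG, RFC_TAG))
    print("tampered:", poly1305_verify(RFC_KEY, RFC_MSG + b"!", RFC_TAG))
```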
"Poly1305 also saves network bandwidth, since its output is only 16 bytes compared to HMAC-SHA1, which is 20 bytes. This represents a 16% reduction of the TLS network overhead incurred when using older ciphersuites such as RC4-SHA or AES-SHA."<p>Does that mean 25B->21B per-packet overhead? What percentage overhead are TLS headers?
Does anyone know why Google doesn't offer a webserver?<p>I want SPDY, QUIC, and whatever cypher ordering magic is required to make my service faster on Android. Unfortunately I probably won't be able to deploy this for at least a year because I have to wait on nginx and OpenSSL. By the time I could reasonably deploy this, shipping Android phones will have the hardware to make this irrelevant.<p>Maybe Google sees their in-house webserver as a competitive advantage. Maybe their own internal infrastructure is too complicated to pull out a simple useful webserver.
> Poly1305 also saves network bandwidth, since its output is only 16 bytes compared to HMAC-SHA1, which is 20 bytes.<p>You could also just truncate HMAC-SHA1 to 16 bytes, right?
I'd love to offer ChaCha20 server-side, but I am currently using the default package of OpenSSL from Debian Wheezy which doesn't support the cipher. Are there already official OpenSSL builds available with ChaCha20 enabled, or does it still require running the patch from the Chromium team? If available, it'd be nice if someone could backport it.