Hi,

In Section 2, draft-ietf-ipsecme-chacha20-poly1305-01 has the following text:

> o Finally, the Poly1305 function is run on the data to be
>   authenticated, which is, as specified in section 2.7 of
>   [chacha_poly] a concatenation of the following in the below order:
>
>   * The Authenticated Additional Data (AAD) - see Section 2.1.
>   * The AAD length in bytes as a 32-bit network order quantity.
>   * The ciphertext
>   * The length of the ciphertext as a 32-bit network order
>     quantity.

First, I assume [chacha_poly] should be updated to draft-irtf-cfrg-chacha20-poly1305, where section 2.7 is now 2.8?

draft-irtf-cfrg-chacha20-poly1305-10 2.8 defines the AEAD construction for Poly1305 with padding and a final block with two 64-bit little-endian length fields, contrary to what is defined here.

The GCM-like padding is certainly preferable, as it allows implementations to run four Poly1305 iterations on each ChaCha20 block. This is not only simpler, but allows parallel ChaCha20/Poly1305 processing without operating on partial blocks.

Kind regards
Martin
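
Added example, not part of the original message or of either draft: it builds the Poly1305 input in both layouts discussed above and reports which 16-byte Poly1305 blocks each 64-byte ChaCha20 block of ciphertext overlaps. The function names and the sample sizes (8-byte AAD, 128-byte ciphertext) are assumptions chosen for illustration.

```python
import struct

POLY_BLOCK = 16    # Poly1305 absorbs 16-byte blocks
CHACHA_BLOCK = 64  # ChaCha20 emits 64-byte keystream blocks

def pad16(data: bytes) -> bytes:
    """Zero bytes needed to bring len(data) up to a multiple of 16."""
    return b"\x00" * (-len(data) % POLY_BLOCK)

def mac_data_len32(aad: bytes, ct: bytes) -> bytes:
    """Layout quoted from draft-ietf-ipsecme-chacha20-poly1305-01, Section 2."""
    return aad + struct.pack(">I", len(aad)) + ct + struct.pack(">I", len(ct))

def mac_data_padded(aad: bytes, ct: bytes) -> bytes:
    """Padded layout with two 64-bit little-endian lengths in a final block."""
    return aad + pad16(aad) + ct + pad16(ct) + struct.pack("<QQ", len(aad), len(ct))

def ciphertext_offset(aad: bytes, padded: bool) -> int:
    """Byte offset of the ciphertext inside the Poly1305 input."""
    return len(aad) + (len(pad16(aad)) if padded else 4)

def poly_blocks_touched(aad: bytes, ct: bytes, padded: bool) -> list:
    """Per ChaCha20 block of ciphertext, the Poly1305 block indices it overlaps."""
    off = ciphertext_offset(aad, padded)
    spans = []
    for start in range(0, len(ct), CHACHA_BLOCK):
        end = min(start + CHACHA_BLOCK, len(ct))
        first = (off + start) // POLY_BLOCK
        last = (off + end - 1) // POLY_BLOCK
        spans.append(list(range(first, last + 1)))
    return spans

# Constructed sample sizes: 8-byte AAD, two full ChaCha20 blocks of ciphertext.
AAD = bytes(8)
CT = bytes(range(128))

if __name__ == "__main__":
    for padded in (False, True):
        print("padded" if padded else "len32 ", poly_blocks_touched(AAD, CT, padded))
```

With the 32-bit length layout the ciphertext starts at offset 12, so Poly1305 block 4 is shared between the two ChaCha20 blocks; with padding each ChaCha20 block maps to exactly four whole Poly1305 blocks.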
