On 02/15/2014 08:28 AM, Niels Möller wrote:
> I was pointed to
> https://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-01. This
> draft specifies chacha as using a 96-bit nonce and a 32-bit block
> counter. When asking about this discrepancy on the tls list, Adam
> Langley replied
>
> : On Fri, Feb 14, 2014 at 1:57 PM, Niels Möller <[email protected]> wrote:
> : > [...] And a 32-bit counter (256 GB message size, if I manage to get
> : > the powers right) ought to be sufficient for almost all applications.
> : > But I'm afraid it might slow adoption of chacha if there are
> : > multiple slightly incompatible specifications.
> :
> : I intend for the 64/64 bit version to be dead at this point. I think
> : everyone can agree on the 96/32 split. I wouldn't want there to be two
> : versions if it can be avoided.
>
> Apparently, IPSec wants 96-bit nonces, and this is also in line with
> rfc5116, which says that all AEAD algorithms SHOULD support 12-byte
> nonces.
>
> But this change is news to me. Does everyone really agree on the change of
> 96/32 in chacha?

The TLS version of chacha we are going to propose is whatever the cfrg draft says. So that would be 96/32.

regards,
Nikos
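The two layouts discussed in this thread differ only in how state words 12 to 15 are divided between block counter and nonce. The following is an added example, not part of the original messages and not nettle's code: it builds one keystream block under each split, so the outputs can be compared. The 96/32 block matches the 64/64 block exactly when the first nonce word equals the high half of the 64-bit counter. The function names are hypothetical, and the word positions assume the original ChaCha layout for 64/64 and the cfrg draft's layout for 96/32.

```c
#include <stdint.h>
#include <string.h>

#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) \
  a += b; d ^= a; d = ROTL(d, 16); c += d; b ^= c; b = ROTL(b, 12); \
  a += b; d ^= a; d = ROTL(d, 8);  c += d; b ^= c; b = ROTL(b, 7);

/* ChaCha20 block: 10 double rounds over the 16-word state, then feed-forward. */
static void chacha20_core(uint32_t out[16], const uint32_t in[16]) {
  uint32_t x[16]; int i;
  memcpy(x, in, sizeof(x));
  for (i = 0; i < 10; i++) {
    QR(x[0], x[4], x[8], x[12])  QR(x[1], x[5], x[9], x[13])
    QR(x[2], x[6], x[10], x[14]) QR(x[3], x[7], x[11], x[15])
    QR(x[0], x[5], x[10], x[15]) QR(x[1], x[6], x[11], x[12])
    QR(x[2], x[7], x[8], x[13])  QR(x[3], x[4], x[9], x[14])
  }
  for (i = 0; i < 16; i++) out[i] = x[i] + in[i];
}

/* Words 0-3: "expand 32-byte k"; words 4-11: the 256-bit key. */
static void set_key(uint32_t s[16], const uint32_t key[8]) {
  s[0] = 0x61707865; s[1] = 0x3320646e; s[2] = 0x79622d32; s[3] = 0x6b206574;
  memcpy(s + 4, key, 8 * sizeof(uint32_t));
}

/* 64/64 split: words 12-13 hold the block counter, words 14-15 the nonce. */
void block_64_64(uint32_t out[16], const uint32_t key[8],
                 const uint32_t nonce[2], uint64_t counter) {
  uint32_t s[16];
  set_key(s, key);
  s[12] = (uint32_t)counter; s[13] = (uint32_t)(counter >> 32);
  s[14] = nonce[0]; s[15] = nonce[1];
  chacha20_core(out, s);
}

/* 96/32 split: word 12 holds the block counter, words 13-15 the nonce. */
void block_96_32(uint32_t out[16], const uint32_t key[8],
                 const uint32_t nonce[3], uint32_t counter) {
  uint32_t s[16];
  set_key(s, key);
  s[12] = counter; s[13] = nonce[0]; s[14] = nonce[1]; s[15] = nonce[2];
  chacha20_core(out, s);
}

/* Bytes available under one nonce with a 32-bit counter: 2^32 blocks * 64. */
uint64_t max_bytes_96_32(void) { return ((uint64_t)1 << 32) * 64; }
```

With a 32-bit counter the keystream under one nonce ends after 2^38 bytes, the 256 GB figure quoted above, so a 96/32 implementation has to refuse longer messages instead of letting the counter wrap into the nonce word.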
