[email protected] (Niels Möller) writes:

> There is some possibility to let the two views of these input block
> coexist, but I'm afraid that will get a bit messy to support in Nettle
> (although I haven't yet thought very much about the details).

This is all about initialization and update of words 12-15 (last row)
of the chacha state. Either

  12 13 14 15
  c0 c1 n0 n1   (64-bit counter, 64-bit nonce)

or

  12 13 14 15
  c  n0 n1 n2   (32-bit counter, 96-bit nonce)

When using a 64-bit counter, c0 is the least significant half, and c1
is the most significant half.

Say we adopt the second layout (and notation). Then letting the counter
c overflow is an error which should never happen when using the 32/96
variant. So we can make the compatible extension to increment the n0
word whenever c wraps around (this will break if for some reason
someone wants to use 32/96 chacha with an unusually large initial
counter, though).

With this tweak, one can get 64/64 chacha by simply prepending 32 zero
bits to the 64-bit nonce, and use the 32/96 chacha.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
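
The counter handling described in the message above, as an added example that is not part of the original message and is not Nettle code: it steps words 12-15 across a 32-bit counter wrap in both layouts and shows where the carry tweak departs from a plain 32-bit wrap. The struct, the function names and the nonce values are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Words 12-15 (last row) of the ChaCha state. */
struct last_row { uint32_t w[4]; };

/* 64/64 layout: c0 c1 n0 n1, with c0 the least significant counter half. */
static void init_64_64(struct last_row *r, uint64_t ctr, const uint32_t n[2])
{
  r->w[0] = (uint32_t) ctr; r->w[1] = (uint32_t) (ctr >> 32);
  r->w[2] = n[0]; r->w[3] = n[1];
}
static void step_64_64(struct last_row *r)
{
  uint64_t ctr = ((((uint64_t) r->w[1]) << 32) | r->w[0]) + 1;
  r->w[0] = (uint32_t) ctr; r->w[1] = (uint32_t) (ctr >> 32);
}

/* 32/96 layout: c n0 n1 n2. */
static void init_32_96(struct last_row *r, uint32_t ctr, const uint32_t n[3])
{
  r->w[0] = ctr; r->w[1] = n[0]; r->w[2] = n[1]; r->w[3] = n[2];
}
/* Plain 32/96 step: c wraps to 0 and the nonce words are untouched. */
static void step_32_96_wrap(struct last_row *r) { r->w[0]++; }
/* Tweaked step from the message: increment n0 whenever c wraps around. */
static void step_32_96_carry(struct last_row *r) { if (++r->w[0] == 0) r->w[1]++; }

/* 64/64 against tweaked 32/96 with 32 zero bits prepended to the nonce. */
int rows_match_across_wrap(void)
{
  const uint32_t n64[2] = { 0x11111111, 0x22222222 };    /* constructed */
  const uint32_t n96[3] = { 0, 0x11111111, 0x22222222 }; /* 0 || n64 */
  struct last_row a, b;
  init_64_64(&a, 0xfffffffeu, n64);
  init_32_96(&b, 0xfffffffeu, n96);
  for (int i = 0; i < 4; i++) {
    if (memcmp(&a, &b, sizeof a)) return 0;
    step_64_64(&a); step_32_96_carry(&b);
  }
  return memcmp(&a, &b, sizeof a) == 0 && b.w[0] == 2 && b.w[1] == 1;
}

/* Large initial counter with a full 96-bit nonce: the tweak modifies n0. */
uint32_t n0_after_wrap(int carry)
{
  const uint32_t n96[3] = { 0xaaaaaaaa, 0xbbbbbbbb, 0xcccccccc }; /* constructed */
  struct last_row r;
  init_32_96(&r, 0xffffffffu, n96);
  if (carry) step_32_96_carry(&r); else step_32_96_wrap(&r);
  return r.w[1];
}
```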
