Nikos Mavrogiannopoulos <[email protected]> writes:

>  I was checking what is required for the chacha-poly1305 implementation
> to be kept up to date with the current draft [0], on Last-Call. My
> understanding is that the current implementation:

Thanks for keeping track of this.

> 1. Is missing support for 96-bit nonce Chacha (could be solved by adding
> a chacha_set_nonce96 function)

Right. Do we need to keep a 64-bit nonce AEAD option?

> 2. Misses the optimization which you proposed to CFRG (and was
> incorporated).

Should be easy to fix. Ideally, we should also take advantage of the
improved alignment between chacha and poly1305.

> It seems however, that if nettle is changed for the latter (i.e., to pad
> AAD), then using chacha_poly1305_update() becomes tricky.

What difficulties do you see? As far as I understand,
chacha_poly1305_update can just call poly1305_update, and update the
auth_size field.

Then the first call to chacha_poly1305_*crypt (or chacha_poly1305_digest
if cleartext is empty) can add the needed padding.

If this is hard to do, for some reason I'm missing, it ought to be
brought up before the spec is done.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
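The update/crypt/digest sequencing Niels describes above, as an added Python model that is not nettle code: `update()` only feeds Poly1305 and counts `auth_size`, the first `encrypt()`/`decrypt()` (or `digest()` when the cleartext is empty) pads the AAD to a 16-byte boundary, and `digest()` pads the ciphertext and appends the two 64-bit lengths, following the padded-AAD construction of the CFRG draft (published as RFC 7539) with a 96-bit nonce and 32-bit block counter. The class and field names (`ChaChaPoly1305`, `auth_size`, `data_size`, `aad_done`) are assumptions chosen to mirror a nettle-style context, not nettle's own API; the constant-time tag comparison via `hmac.compare_digest` is also the author's choice for this example.

```python
import hmac
import struct

_MASK32 = 0xffffffff
_P1305 = (1 << 130) - 5


def _rotl32(v, n):
    return ((v << n) & _MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & _MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & _MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & _MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & _MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 256-bit key, 32-bit counter, 96-bit nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key
                               + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 (column round, diagonal round) pairs
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & _MASK32 for i in range(16)])


def chacha20_xor(key, nonce, counter, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


class Poly1305:
    """Streaming Poly1305 over a 32-byte one-time key (r || s)."""
    def __init__(self, key):
        self.r = int.from_bytes(key[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
        self.s = int.from_bytes(key[16:], "little")
        self.acc, self.buf = 0, b""

    def _block(self, block):
        # The 0x01 byte appended after the block is the Poly1305 pad bit.
        self.acc = ((self.acc + int.from_bytes(block + b"\x01", "little")) * self.r) % _P1305

    def update(self, data):
        self.buf += data
        while len(self.buf) >= 16:
            self._block(self.buf[:16]); self.buf = self.buf[16:]

    def digest(self):
        if self.buf:
            self._block(self.buf)  # final partial block, padded only by 0x01
        return ((self.acc + self.s) & ((1 << 128) - 1)).to_bytes(16, "little")


class ChaChaPoly1305:
    """Assumed nettle-style context: update() absorbs AAD, padding is deferred."""
    def __init__(self, key, nonce):
        assert len(key) == 32 and len(nonce) == 12
        self.key, self.nonce = key, nonce
        # Poly1305 one-time key = first 32 bytes of keystream block 0.
        self.poly = Poly1305(chacha20_block(key, 0, nonce)[:32])
        self.auth_size = 0    # AAD bytes absorbed so far
        self.data_size = 0    # ciphertext bytes absorbed so far
        self.aad_done = False
        self.counter = 1      # data blocks start at counter 1

    def update(self, aad):
        # Exactly what the mail suggests: feed Poly1305 and count bytes, no padding yet.
        assert not self.aad_done, "AAD must precede encrypt/decrypt/digest"
        self.poly.update(aad)
        self.auth_size += len(aad)

    def _pad16(self, n):
        if n % 16:
            self.poly.update(bytes(16 - n % 16))

    def _finish_aad(self):
        # Runs once, on the first crypt call (or on digest if there is no cleartext).
        if not self.aad_done:
            self._pad16(self.auth_size); self.aad_done = True

    def _crypt(self, data):
        # As with nettle's stream modes, all but the last call must pass a multiple of 64 bytes.
        out = chacha20_xor(self.key, self.nonce, self.counter, data)
        self.counter += (len(data) + 63) // 64
        return out

    def encrypt(self, plaintext):
        self._finish_aad()
        ct = self._crypt(plaintext)
        self.poly.update(ct); self.data_size += len(ct)
        return ct

    def decrypt(self, ciphertext):
        self._finish_aad()
        self.poly.update(ciphertext); self.data_size += len(ciphertext)
        return self._crypt(ciphertext)

    def digest(self):
        self._finish_aad()             # covers the empty-cleartext case
        self._pad16(self.data_size)
        self.poly.update(struct.pack("<QQ", self.auth_size, self.data_size))
        return self.poly.digest()


def aead_encrypt(key, nonce, aad, plaintext, chunk=64):
    """One-shot helper; chunk controls how encrypt() is split to exercise streaming."""
    ctx = ChaChaPoly1305(key, nonce)
    ctx.update(aad[:5]); ctx.update(aad[5:])   # AAD fed in two pieces on purpose
    ct = b"".join(ctx.encrypt(plaintext[i:i + chunk]) for i in range(0, len(plaintext), chunk)) \
        if plaintext else ctx.encrypt(b"")
    return ct, ctx.digest()


def aead_decrypt(key, nonce, aad, ciphertext, tag):
    """Returns the plaintext, or None when the tag does not verify."""
    ctx = ChaChaPoly1305(key, nonce)
    ctx.update(aad)
    pt = ctx.decrypt(ciphertext)
    return pt if hmac.compare_digest(ctx.digest(), tag) else None
```

With the RFC 7539 section 2.8.2 inputs (key 0x80..0x9f, nonce 070000004041424344454647, the 12-byte AAD and the 114-byte "Ladies and Gentlemen" message), the tag comes out as 1ae10b594f09e26a7e902ecbd0600691 whether the AAD and data are fed in one call or several, which is the property that makes the deferred padding safe to use with a streaming update function.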
