On Sun, 2014-10-26 at 17:20 +0100, Niels Möller wrote:
> Nikos Mavrogiannopoulos <[email protected]> writes:
>
> > I was checking what is required for the chacha-poly1305 implementation
> > to be kept up to date with the current draft [0], on Last-Call. My
> > understanding is that the current implementation:
>
> Thanks for keeping track of this.
>
> > 1. Is missing support for 96-bit nonce Chacha (could be solved by adding
> > a chacha_set_nonce96 function)
>
> Right. Do we need to keep a 64-bit nonce AEAD option?

No such cipher is defined in the current draft, which was published after
the last call, so I doubt there will be other than editorial changes to
that draft.

> > 2. Misses the optimization which you proposed to CFRG (and was
> > incorporated).
>
> Should be easy to fix. Ideally, we should also take advantage of the
> improved alignment between chacha and poly1305.
>
> > It seems however, that if nettle is changed for the latter (i.e., to pad
> > AAD), then using chacha_poly1305_update() becomes tricky.
>
> What difficulties do you see? As far as I understand,
> chacha_poly1305_update can just call poly1305_update, and update the
> auth_size field.
>
> Then the first call to chacha_poly1305_*crypt (or chacha_poly1305_digest
> if cleartext is empty) can add the needed padding.

That makes sense. I was trying to figure that out without putting a
conditional into encrypt.

regards,
Nikos

_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
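The deferred-padding scheme Niels describes above, as an added example that is not part of the thread and not nettle's code: `update()` only feeds AAD to Poly1305 and counts `auth_size`; the first `crypt()` call (or `digest()`, when there is no message) inserts the zero bytes that align the AAD to a 16-byte Poly1305 block, so no conditional is needed on the encrypt path itself. ChaCha20 is left out: the caller passes in ciphertext bytes (constructed sample bytes here) and only the Poly1305 side is modelled. The class and function names (`Poly1305`, `ChaChaPoly1305Auth`, `reference_tag`, `streaming_tag`) are this example's own, not nettle's API. `reference_tag` computes the tag one-shot over the fully framed message pad16(AAD) || pad16(ciphertext) || len(AAD) || len(ciphertext) so the streaming result can be cross-checked against it, and `poly1305_mac` is checked against the Poly1305 test vector from the draft (RFC 7539 section 2.5.2).

```python
"""Added example: deferred AAD padding for ChaCha20-Poly1305 (MAC side only).

Not nettle's code. Names below are this example's own assumptions.
"""
import struct

P1305 = (1 << 130) - 5
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff


class Poly1305:
    """Incremental Poly1305 (RFC 7539 section 2.5) that buffers partial blocks."""

    def __init__(self, key):
        if len(key) != 32:
            raise ValueError("Poly1305 key must be 32 bytes")
        self.r = int.from_bytes(key[:16], "little") & CLAMP
        self.s = int.from_bytes(key[16:], "little")
        self.acc = 0
        self.buf = b""

    def _block(self, block):
        # Each block is read little-endian with a 0x01 byte appended on top.
        n = int.from_bytes(block + b"\x01", "little")
        self.acc = ((self.acc + n) * self.r) % P1305

    def update(self, data):
        self.buf += data
        while len(self.buf) >= 16:
            self._block(self.buf[:16])
            self.buf = self.buf[16:]

    def digest(self):
        if self.buf:  # final partial block: only the 0x01 marker is added
            self._block(self.buf)
            self.buf = b""
        return ((self.acc + self.s) & ((1 << 128) - 1)).to_bytes(16, "little")


def poly1305_mac(key, msg):
    """One-shot Poly1305 over msg."""
    m = Poly1305(key)
    m.update(msg)
    return m.digest()


def pad16(n):
    """Zero bytes that bring n bytes up to a multiple of 16."""
    return b"\x00" * (-n % 16)


class ChaChaPoly1305Auth:
    """Streaming AEAD authentication with the AAD padding deferred.

    update() feeds AAD in any chunking and only counts auth_size.
    crypt()  closes the AAD with pad16(auth_size) on its first call, then
             feeds ciphertext; it may be called repeatedly.
    digest() closes the AAD if crypt() was never called, pads the
             ciphertext and appends both lengths as little-endian 64-bit.
    """

    def __init__(self, poly_key):
        self.mac = Poly1305(poly_key)
        self.auth_size = 0   # bytes of AAD seen so far
        self.data_size = 0   # bytes of ciphertext seen so far
        self.aad_closed = False

    def update(self, aad):
        if self.aad_closed:
            raise ValueError("AAD must be supplied before any ciphertext")
        self.mac.update(aad)
        self.auth_size += len(aad)

    def _close_aad(self):
        if not self.aad_closed:
            self.mac.update(pad16(self.auth_size))
            self.aad_closed = True

    def crypt(self, ciphertext):
        self._close_aad()
        self.mac.update(ciphertext)
        self.data_size += len(ciphertext)

    def digest(self):
        self._close_aad()
        self.mac.update(pad16(self.data_size))
        self.mac.update(struct.pack("<QQ", self.auth_size, self.data_size))
        return self.mac.digest()


def reference_tag(poly_key, aad, ciphertext):
    """One-shot tag over the fully framed message, used for cross-checking."""
    framed = (aad + pad16(len(aad)) + ciphertext + pad16(len(ciphertext))
              + struct.pack("<QQ", len(aad), len(ciphertext)))
    return poly1305_mac(poly_key, framed)


def streaming_tag(poly_key, aad_chunks, ct_chunks):
    """Tag computed through the deferred-padding state machine."""
    a = ChaChaPoly1305Auth(poly_key)
    for chunk in aad_chunks:
        a.update(chunk)
    for chunk in ct_chunks:
        a.crypt(chunk)
    return a.digest()


# Constructed sample inputs; the ciphertext is arbitrary bytes, not ChaCha20 output.
SAMPLE_KEY = bytes(range(32))
SAMPLE_AAD = b"constructed-aad"                       # 15 bytes, needs 1 pad byte
SAMPLE_CT = b"constructed ciphertext, 37 bytes long"  # 37 bytes, needs 11 pad bytes
```

Because Poly1305 is run over the same byte stream either way, the streaming tag must equal the one-shot tag regardless of how the AAD and ciphertext are chunked, including the empty-AAD and empty-ciphertext corners the thread mentions; that equality is the check an implementer would add to the test suite when moving the padding into the first `*crypt` call.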
