Daiki Ueno <[email protected]> writes:

> From: Daiki Ueno <[email protected]>
>
> While the documentation said the nonce size is 16 octets, the

And 16 was never correct, the older variant used 8 octets (CHACHA_NONCE_SIZE).

> implementation actually assumed 12 octets following RFC 7539.
>
> Signed-off-by: Daiki Ueno <[email protected]>
> --- > nettle.texinfo | 17 +++++------------ > 1 file changed, 5 insertions(+), 12 deletions(-) > > diff --git a/nettle.texinfo b/nettle.texinfo > index 0b339f51..7d5e1780 100644 > --- a/nettle.texinfo > +++ b/nettle.texinfo 
> @@ -3292,17 +3292,10 @@ except that @var{cipher} and @var{f} are > replaced with a context structure. > ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the > poly1305 message authentication code (@pxref{Poly1305}). It originates > from the NaCl cryptographic library by D. J. Bernstein et al, which > -defines a similar construction but with Salsa20 instead of ChaCha. > - > -Nettle's implementation ChaCha-Poly1305 should be considered > -@strong{experimental}. At the time of this writing, there is no > -authoritative specification for ChaCha-Poly1305, and a couple of > -different incompatible variants. Nettle implements it using the original > -definition of ChaCha, with 64 bits (8 octets) each for the nonce and the > -block counter. Some protocols prefer to use nonces of 12 bytes, and it's > -a small change to ChaCha to use the upper 32 bits of the block counter > -as a nonce, instead limiting message size to @math{2^32} blocks or 256 > -GBytes, but that variant is currently not supported. > +defines a similar construction but with Salsa20 instead of ChaCha. > + > +Nettle's implementation of ChaCha-Poly1305 follows @cite{RFC 7539}. > +Unlike the original definition of ChaCha, the nonces are of 12 bytes.

Maybe worth mentioning the 32-bit block count and corresponding limit on message size?

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
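
Review bot: The replacement paragraph at the end of the hunk states the 12-byte nonce but drops the consequence that the removed text spelled out, namely that using the upper 32 bits of the block counter as nonce limits a message to @math{2^32} blocks or 256 GBytes. Suggest adding one sentence after "the nonces are of 12 bytes" saying that the block counter is 32 bits and giving that per-message limit, so the size bound stays documented now that this is the supported variant. Separately, the first removed and added lines ("defines a similar construction but with Salsa20 instead of ChaCha.") and the empty line after them read identically here; if they differ only in whitespace, drop them from the patch so the diff shows just the wording change.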
