Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-12 Thread William Allen Simpson
Come on folks, here's an actual design that could help solve problems! Give it a look!!! On 9/11/13 6:33 PM, Adam Langley wrote: XORing a per-session secret with the sequence number would not be sufficient for Poly1305. The mask part (the final 16 bytes), at least, needs to be uniformly distribu

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-11 Thread Adam Langley
On Wed, Sep 11, 2013 at 12:43 PM, William Allen Simpson wrote: > Thanks, this part I knew, although it would be good explanatory text to > add to the draft. Done. > My old formulation from CBCS was developed during the old IPsec > discussions. It's just simpler and faster to xor the per-packet

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-11 Thread William Allen Simpson
On 9/11/13 10:37 AM, Adam Langley wrote: On Tue, Sep 10, 2013 at 10:59 PM, William Allen Simpson wrote: Or you could use 16 bytes, and cover all the input fields There's no reason the counter part has to start at 1. It is the case that most of the bottom row bits will be zero. However, C

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-11 Thread William Allen Simpson
On 9/11/13 10:27 AM, Adam Langley wrote: [attempt two, because I bounced off the mailing list the first time.] On Tue, Sep 10, 2013 at 9:35 PM, William Allen Simpson wrote: Why generate the ICV key this way, instead of using a longer key blob from TLS and dividing it? Is there a related-key a

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-11 Thread William Allen Simpson
On 9/11/13 6:00 AM, Alexandre Anzala-Yamajako wrote: Chacha20 being a stream cipher, the only requirement we have on the ICV is that it doesn't repeat, isn't it? You mean IV, the Initialization Vector. ICV is the Integrity Check Value, usually 32-64 bits appended to the packet. Each is separat

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-11 Thread Alexandre Anzala-Yamajako
2013/9/11 William Allen Simpson > It bugs me that so many of the input words are mostly zero. Using the > TLS Sequence Number for the nonce is certainly going to be mostly zero > bits. And the block counter is almost all zero bits, as you note, > > (In the case of the TLS, limits on the plai

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-11 Thread Adam Langley
[attempt two, because I bounced off the mailing list the first time.] On Tue, Sep 10, 2013 at 9:35 PM, William Allen Simpson wrote: > ChaCha20 is run with the given key and nonce and with the two counter > words set to zero. The first 32 bytes of the 64 byte output are > saved to become

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-11 Thread Adam Langley
On Tue, Sep 10, 2013 at 10:59 PM, William Allen Simpson wrote: > I suggest: > > ChaCha20 is run with the given key and sequence number nonce and with > > the two counter words set to zero. The first 32 bytes of the 64 byte > output are saved to become the one-time key for Poly1305. The

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-10 Thread William Allen Simpson
It bugs me that so many of the input words are mostly zero. Using the TLS Sequence Number for the nonce is certainly going to be mostly zero bits. And the block counter is almost all zero bits, as you note, (In the case of the TLS, limits on the plaintext size mean that the first counter

[Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-10 Thread William Allen Simpson
On 9/10/13 2:42 PM, Ben Laurie wrote: On 10 September 2013 18:00, zooko <zo...@zooko.com> wrote: Please ask your friendly neighborhood TLS implementor to move fast on http://tools.ietf.org/id/draft-josefsson-salsa20-tls-02.txt . We prefer https://datatracker.ietf.org/doc/draft-ag