On Thu, 2016-05-05 at 12:39 -0400, Jeffrey Walton wrote:
> On Thu, May 5, 2016 at 10:49 AM, Stephen Farrell
> <[email protected]> wrote:
> >
> > Thanks all. I updated the RFC editor note to add the FIPS
> > reference.
>
> You might also consider mentioning the interop problems that are going
> to occur when diverging from Bernstein's reference implementation. It's
> already creating open questions on other mailing lists. For example,
> linux-crypto and
> https://www.mail-archive.com/[email protected]/msg1137554.html:
>
> > + chacha20_block(&crng->state[0], out);
> > + if (crng->state[12] == 0)
> > + crng->state[13]++;
>
> state[12]++? Or why do you increment the nonce?
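Review bot: the `if (crng->state[12] == 0)` test only acts as a counter carry if `chacha20_block()` itself increments `state[12]` as a side effect; none of the three quoted lines advances word 12, so as shown the increment of `state[13]` fires only when the counter happens to be zero. A comment on the call stating that the block counter is advanced inside `chacha20_block()` and that `state[13]` absorbs the carry on wrap-around would answer the question raised in the quoted reply and document which state layout (counter words 12-13) the code assumes.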
I wondered the same when I saw the comment. However, I'm not sure that is an issue. Chacha20 as a stream cipher is not defined anywhere by IETF (as far as I know). RFC7539 defines the Chacha20-poly1305 AEAD (authenticated encryption) mechanism, which uses a modified chacha20 compared to the reference algorithm. However, that doesn't really affect any other uses for the stream cipher. That's maybe the reason for the confusion. Bottom line, the comment relates more to RFC7539 than to this draft.

regards,
Nikos

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
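The layout difference behind this exchange, as an added example that is not part of the thread, the kernel patch, or RFC 7539 itself: Bernstein's ChaCha20 keeps a 64-bit block counter in state words 12-13 and a 64-bit nonce in words 14-15, while RFC 7539 keeps a 32-bit counter in word 12 and a 96-bit nonce in words 13-15, so a carry out of word 12 lands in the nonce under the RFC layout. The helper names are my own; the key and nonce are the RFC 7539 section 2.3.2 test values, and the code shows that the two layouts agree only while the counter stays below 2**32.

```python
import struct
MASK = 0xffffffff
SIGMA = (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574)  # "expand 32-byte k"

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _qr(s, a, b, c, d):  # ChaCha quarter round, in place on words a, b, c, d
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(state):
    """20 rounds over a 16-word state; returns the 64-byte keystream block."""
    x = list(state)
    for _ in range(10):  # each pass = one double round (4 column + 4 diagonal QRs)
        _qr(x, 0, 4, 8, 12); _qr(x, 1, 5, 9, 13); _qr(x, 2, 6, 10, 14); _qr(x, 3, 7, 11, 15)
        _qr(x, 0, 5, 10, 15); _qr(x, 1, 6, 11, 12); _qr(x, 2, 7, 8, 13); _qr(x, 3, 4, 9, 14)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, state)))

def state_reference(key, counter, nonce8):
    """Bernstein layout: words 12-13 = 64-bit block counter, words 14-15 = 64-bit nonce."""
    return [*SIGMA, *struct.unpack("<8I", key), counter & MASK, (counter >> 32) & MASK,
            *struct.unpack("<2I", nonce8)]

def state_rfc7539(key, counter, nonce12):
    """RFC 7539 layout: word 12 = 32-bit block counter, words 13-15 = 96-bit nonce."""
    return [*SIGMA, *struct.unpack("<8I", key), counter & MASK, *struct.unpack("<3I", nonce12)]

def advance_reference(state):
    """Next block under the reference layout: word 12 wraps, carry into word 13."""
    state[12] = (state[12] + 1) & MASK
    if state[12] == 0:
        state[13] = (state[13] + 1) & MASK

def advance_rfc7539(state):
    """Next block under RFC 7539: word 13 is nonce, so refuse rather than carry or wrap."""
    if state[12] == MASK:
        raise OverflowError("RFC 7539 ChaCha20 allows at most 2**32 blocks per nonce")
    state[12] += 1

def layouts_agree(key, nonce8, counter):
    """Same block from both layouts (RFC nonce = 4 zero bytes || nonce8)? Only for counter < 2**32."""
    ref = state_reference(key, counter, nonce8)
    rfc = state_rfc7539(key, counter, b"\0\0\0\0" + nonce8)
    return chacha20_block(ref) == chacha20_block(rfc)

KEY = bytes(range(32))  # constructed inputs: the RFC 7539 section 2.3.2 key and nonce
NONCE12 = bytes.fromhex("000000090000004a00000000")
```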
