Jeffrey Walton noloader@gmail.com writes:
> I hope I'm not crossing my wires, but doesn't ChaCha core require a counter addition?

Sure, but nettle's _chacha_core function (what I've implemented so far for ppc) does a single block, and doesn't modify the counter. Variants like _chacha_3core (currently implemented for ARM Neon only) need to update the counter.

> There are some fundamental differences between Bernstein's ChaCha and the IETF's ChaCha used in TLS. Bernstein's ChaCha uses a 64-bit counter.

That's a bit messy, but nettle supports both variants. To use the IETF version, either use the chacha_poly1305_* aead functions, or, for chacha only, the functions chacha_set_nonce96 and chacha_crypt32.
And there are tests for 32-bit wraparound in both cases.
Regards, /Niels
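
Added example, not part of the original message and not nettle's code: a self-contained C sketch of the two points in this exchange, a single-block core that leaves the counter words alone, and the two counter layouts (64-bit counter in words 12..13 versus the IETF 32-bit counter in word 12 followed by a 96-bit nonce). All `demo_*` names are hypothetical; the sample state is the block-function test vector from RFC 8439 section 2.3.2.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) do {            \
    a += b; d ^= a; d = ROTL32(d, 16); \
    c += d; b ^= c; b = ROTL32(b, 12); \
    a += b; d ^= a; d = ROTL32(d, 8);  \
    c += d; b ^= c; b = ROTL32(b, 7);  \
  } while (0)

/* Single-block core: reads the 16-word state and writes one keystream block.
   The input state, counter words included, is not modified. */
void demo_chacha_core(uint32_t out[16], const uint32_t in[16], unsigned rounds)
{
  uint32_t x[16]; unsigned i;
  memcpy(x, in, sizeof x);
  for (i = 0; i < rounds; i += 2) {
    QR(x[0], x[4], x[8],  x[12]); QR(x[1], x[5], x[9],  x[13]);
    QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
    QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
    QR(x[2], x[7], x[8],  x[13]); QR(x[3], x[4], x[9],  x[14]);
  }
  for (i = 0; i < 16; i++)
    out[i] = x[i] + in[i];
}

/* Original layout: words 12..13 are one 64-bit counter, so word 12 carries into word 13. */
void demo_incr_counter64(uint32_t s[16]) { if (++s[12] == 0) ++s[13]; }
/* IETF layout: word 12 is the whole counter; words 13..15 hold the nonce and must not change. */
void demo_incr_counter32(uint32_t s[16]) { ++s[12]; }

/* RFC 8439 section 2.3.2 input state: key 00..1f, block counter 1, 96-bit nonce. */
void demo_rfc8439_state(uint32_t s[16])
{
  unsigned i;
  s[0] = 0x61707865; s[1] = 0x3320646e; s[2] = 0x79622d32; s[3] = 0x6b206574;
  for (i = 0; i < 8; i++) /* key bytes as little-endian 32-bit words */
    s[4 + i] = 0x03020100u + 0x04040404u * i;
  s[12] = 1; s[13] = 0x09000000; s[14] = 0x4a000000; s[15] = 0;
}

int main(void)
{
  uint32_t s[16], out[16];
  demo_rfc8439_state(s); demo_chacha_core(out, s, 20);
  printf("first keystream word: %08x\n", (unsigned) out[0]);
  return 0;
}
```

At the 32-bit boundary the two increment functions diverge: the 64-bit variant changes word 13, while the IETF variant wraps word 12 to zero and leaves the nonce intact.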