Daiki Ueno ueno@gnu.org writes:
From: Daiki Ueno dueno@redhat.com
While the documentation said the nonce size is 16 octets, the
And 16 was never correct, the older variant used 8 octets (CHACHA_NONCE_SIZE).
implementation actually assumed 12 octets following RFC 7539.
Signed-off-by: Daiki Ueno dueno@redhat.com
nettle.texinfo | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/nettle.texinfo b/nettle.texinfo index 0b339f51..7d5e1780 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -3292,17 +3292,10 @@ except that @var{cipher} and @var{f} are replaced with a context structure. ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (@pxref{Poly1305}). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which -defines a similar construction but with Salsa20 instead of ChaCha.
-Nettle's implementation ChaCha-Poly1305 should be considered -@strong{experimental}. At the time of this writing, there is no -authoritative specification for ChaCha-Poly1305, and a couple of -different incompatible variants. Nettle implements it using the original -definition of ChaCha, with 64 bits (8 octets) each for the nonce and the -block counter. Some protocols prefer to use nonces of 12 bytes, and it's -a small change to ChaCha to use the upper 32 bits of the block counter -as a nonce, instead limiting message size to @math{2^32} blocks or 256 -GBytes, but that variant is currently not supported. +defines a similar construction but with Salsa20 instead of ChaCha.
+Nettle's implementation of ChaCha-Poly1305 follows @cite{RFC 7539}. +Unlike the original definition of ChaCha, the nonces are of 12 bytes.
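Review bot: The added paragraph states the 12-byte nonce but drops the message-size limit that the removed text spelled out for exactly this variant, where the upper 32 bits of the block counter are used as nonce, "limiting message size to @math{2^32} blocks or 256 GBytes". That variant is now the one being documented, so the limit should be carried over into the new text, right after the sentence beginning "Unlike the original definition of ChaCha", so callers know the per-message bound. A smaller wording point on the same sentence: "the nonces are of 12 bytes" reads awkwardly, and the commit message counts in octets while the new text says bytes; "the nonce is 12 octets" would keep the two consistent.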
Maybe worth mentioning the 32-bit block count and corresponding limit on message size?
Regards, /Niels