On 02/15/2014 08:28 AM, Niels Möller wrote:
I was pointed to https://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-01. This draft specifies chacha as using a 96-bit nonce and a 32-bit block counter. When asking about this discrepancy on the tls list, Adam Langley replied : On Fri, Feb 14, 2014 at 1:57 PM, Niels Möller nisse@lysator.liu.se wrote: : > [...] And a 32-bit counter (256 GB message size, if I manage to get : > the powers right) ought to be sufficient for almost all applications. : > But I'm afraid it might to slow adoption of chacha if there are : > multiple slightly incompatible specifications. : I intend for the 64/64 bit version to be dead at this point. I think : everyone can agree on the 96/32 split. I wouldn't want there to be two : versions if it can be avoided. Apparently, IPSec wants 96 bits nonces, and this is also in line with rfc5116, which says that all AEAD algorithms SHOULD support 12-byte nonces. But this change is news to me. Do everyone really agree on the change of 96/32 in chacha?
In the TLS version of chacha we are going to propose is whather the cfrg draft says. So that would be 96/32.
regards, Nikos