Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
Is the AEAD construction of poly1305 with chacha [0] planned to be included? It is currently intended to be used in TLS so it would be really useful to have in nettle.
Would make sense, once the spec is stable. Comment on aead-interfaces in general is appreciated. Maybe RFC5116 is useful guidance.
[0]. http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04
Thanks for the pointer. Are you (or anyone else on this list) involved in this ietf process? On which ietf list is it discussed?
After a quick reading, the following jumps out at me (in Sec. 5):
The reason for generating the Poly1305 key like this rather than using key material from the handshake is that handshake key material is per-session, but for a polynomial MAC, a unique, secret key is needed per-record.
As far as I understand, you can use the same poly1305 key for a large number of records/messages, as long as you have a unique nonce for each message.
Then it should work fine in tls to use a per-session key for both chacha and poly1305, and then use the same nonce for both chacha and poly1305, based on the record sequence number.
Am I missing something? I guess Adam Langley usually knows what he's doing. But otherwise, the paragraph in the draft, and the awkward method it describes, makes absolutely no sense to me.
Regards, /Niels