On Sun, 2014-10-26 at 17:20 +0100, Niels Möller wrote:
> Nikos Mavrogiannopoulos <nmav@gnutls.org> writes:
>
> > I was checking what is required for the chacha-poly1305 implementation to be kept up to date with the current draft [0], on Last-Call. My understanding is that the current implementation:
>
> Thanks for keeping track of this.
>
> > - Is missing support for 96-bit nonce Chacha (could be solved by adding
> >   a chacha_set_nonce96 function)
>
> Right. Do we need to keep a 64-bit nonce AEAD option?

No such cipher is defined in the current draft, which was published after the last call, so I doubt there will be other than editorial changes to that draft.

> > - Misses the optimization which you proposed to CFRG (and was
> >   incorporated).
>
> Should be easy to fix. Ideally, we should also take advantage of the improved alignment between chacha and poly1305.
>
> > It seems, however, that if nettle is changed for the latter (i.e., to pad AAD), then using chacha_poly1305_update() becomes tricky.
>
> What difficulties do you see? As far as I understand, chacha_poly1305_update can just call poly1305_update, and update the auth_size field. Then the first call to chacha_poly1305_*crypt (or chacha_poly1305_digest if cleartext is empty) can add the needed padding.

That makes sense. I was trying to figure that out without putting a conditional into encrypt.

regards,
Nikos
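The structure Niels describes above (update() only feeds Poly1305 and counts AAD bytes; the first *crypt call, or digest() when there is no data, emits the AAD padding), written out as an added example in Python. This is not Nettle's code: it follows the AEAD layout of the CFRG draft the thread refers to (which later became RFC 7539: AAD, zero-pad to 16, ciphertext, zero-pad to 16, then both lengths as 64-bit little-endian), but the class and field names (ChaChaPoly1305, auth_size, in_data), the rejection of AAD after data, and the verify() helper are this example's own choices, not Nettle's API.

```python
# Added example (not Nettle's code): streaming ChaCha20-Poly1305 with the AAD padding
# deferred to the first data call, as discussed in the thread. Names such as
# ChaChaPoly1305, auth_size and in_data are this example's own, not Nettle's API.
import hmac, struct

P1305, MASK32 = (1 << 130) - 5, 0xffffffff          # Poly1305 prime, 32-bit word mask
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff           # clamp mask applied to r

def _qr(s, a, b, c, d):  # ChaCha quarter round (RFC 7539 section 2.1), in place on the state
    for shift, (x, y, z) in ((16, (a, b, d)), (12, (c, d, b)), (8, (a, b, d)), (7, (c, d, b))):
        s[x] = (s[x] + s[y]) & MASK32
        t = s[z] ^ s[x]
        s[z] = ((t << shift) | (t >> (32 - shift))) & MASK32

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 32-bit block counter, 96-bit nonce."""
    s = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = s[:]
    for _ in range(10):                              # 10 double rounds = 20 rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((a + b) & MASK32 for a, b in zip(s, w)))

class Poly1305:
    # Incremental Poly1305: buffers partial blocks, so callers may feed any chunk sizes.
    def __init__(self, key):
        self.r, self.s = int.from_bytes(key[:16], "little") & CLAMP, int.from_bytes(key[16:32], "little")
        self.acc, self.buf = 0, b""

    def _block(self, block):
        n = int.from_bytes(block + b"\x01", "little")  # 0x01 marks the end of the block
        self.acc = ((self.acc + n) * self.r) % P1305

    def update(self, data):
        self.buf += data
        while len(self.buf) >= 16:
            self._block(self.buf[:16])
            self.buf = self.buf[16:]

    def digest(self):
        if self.buf:                                 # trailing partial block
            self._block(self.buf)
            self.buf = b""
        return ((self.acc + self.s) & ((1 << 128) - 1)).to_bytes(16, "little")

class ChaChaPoly1305:
    # update() for AAD, then encrypt()/decrypt() for data, then digest() or verify().
    def __init__(self, key, nonce):
        assert len(key) == 32 and len(nonce) == 12, "32-byte key and 96-bit nonce required"
        self.key, self.nonce = key, nonce
        self.mac = Poly1305(chacha20_block(key, 0, nonce)[:32])  # block 0 -> one-time MAC key
        self.counter, self.ks = 1, b""               # data keystream starts at block 1
        self.auth_size = self.data_size = 0          # byte counts for the length trailer
        self.in_data, self.tag = False, None         # in_data: AAD padding already emitted

    def update(self, aad):  # as proposed in the thread: feed Poly1305 and count; no padding yet
        if self.in_data:
            raise ValueError("AAD must be supplied before any data")
        self.mac.update(aad)
        self.auth_size += len(aad)

    def _end_aad(self):  # runs once: from the first data call, or from digest() if no data
        if not self.in_data:
            self.mac.update(bytes(-self.auth_size % 16))  # zero-pad AAD to 16 bytes
            self.in_data = True

    def _xor_keystream(self, data):
        while len(self.ks) < len(data):
            self.ks += chacha20_block(self.key, self.counter, self.nonce)
            self.counter += 1
        out = bytes(a ^ b for a, b in zip(data, self.ks))
        self.ks = self.ks[len(data):]
        return out

    def encrypt(self, plaintext):
        self._end_aad()
        ct = self._xor_keystream(plaintext)
        self.mac.update(ct)                          # the MAC covers ciphertext
        self.data_size += len(ct)
        return ct

    def decrypt(self, ciphertext):
        self._end_aad()
        self.mac.update(ciphertext)
        self.data_size += len(ciphertext)
        return self._xor_keystream(ciphertext)

    def digest(self):
        if self.tag is None:
            self._end_aad()                          # also covers the AAD-only case
            self.mac.update(bytes(-self.data_size % 16))  # zero-pad ciphertext to 16
            self.mac.update(struct.pack("<QQ", self.auth_size, self.data_size))
            self.tag = self.mac.digest()
        return self.tag

    def verify(self, tag):
        return hmac.compare_digest(self.digest(), tag)
```

The in_data flag is the one conditional that Nikos mentions wanting to avoid: because the padding must sit between the AAD and the ciphertext in the Poly1305 input, something has to notice the transition, and checking a flag on the first data call (and in digest(), for messages with no data) is the cheapest place to do it. Because padding and lengths go through the same buffered Poly1305 stream, the tag does not depend on how the caller chunks update() or encrypt(): the RFC 7539 section 2.8.2 vector (key 80..9f, nonce 07000000 40414243 44454647, AAD 50515253 c0c1c2c3 c4c5c6c7, the "Ladies and Gentlemen" plaintext) yields the tag 1ae10b594f09e26a7e902ecbd0600691 whether fed in one call or in arbitrary pieces. On the receiving side, compare the tag with verify() (constant-time) before releasing any plaintext.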