On Tue, Mar 4, 2014 at 3:23 PM, Stefan Bühler nettle-bugs@stbuehler.de wrote:
It has not been approved yet, but the latest TLS proposal for chacha is with 96-bit nonces and there is no plan to change. So at least for gnutls only the 96-bit nonce version is relevant.
I did propose using XChaCha (similar to XSalsa20) to support larger nonces (especially the AEAD recommended 96-bit length), and sticking with plain ChaCha for 64-bit nonces (and allowing them): http://www.ietf.org/mail-archive/web/cfrg/current/msg04310.html There should have been a CFRG meeting yesterday, and perhaps it was discussed, but I didn't get any feedback on it yet. If anyone (Nikos?) can report on that I'd be glad to hear about it :)
Unfortunately I was not there and did not follow the CFRG meeting. I, however, followed (online) the summary of the meeting by David Mcgrew in the TLS WG and the naming wasn't mentioned. The situation on the naming and the exact algorithm details will most probably clear up next month when CFRG provides input to the TLS WG on the chacha cipher.
regards, Nikos