poly1305 nonce increments

List overview All Threads
Download

newer

older

Apparent bug in SHA-1 digests

Make error on CentOS 6.4 x64

nisse＠lysator.liu.se

12 Nov 2013 12 Nov '13

8:17 p.m.

As I wrote, I'm working with poly1305. One question: The _digest function will update the nonce value, so that by default one gets a nonce sequence of 0, 1, 2, .... In the code I'm working with (contributed by Nikos), this increment is done in a big-endian fashion, just like increments for CTR mode.

Is this going to be the common way to generate nonces for poly1305?

Regards, /Niels

-- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.

Show replies by date

Nikos Mavrogiannopoulos

13 Nov 13 Nov

10:46 a.m.

On Tue, Nov 12, 2013 at 9:17 PM, Niels Möller nisse@lysator.liu.se wrote:

...

As I wrote, I'm working with poly1305. One question: The _digest function will update the nonce value, so that by default one gets a nonce sequence of 0, 1, 2, .... In the code I'm working with (contributed by Nikos), this increment is done in a big-endian fashion, just like increments for CTR mode. Is this going to be the common way to generate nonces for poly1305?

There is no common way as poly1305-aes isn't used in any standard (that I know) yet.

There is: draft-agl-tls-chacha20poly1305-03, but it uses a very different construction than the poly1305-aes.

regards, Nikos

nisse＠lysator.liu.se

21 Nov 21 Nov

10:23 p.m.

New subject: poly1305

nisse@lysator.liu.se (Niels Möller) writes:

...

As I wrote, I'm working with poly1305.

I just pushed a poly1305 branch to the public repo. Includes the code contributed by Nikos, based on MIT-licensed code by Andrew M. (floodyberry), with some modifications, and an initial x86_64 implementation, which needs fixes to support the w64 abi, and better testing.

The C implementation runs at 5.4 cycles/byte, and the assembly code at 3 cycles/byte.

Some further changes I think I will do:

* Take out the nonce from struct poly1305_ctx, and let poly1305_aes do all nonce handling. poly1305_digest gets the encrypted nonce as argument.

* For poly1305_aes, use aes128_ctx (it's hard coded for 128-bit AES anyway), and perhaps rename it to poly1305_aes128.

* Introduce a poly1305_update function, and use preprocessor casting tricks to define poly1305_aes128_update (and any other poly1305_*_update) as an alias.

* Promote union gcm_block to a more general abstraction, renaming it to nettle_block16 or so, and use it to guarantee nicer alignment for block buffer and nonce in poly1305.

Regards, /Niels

-- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.

4016

Age (days ago)

4025

Last active (days ago)

nettle-bugs@lists.lysator.liu.se

2 comments

2 participants

tags (0)

participants (2)

Nikos Mavrogiannopoulos
nisse＠lysator.liu.se