ANNOUNCE: Nettle-3.0

Niels Möller nisse at
Sat Jun 7 10:35:10 CEST 2014

I'm happy to announce a new version of GNU Nettle, a low-level
cryptographics library. The Nettle home page can be found at

This release is dual licensed as LGPLv3 or later, or GPLv2 or later. See
the manual for details.

NEWS for the Nettle 3.0 release

	This is a major release, including several interface changes,
	and new features, some of which are a bit experimental.
	Feedback is highly appreciated.

	It is *not* binary (ABI) compatible with earlier versions. It
	is mostly source-level (API) compatible, with a couple of
	incompatibilities noted below. The shared library names are and, with sonames and
	There may be some problems in the new interfaces and new
	features which really need incompatible fixes. It is likely
	that there will be an update in the form of a 3.1 release in
	the not too distant future, with small but incompatible
	changes, and if that happens, bugfix-only releases 3.0.x are
	unlikely. Users and applications which desire better API and
	ABI stability are advised to stay with nettle-2.7.x (latest
	version is now 2.7.1) until the dust settles.

	Interface changes:

	* For the many _set_key functions, it is now consider the
	  normal case to have a fixed key size, with no key_size
	  arguments. _set_key functions with a length parameter are
	  provided only for algorithms with a truly variable keysize,
	  and where it makes sense for backwards compatibility.

	  INCOMPATIBLE CHANGE: cast128_set_key no longer accepts a key
	  size argument. The old function is available under a new
	  name, cast5_set_key.

	  INCOMPATIBLE CHANGE: The function typedef
	  nettle_set_key_func no longer accepts a key size argument.
	  In particular, this affects users of struct nettle_cipher.

	* The nettle_cipher abstraction (in nettle-meta.h) is
	  restricted to block ciphers only. The encrypt and decrypt
	  functions now take a const argument for the context.

	  INCOMPATIBLE CHANGE: nettle_arcfour, i.e., the nettle_cipher
	  abstraction for the arcfour stream cipher, is deleted.

	  INCOMPATIBLE CHANGE: New type, nettle_cipher_func, for the
	  encrypt and decrypt fields of struct nettle_cipher.

	* New DSA interface, with a separate struct dsa_param to
	  represent the underlying group, and generalized dsa_sign and
	  dsa_verify functions which don't care about the hash
	  function used. Limited backwards compatibility provided in

	  INCOMPATIBLE CHANGE: Declarations of the old interface,
	  e.g., struct dsa_public_key, dsa_sha1_sign, etc, is moved to

	  INCOMPATIBLE CHANGE: The various key conversion functions,
	  e.g., dsa_keypair_to_sexp, all use the new DSA interface, with
	  no backwards compatible functions.

	  INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new
	  interface. dsa-compat.h declares a function
	  dsa_compat_generate_keypair, implementing the old
	  interface, and #defines dsa_generate_keypair to refer to
	  this backwards compatible function.

	* New AES and Camellia interfaces. There are now separate
	  context structs for each key size, e.g., aes128_ctx and
	  camellia256_ctx, and corresponding new functions. The old
	  interface, with struct aes_ctx and struct camellia_ctx, is
	  kept for backwards compatibility, but might be removed in
	  later versions.

	* The type of most length arguments is changed from unsigned
	  to size_t. The memxor functions have their pointer arguments
	  changed from uint8_t * to void *, for consistency with
	  related libc functions.

	* For hash functions, the constants *_DATA_SIZE have been
	  renamed to *_BLOCK_SIZE. Old names kept for backwards

	Removed features:

	* The nettle_next_prime function has been deleted.
	  Applications should use GMP's mpz_nextprime instead.

	* Deleted the RSAREF compatibility, including the header file
	  rsa-compat.h and everything declared therein.

	* Also under consideration for removal is des-compat.h and
	  everything declared therein. This implements a subset of the
	  old libdes/ssleay/openssl interface for DES and triple-DES,
	  and it is poorly tested. If anyone uses this interface,
	  please speak up! Otherwise, it will likely be removed in the
	  next release.
	Bug fixes:

	* Building with ./configure --disable-static now works.

	* Use GMP's allocation functions for temporary storage related
	  to bignums, to avoid potentially large stack allocations.

	* Fixes for shared libraries on M$ Windows.

	New features:

	* Support for Poly1305-AES MAC.

	* Support for the ChaCha stream cipher and EXPERIMENTAL
	  support for the ChaCha-Poly1305 AEAD mode. Specifications
	  are still in flux, and future releases may do incompatible
	  changes to track standardization. Currently uses 256-bit key
	  and 64-bit nonce.

	* Support for EAX mode.

	* Support for CCM mode. Contributed by Owen Kirby.

	* Additional variants of SHA512 with output size of 224 and
	  256 bits. Contributed by Joachim Strömbergson.

	* New interface, struct nettle_aead, for mechanisms providing
	  authenticated encryption with associated data (AEAD).

	* DSA: Support a wider range for the size of q and a wider
	  range for the digest size.


	* New x86_64 assembly for GCM and MD5. Modest speedups on the
	  order of 10%-20%.


	* SHA3 is now documented as EXPERIMENTAL. Nettle currently
	  implements SHA3 as specified at the time Keccak won the SHA3
	  competition. However, the final standard specified by NIST
	  is likely to be incompatible, in which case future releases
	  may do incompatible changes to track standardization.

	* The portability fix for the rotation macros, mentioned in
	  NEWS for 2.7.1, actually didn't make it into that release.
	  It is included now.

	* cast128_set_key rewritten for clarity, also eliminating a
	  couple of compiler warnings.

	* New command line tool nettle-pbkdf2.

Available at: (soon)

Happy hacking,
/Niels Möller

Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 193 bytes
Desc: not available
URL: <>

More information about the nettle-bugs mailing list