diff options
| author | Daiki Ueno <dueno@redhat.com> | 2020-03-09 13:01:19 +0100 |
|---|---|---|
| committer | Niels Möller <nisse@lysator.liu.se> | 2020-03-09 19:09:28 +0100 |
| commit | ede524e52548039cb735bde5905f94b786987ea2 (patch) | |
| tree | 92e2f57740525b6dbe97b92841dbf0afe3fe5d5f | |
| parent | 2176ccc158d220f2884a10980266899c495b77be (diff) | |
| download | nettle-ede524e52548039cb735bde5905f94b786987ea2.tar.gz | |
doc: match ChaCha-Poly1305 documentation to the implementation
While the documentation said the nonce size is 8 octets, the
implementation actually assumed 12 octets following RFC 7539.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
| -rw-r--r-- | nettle.texinfo | 19 |
1 files changed, 7 insertions, 12 deletions
diff --git a/nettle.texinfo b/nettle.texinfo index fe44f6af..418f46d8 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -3323,17 +3323,12 @@ except that @var{cipher} and @var{f} are replaced with a context structure. ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (@pxref{Poly1305}). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which -defines a similar construction but with Salsa20 instead of ChaCha. - -Nettle's implementation ChaCha-Poly1305 should be considered -@strong{experimental}. At the time of this writing, there is no -authoritative specification for ChaCha-Poly1305, and a couple of -different incompatible variants. Nettle implements it using the original -definition of ChaCha, with 64 bits (8 octets) each for the nonce and the -block counter. Some protocols prefer to use nonces of 12 bytes, and it's -a small change to ChaCha to use the upper 32 bits of the block counter -as a nonce, instead limiting message size to @math{2^32} blocks or 256 -GBytes, but that variant is currently not supported. +defines a similar construction but with Salsa20 instead of ChaCha. + +Nettle's implementation of ChaCha-Poly1305 follows @cite{RFC 8439}, +where the ChaCha cipher is initialized with a 12-byte nonce and a 4-byte +block counter. This allows up to 256 gigabytes of data to be encrypted +using the same key. For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream @@ -3362,7 +3357,7 @@ ChaCha-Poly1305 key size, 32. @end defvr @defvr Constant CHACHA_POLY1305_NONCE_SIZE -Same as the ChaCha nonce size, 16. +ChaCha-Poly1305 nonce size, 12. @end defvr @defvr Constant CHACHA_POLY1305_DIGEST_SIZE |