author    Niels Möller <nisse@lysator.liu.se>  2023-05-07 15:30:40 +0200
committer Niels Möller <nisse@lysator.liu.se>  2023-05-07 15:30:40 +0200
commit    7e288a978e60cf616d3f41413899e2c9d52624c6
tree      008482201dd1020d2a7c74166132eb190340b167
parent    332ad2bd2b3da1dd35ed3e8939c7b9730bc0c8eb
download  nettle-7e288a978e60cf616d3f41413899e2c9d52624c6.tar.gz
NEWS entries for Nettle-3.9.
-rw-r--r--  NEWS  75
1 files changed, 75 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 056100eb..2fef605c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,78 @@
+NEWS for the Nettle 3.9 release
+
+ This release includes bug fixes, several new features, a few
+ performance improvements, and one performance regression
+ affecting GCM on certain platforms.
+
+ Nettle's implementation of GHASH, the authentication mechanism
+ used for GCM, dates from 2011, and has used data-dependent
+ table lookups for performance. Those lookups imply a potential
+ side-channel leak. More recent assembly implementations of
+ GHASH that use the carry-less multiplication instruction,
+ available on certain platforms, don't suffer from this
+ problem.
+
+ This release includes a rewrite of the C implementation of
+ GHASH as well as the plain x86_64 assembly version to use
+ precomputed tables in a different way, with tables always
+ accessed in the same sequential manner.
+
+ This should make Nettle's GHASH implementation side-channel
+ silent on all platforms, but considerably slower on platforms
+ without carry-less mul instructions. E.g., benchmarks of the C
+ implementation on x86_64 showed a slowdown of 3 times.
+
+ Bug fixes:
+
+ * Fix bug in ecdsa and gostdsa signature verify operation, for
+ the unlikely corner case that point addition really is point
+ duplication.
+
+ * Fix for chacha on Power7, nettle's assembly used an
+ instruction only available on later processors. Fixed by
+ Mamone Tarsha.
+
+ * GHASH implementation should now be side-channel silent on
+ all architectures.
+
+ * A few other portability fixes for *BSD.
+
+ New features:
+
+ * Support for the SM4 block cipher, contributed by Tianjia
+ Zhang.
+
+ * Support for the Balloon password hash, contributed by Zoltan
+ Fridrich.
+
+ * Support for SIV-GCM authenticated encryption mode,
+ contributed by Daiki Ueno.
+
+ * Support for OCB authenticated encryption mode.
+
+ * New exported functions md5_compress, sha1_compress,
+ sha256_compress, sha512_compress, based on patches from
+ Corentin Labbe.
+
+ Optimizations:
+
+ * Improved sha256 performance, in particular for x86_64 and
+ s390x.
+
+ * Use GMP's mpn_sec_tabselect, which is implemented in
+ assembly on many platforms, and delete the similar nettle
+ function. Gives a modest speedup to all ecc operations.
+
+ * Faster poly1305 for x86_64 and ppc64. New ppc code
+ contributed by Mamone Tarsha.
+
+ Miscellaneous:
+
+ * New ASM_FLAGS variable recognized by configure.
+
+ * Delete all arcfour assembly code. Affects 32-bit x86, 32-bit
+ and 64-bit sparc.
+
NEWS for the Nettle 3.8.1 release
This is a bugfix release, fixing a few portability issues
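Review bot: "point duplication" in the ecdsa/gostdsa bug-fix entry is not the standard term; the case where both summands of a point addition are the same point is called point doubling, so the entry reads more precisely as "the unlikely corner case that point addition really is point doubling." Two smaller points in the same hunk: the chacha entry is a comma splice and would be clearer split in two ("Fix for chacha on Power7. Nettle's assembly used an instruction only available on later processors."), and the GHASH item under "Bug fixes" restates the introductory paragraphs without saying so; a brief "see above" would keep readers from looking for a second, separate fix.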