[noise] chacha20 != chacha20poly1305 minus the tag

Jason A. Donenfeld Jason at zx2c4.com
Fri Jul 24 13:47:04 PDT 2015


Hi folks,

Stumbled across an implementation pitfall. The document reads:
"GETKEY(k, n): Calls the ENCRYPT function with cipher key k and nonce
n to encrypt a block of zeros equal in length to k. Returns the same
number of bytes from the beginning of the encrypted output. This
function can typically be implemented more efficiently than calling
ENCRYPT (e.g. by skipping the MAC calculation)."

This might lead one to believe that rather than calling the RFC7539
chacha20poly1305 function and removing the tag from the end, it might
be optimal to directly call the usual chacha20 function. Danger! It
turns out that RFC7539 encrypts a block of zeros for block counter 0,
for poly's key, which means that encrypting the actual data begins on
block 1. As such, to obtain such an optimization, it's necessary to
call chacha20 with the block counter starting at 1.

Just FYI. Not sure whether or not it'd be useful to mention this in
the document.

Jason

