[noise] chacha20 != chacha20poly1305 minus the tag
Trevor Perrin
trevp at trevp.net
Fri Jul 24 13:53:04 PDT 2015
On Fri, Jul 24, 2015 at 1:47 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Hi folks,
>
> This might lead one to believe that rather than calling the RFC7539
> chacha20poly1305 function and removing the tag from the end, it might
> be optimal to directly call the usual chacha20 function. Danger! It
> turns out that RFC7539 encrypts a block of zeros for block counter 0,
> for poly's key, which means that encrypting the actual data begins on
> block 1. As such, to obtain such an optimization, it's necessary to
> call chacha20 with the block counter starting at 1.
>
> Just FYI. Not sure whether or not it'd be useful to mention this in
> the document.
Makes sense to clarify that in the ciphersuite definitions.
Jonathan's request for a Security Considerations section also makes sense.
Other implementation or security advice like this is welcome, I'll
incorporate it next week.
Trevor
More information about the Noise
mailing list