[noise] chacha20 != chacha20poly1305 minus the tag
Trevor Perrin
trevp at trevp.net
Tue Jul 28 19:50:03 PDT 2015
On Fri, Jul 24, 2015 at 1:53 PM, Trevor Perrin <trevp at trevp.net> wrote:
> On Fri, Jul 24, 2015 at 1:47 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>> Hi folks,
>>
>> This might lead one to believe that rather than calling the RFC7539
>> chacha20poly1305 function and removing the tag from the end, it might
>> be optimal to directly call the usual chacha20 function. Danger! It
>> turns out that RFC7539 encrypts a block of zeros for block counter 0,
>> for poly's key, which means that encrypting the actual data begins on
>> block 1. As such, to obtain such an optimization, it's necessary to
>> call chacha20 with the block counter starting at 1.
>>
>> Just FYI. Not sure whether or not it'd be useful to mention this in
>> the document.
>
> Makes sense to clarify that in the ciphersuite definitions.
Clarified in section 7:
https://github.com/trevp/noise/blob/master/noise.md
"""
GETKEY(k, n): The first 32 bytes output from the ChaCha20 block
function from RFC 7539 with key k, nonce n encoded as for ENCRYPT(),
and the block count set to 1. This is the same as calling ENCRYPT() on
a plaintext consisting of 32 bytes of zeros and taking the first 32
bytes of output.
"""
Trevor
More information about the Noise
mailing list