[noise] Aligning with Chrome and IETF's ChaCha20/Poly1305
Trevor Perrin
trevp at trevp.net
Sun Jul 13 01:11:29 PDT 2014
On Sun, Jul 13, 2014 at 12:26 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> * Encrypt the plaintext starting at count=1 instead of count=2, by
> taking the "rekey" bytes from the end of the keystream instead of the
> beginning.

Hmm, I'm worried that future SW/HW might just provide the AEAD
combination of ChaCha/Poly[1], and not make it easy to get extra
ChaCha keystream.

So I changed the rekey step so it could be performed by invoking the
AEAD, if need be:

    cc = ChaCha20(cipher_key, iv XOR 0xFF[8])[64:64 + CC_LEN]

In particular: instead of using "extra" keystream from the encryption,
rekey now uses ChaCha20 with a different IV than encryption, and it
uses the second block of output (because if invoking the AEAD, the
first block is used for the Poly1305 one-time key).

Thoughts?

Trevor

[1] https://datatracker.ietf.org/doc/draft-nir-cfrg-chacha20-poly1305/?include_text=1
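
The rekey derivation above, as an added example that is not part of the original post or of the Noise code: it computes cc from raw keystream bytes [64:64 + CC_LEN] and again the way an AEAD-only interface would expose it (zeros encrypted starting at block 1), and the two agree. Assumptions: the original ChaCha20 layout with a 64-bit counter and 8-byte IV, a constructed CC_LEN of 40, hypothetical function names, and Poly1305 tag computation left out.

```python
import struct

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, iv, counter):
    # Assumed layout: constants, 256-bit key, 64-bit block counter, 64-bit IV
    # (the post XORs the IV with eight 0xFF bytes, so the IV is 8 bytes).
    init = list(struct.unpack("<4I", b"expand 32-byte k")
                + struct.unpack("<8I", key)
                + struct.unpack("<2I", struct.pack("<Q", counter))
                + struct.unpack("<2I", iv))
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(s, *q)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(s, init)))

def keystream(key, iv, length, first_block=0):
    # Concatenate 64-byte blocks starting at block counter first_block.
    blocks = range(first_block, first_block + (length + 63) // 64)
    return b"".join(chacha20_block(key, iv, c) for c in blocks)[:length]

def rekey_iv(iv):
    return bytes(b ^ 0xFF for b in iv)  # iv XOR 0xFF[8]

def rekey_from_keystream(key, iv, cc_len):
    # cc = ChaCha20(cipher_key, iv XOR 0xFF[8])[64:64 + CC_LEN]
    return keystream(key, rekey_iv(iv), 64 + cc_len)[64:64 + cc_len]

def rekey_via_aead_layout(key, iv, cc_len):
    # AEAD view: block 0 is consumed for the Poly1305 one-time key and the
    # payload is encrypted from block 1, so encrypting zeros returns keystream.
    ks = keystream(key, rekey_iv(iv), cc_len, first_block=1)
    return bytes(p ^ k for p, k in zip(bytes(cc_len), ks))

if __name__ == "__main__":
    key, iv, cc_len = bytes(range(32)), bytes(range(8)), 40  # constructed values
    cc = rekey_from_keystream(key, iv, cc_len)
    print(cc.hex(), cc == rekey_via_aead_layout(key, iv, cc_len))
```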