[noise] Aligning with Chrome and IETF's ChaCha20/Poly1305

Trevor Perrin trevp at trevp.net
Sun Jul 13 01:11:29 PDT 2014

On Sun, Jul 13, 2014 at 12:26 AM, Trevor Perrin <trevp at trevp.net> wrote:
>  * Encrypt the plaintext starting at count=1 instead of count=2, by
> taking the "rekey" bytes from the end of the keystream instead of the
> beginning.

Hmm, I'm worried that future SW/HW might just provide the AEAD
combination of ChaCha/Poly[1], and not make it easy to get extra
ChaCha keystream.

So I changed the rekey step so it could be performed by invoking the
AEAD, if need be:

 cc = ChaCha20(cipher_key, iv XOR 0xFF[8])[64:64 + CC_LEN]

In particular: instead of using "extra" keystream from the encryption,
rekey now uses ChaCha20 with a different IV than encryption, and it
uses the second block of output (because if invoking the AEAD, the
first block is used for the Poly1305 one-time key).



[1] https://datatracker.ietf.org/doc/draft-nir-cfrg-chacha20-poly1305/?include_text=1

More information about the Noise mailing list