[noise] Aligning with Chrome and IETF's ChaCha20/Poly1305

Stephen Touset stephen at squareup.com
Tue Jul 22 13:59:38 PDT 2014

I’ll work on these changes ASAP; I’ve been away on vacation.

I greatly prefer the new approach to the rekey step.

On Jul 13, 2014, at 1:11 AM, Trevor Perrin <trevp at trevp.net> wrote:

> On Sun, Jul 13, 2014 at 12:26 AM, Trevor Perrin <trevp at trevp.net> wrote:
>> * Encrypt the plaintext starting at count=1 instead of count=2, by
>> taking the "rekey" bytes from the end of the keystream instead of the
>> beginning.
> Hmm, I'm worried that future SW/HW might just provide the AEAD
> combination of ChaCha/Poly[1], and not make it easy to get extra
> ChaCha keystream.
> So I changed the rekey step so it could be performed by invoking the
> AEAD, if need be:
> cc = ChaCha20(cipher_key, iv XOR 0xFF[8])[64:64 + CC_LEN]
> In particular: instead of using "extra" keystream from the encryption,
> rekey now uses ChaCha20 with a different IV than encryption, and it
> uses the second block of output (because if invoking the AEAD, the
> first block is used for the Poly1305 one-time key).
> Thoughts?
> Trevor
> [1] https://datatracker.ietf.org/doc/draft-nir-cfrg-chacha20-poly1305/?include_text=1
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise

Stephen Touset
stephen at squareup.com

More information about the Noise mailing list