
XChaCha20 support #727

Closed
fxha opened this issue Oct 25, 2018 · 3 comments

@fxha commented Oct 25, 2018

Do you plan to add the XChaCha20 cipher because the default cipher has only a 64-bit nonce? It should be a similar initialization as XSalsa20 with the HSalsa20 construction. A problem may be that it isn't standardized yet but it's implemented in other libraries such as libsodium and go crypto.

References: draft-arciszewski-xchacha

@noloader (Collaborator) commented Oct 26, 2018

Yes, we'll support XChaCha eventually.

Also note TLS uses a variation on ChaCha that's not compatible with Bernstein's ChaCha. TLS's ChaCha looks more like XChaCha. And as far as I know the kernel provides TLS's ChaCha, not Bernstein's ChaCha, due to VPN over TLS.

It is really unfortunate the IETF hijacked the ChaCha name and did not distinguish it like with XChaCha. They were warned of the interop problems and confusion they were causing in advance.

@noloader (Collaborator) commented Jan 24, 2019

@fxha,

I think I have several days of free time coming up. I plan on using it for RFC 7539, ChaCha20 and Poly1305 for IETF Protocols and XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305.

ChaChaTLS was added at Commit 5603661eec5b. The caveat is, we are not sure what should happen for some use cases, like Initial Counter Block = 0xffffffff and then processing 5x blocks. The case should wrap the 32-bit counter block but the RFC does not say what is supposed to happen. Another small problem is, we don't have large block test vectors. We need a test vector that processes 12x blocks (768-bytes) but the RFC lacks one and there is no reference implementation.
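As an added example (not Crypto++ code and not from anyone in this thread), a pure-Python sketch of the constructions discussed above: the RFC 7539 block function with its 32-bit counter, HChaCha20 as the ChaCha analogue of HSalsa20, and the XChaCha20 subkey/nonce derivation built on it. The multi-block keystream helper wraps the counter modulo 2^32, which is one possible choice for the 0xffffffff case the RFC leaves unspecified; all function names are my own.

```python
import struct

MASK32 = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # ChaCha constant words

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def _qr(s, a, b, c, d):
    # ChaCha quarter round (RFC 7539 section 2.1) on state indices a, b, c, d
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds(state):
    # 20 rounds = 10 double rounds (a column round followed by a diagonal round)
    s = list(state)
    for _ in range(10):
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return s

def chacha20_block(key, counter, nonce12):
    """RFC 7539 block function: 32-bit block counter, 96-bit nonce (the ChaChaTLS layout)."""
    state = list(SIGMA) + list(struct.unpack("<8I", key)) \
        + [counter & MASK32] + list(struct.unpack("<3I", nonce12))
    out = [(x + y) & MASK32 for x, y in zip(state, _rounds(state))]  # feed-forward add
    return struct.pack("<16I", *out)

def chacha20_keystream(key, counter, nonce12, nblocks):
    """Keystream for consecutive blocks. The 32-bit counter wraps modulo 2^32 here;
    the RFC does not specify this case, so it is an implementation choice (assumption)."""
    return b"".join(chacha20_block(key, (counter + i) & MASK32, nonce12)
                    for i in range(nblocks))

def hchacha20(key, nonce16):
    """HChaCha20 (ChaCha analogue of HSalsa20): 20 rounds over constants || key ||
    128-bit nonce, no feed-forward; state words 0-3 and 12-15 become the 256-bit subkey."""
    state = list(SIGMA) + list(struct.unpack("<8I", key)) + list(struct.unpack("<4I", nonce16))
    s = _rounds(state)
    return struct.pack("<8I", *(s[0:4] + s[12:16]))

def xchacha20_block(key, counter, nonce24):
    """XChaCha20: subkey = HChaCha20(key, nonce[0:16]); then RFC 7539 ChaCha20 with
    that subkey and nonce = 00 00 00 00 || nonce[16:24]."""
    subkey = hchacha20(key, nonce24[:16])
    return chacha20_block(subkey, counter, b"\x00" * 4 + nonce24[16:])
```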

noloader added a commit that referenced this issue Jan 26, 2019

noloader added a commit that referenced this issue Jan 27, 2019

Add Poly1305TLS algorithm (GH #727)
This is the IETF's rendition of Poly1305 that forgoes AES and the nonce, and uses 16-bytes of the key directly to mac the message

noloader added a commit that referenced this issue Jan 27, 2019

noloader added a commit to noloader/cryptopp that referenced this issue Feb 5, 2019

noloader added a commit that referenced this issue Feb 6, 2019

noloader added a commit to noloader/cryptopp that referenced this issue Feb 6, 2019

noloader added a commit to noloader/cryptopp that referenced this issue Feb 6, 2019

noloader added a commit that referenced this issue Feb 6, 2019

@noloader (Collaborator) commented Feb 6, 2019

Done and done.
