ChaChaTLS results when counter block wraps #790
ChaCha and the IETF's ChaChaTLS are slightly different implementations. Each uses the ChaCha state variables slightly differently, which leads to two slightly different implementations. Two of the differences are:
Crypto++, Botan and libsodium are arriving at different results for ChaChaTLS for the following test case, which verifies behavior around the wrap condition:
Crypto++ arrives at the following keystream (see
Botan and libsodium arrive at the following keystream (see Botan
The problem everyone is having is, RFC 7539 does not say what should happen. Crypto++ wraps the counter block (
We can't find authority to increment the nonce, and it feels like a wild memory write because it is a different object (message nonce vs block counter).
This bug report merely documents the problem. We need the RFC to say what we should do.
Also see How to handle block counter wrap in IETF's ChaCha algorithm? on the CFRG mailing list.
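To make the disagreement concrete, here is an added example that is not code from the Crypto++, Botan or libsodium projects: a plain RFC 7539 ChaCha20 block function and a keystream generator that can follow either of the two behaviours the issue describes, a pure 32-bit counter wrap with the nonce untouched, or a carry out of the counter into the first nonce word (state word 13). The choice of nonce word that receives the carry is this example's assumption. The constructed inputs are the RFC 7539 section 2.3.2 block-function test vector and a start counter of 2^32 - 1, so the second block crosses the wrap boundary.

```python
import struct

# Added example (not Crypto++, Botan or libsodium code): RFC 7539 ChaCha20
# block function plus a keystream generator with two selectable wrap policies.

MASK32 = 0xFFFFFFFF
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"


def rotl32(v, c):
    """Rotate a 32-bit word left by c bits."""
    return ((v << c) & MASK32) | (v >> (32 - c))


def quarter_round(s, a, b, c, d):
    """RFC 7539 section 2.1 quarter round, applied in place on state list s."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 7539 section 2.3 block function: 32-byte key, 32-bit block counter,
    12-byte nonce -> 64 bytes of keystream. In the IETF layout state words
    12..15 are [counter, nonce0, nonce1, nonce2]."""
    assert len(key) == 32 and len(nonce) == 12 and 0 <= counter <= MASK32
    state = list(CONSTANTS)
    state += struct.unpack("<8L", key)
    state.append(counter)
    state += struct.unpack("<3L", nonce)
    working = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds
        quarter_round(working, 0, 4, 8, 12)   # column rounds
        quarter_round(working, 1, 5, 9, 13)
        quarter_round(working, 2, 6, 10, 14)
        quarter_round(working, 3, 7, 11, 15)
        quarter_round(working, 0, 5, 10, 15)  # diagonal rounds
        quarter_round(working, 1, 6, 11, 12)
        quarter_round(working, 2, 7, 8, 13)
        quarter_round(working, 3, 4, 9, 14)
    return struct.pack("<16L", *((w + s) & MASK32 for w, s in zip(working, state)))


def keystream(key, nonce, counter, nblocks, policy):
    """Generate nblocks * 64 bytes of keystream starting at block `counter`.

    policy == "wrap":  the 32-bit counter wraps to 0 and the nonce is left
                       untouched (the behaviour the issue attributes to Crypto++).
    policy == "carry": the carry out of the counter is added into the first
                       nonce word, state word 13 (the behaviour the issue
                       attributes to Botan and libsodium; which nonce word
                       receives the carry is this example's assumption).
    """
    if policy not in ("wrap", "carry"):
        raise ValueError("policy must be 'wrap' or 'carry'")
    nonce_words = list(struct.unpack("<3L", nonce))
    out = bytearray()
    for _ in range(nblocks):
        out += chacha20_block(key, counter, struct.pack("<3L", *nonce_words))
        counter += 1
        if counter > MASK32:
            counter = 0
            if policy == "carry":
                nonce_words[0] = (nonce_words[0] + 1) & MASK32
    return bytes(out)


def compare_at_wrap(key, nonce):
    """Run both policies across the 2^32 boundary and report where they diverge."""
    ks_wrap = keystream(key, nonce, MASK32, 2, "wrap")
    ks_carry = keystream(key, nonce, MASK32, 2, "carry")
    return {
        "block_at_0xffffffff_equal": ks_wrap[:64] == ks_carry[:64],
        "block_after_wrap_equal": ks_wrap[64:] == ks_carry[64:],
        # Under "wrap" the block after the boundary is the counter-0 block of
        # the same nonce, i.e. keystream that was already used for block 0.
        "wrap_policy_reuses_counter_0": ks_wrap[64:] == chacha20_block(key, 0, nonce),
    }


# Constructed inputs: RFC 7539 section 2.3.2 block-function test vector.
RFC_KEY = bytes(range(32))
RFC_NONCE = bytes.fromhex("000000090000004a00000000")
RFC_BLOCK_1 = bytes.fromhex(
    "10f1e7e4d13b5915500fdd1fa32071c4c7d1f4c733c068030422aa9ac3d46c4e"
    "d2826446079faa0914c2d705d98b02a2b5129cd1de164eb9cbd083e8a2503c4e")


if __name__ == "__main__":
    assert chacha20_block(RFC_KEY, 1, RFC_NONCE) == RFC_BLOCK_1
    for name, value in compare_at_wrap(RFC_KEY, RFC_NONCE).items():
        print(f"{name}: {value}")
```

Both policies produce identical keystream for every block up to and including counter 0xFFFFFFFF, and diverge only on the block after it, which is exactly the gap RFC 7539 leaves open. Whichever convention an implementation follows, the practical mitigation is the same: never encrypt more than 2^32 blocks (256 GiB) under one key/nonce pair, so the boundary is never reached; under the wrap policy, going past it hands out the counter-0 keystream block a second time.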