rust-crypto

The RFC 7539 ChaCha20-Poly1305 AEAD construction is not implemented

Open briansmith opened this issue 10 years ago • 2 comments

The spec is https://tools.ietf.org/html/rfc7539. BoringSSL, Nettle, ring, and libsodium all implement it. Note that BoringSSL, ring, and libsodium also implement the old construction.

Differences:

  • The counter||nonce split is 32-bits||96-bits instead of 64-bits||64-bits
  • The Poly1305 tag is calculated differently, by padding the lengths of the components to 16 bytes with zeros.

briansmith, Oct 31 '15 03:10
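The two differences listed in the post above, as an added example that is not part of the original thread or of rust-crypto's code. It assumes "the old construction" means the pre-RFC TLS draft layout, in which each MAC component is followed by its own length; all function names are hypothetical and the inputs are constructed.

```rust
// Added example; function names are hypothetical, not rust-crypto's API.

/// Poly1305 input for the RFC 7539 AEAD: each component is zero-padded to a
/// 16-byte boundary, then both lengths follow as 64-bit little-endian values.
fn mac_data_rfc7539(aad: &[u8], ct: &[u8]) -> Vec<u8> {
    let mut m = Vec::new();
    for part in [aad, ct] {
        m.extend_from_slice(part);
        let pad = (16 - part.len() % 16) % 16; // 0 when already aligned
        m.resize(m.len() + pad, 0);
    }
    m.extend_from_slice(&(aad.len() as u64).to_le_bytes());
    m.extend_from_slice(&(ct.len() as u64).to_le_bytes());
    m
}

/// Poly1305 input for the older construction (assumed layout): each
/// component is followed directly by its own length, with no padding.
fn mac_data_legacy(aad: &[u8], ct: &[u8]) -> Vec<u8> {
    let mut m = Vec::new();
    for part in [aad, ct] {
        m.extend_from_slice(part);
        m.extend_from_slice(&(part.len() as u64).to_le_bytes());
    }
    m
}

/// Read a little-endian 32-bit word from `b` at byte offset `i`.
fn le32(b: &[u8], i: usize) -> u32 {
    u32::from_le_bytes([b[i], b[i + 1], b[i + 2], b[i + 3]])
}

/// Words 12..16 of the ChaCha20 state: 32-bit counter, then 96-bit nonce.
fn tail_rfc7539(counter: u32, nonce: &[u8; 12]) -> [u32; 4] {
    [counter, le32(nonce, 0), le32(nonce, 4), le32(nonce, 8)]
}

/// The same words in the original layout: 64-bit counter, then 64-bit nonce.
fn tail_legacy(counter: u64, nonce: &[u8; 8]) -> [u32; 4] {
    [counter as u32, (counter >> 32) as u32, le32(nonce, 0), le32(nonce, 4)]
}

fn main() {
    // Constructed sample inputs: 3-byte AAD, 18-byte ciphertext.
    let (aad, ct) = (b"hdr", b"0123456789abcdefXY");
    println!("rfc7539 mac input: {:02x?}", mac_data_rfc7539(aad, ct));
    println!("legacy  mac input: {:02x?}", mac_data_legacy(aad, ct));
    println!("{:08x?} {:08x?}", tail_rfc7539(1, &[0; 12]), tail_legacy(1, &[0; 8]));
}
```

The same key, AAD and ciphertext therefore give different tags under the two constructions, and an 8-byte nonce cannot be passed to an RFC 7539 implementation without deciding how the remaining 4 bytes are filled.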

I have a working implementation of the RFC 7539 ChaCha20-Poly1305 AEAD as the chacha20-poly1305-aead crate.

cesarb, Jan 31 '16 23:01

Can you explain the difference in the calculation of Poly1305 in more detail? AFAICT RFC7539 is faithful to the original Poly1305 spec in this aspect: note the bit of the example that reads

   Block = 7075
   Block with 0x01 byte = 017075

Thanks!

ciphergoth, Dec 24 '17 21:12