The RFC 7539 ChaCha20-Poly1305 AEAD construction is not implemented

DaGenix / rust-crypto

A (mostly) pure-Rust implementation of various cryptographic algorithms.

Apache License 2.0

1.39k stars 297 forks source link

The RFC 7539 ChaCha20-Poly1305 AEAD construction is not implemented #328

Open briansmith opened 9 years ago

briansmith commented 9 years ago

The spec is https://tools.ietf.org/html/rfc7539. BoringSSL, Nettle, ring, and libsodium all implement it. Note that BoringSSL, ring, and libsodium also implement the old construction.

Differences:

The counter||nonce split is 32-bits||96-bits instead of 64-bits||64-bits
The Poly1305 tag is calculated differently, by padding the lengths of the components to 16 bytes with zeros.

cesarb commented 8 years ago

I have a working implementation of the RFC 7539 ChaCha20-Poly1305 AEAD as the chacha20-poly1305-aead crate.

ciphergoth commented 6 years ago

Can you explain the difference in the calculation of Poly1305 in more detail? AFAICT RFC7539 is faithful to the original Poly1305 spec in this aspect: note the bit of the example that reads

   Block = 7075
   Block with 0x01 byte = 017075

Thanks!