Commit ede524e5 authored by Daiki Ueno, committed by Niels Möller

doc: match ChaCha-Poly1305 documentation to the implementation

While the documentation said the nonce size is 8 octets, the
implementation actually assumed 12 octets following RFC 7539.
Signed-off-by: Daiki Ueno <>
parent 2176ccc1
......@@ -3325,15 +3325,10 @@ poly1305 message authentication code (@pxref{Poly1305}). It originates
from the NaCl cryptographic library by D. J. Bernstein et al, which
defines a similar construction but with Salsa20 instead of ChaCha.
Nettle's implementation ChaCha-Poly1305 should be considered
@strong{experimental}. At the time of this writing, there is no
authoritative specification for ChaCha-Poly1305, and a couple of
different incompatible variants. Nettle implements it using the original
definition of ChaCha, with 64 bits (8 octets) each for the nonce and the
block counter. Some protocols prefer to use nonces of 12 bytes, and it's
a small change to ChaCha to use the upper 32 bits of the block counter
as a nonce, instead limiting message size to @math{2^32} blocks or 256
GBytes, but that variant is currently not supported.
Nettle's implementation of ChaCha-Poly1305 follows @cite{RFC 8439},
where the ChaCha cipher is initialized with a 12-byte nonce and a 4-byte
block counter. This allows up to 256 gigabytes of data to be encrypted
using the same key.
For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256
bits, and a per-message nonce. The first block of the key stream
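Review bot: The added sentence "This allows up to 256 gigabytes of data to be encrypted using the same key" states the limit per key, but a 4-byte block counter bounds a single message, that is, one key and nonce pair. The removed text had this right with "limiting message size to @math{2^32} blocks or 256 GBytes". Suggest rewording to something like "This allows up to 256 gigabytes of data to be encrypted in a single message", so that readers do not take it as a rekeying threshold. Separately, the commit message cites RFC 7539 while the new text cites @cite{RFC 8439}; RFC 8439 obsoletes RFC 7539, so the text is fine, but the two should name the same document.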
......@@ -3362,7 +3357,7 @@ ChaCha-Poly1305 key size, 32.
@end defvr
@defvr Constant CHACHA_POLY1305_NONCE_SIZE
Same as the ChaCha nonce size, 16.
ChaCha-Poly1305 nonce size, 12.
@end defvr
@defvr Constant CHACHA_POLY1305_DIGEST_SIZE
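Review bot: The commit message says the documentation gave the nonce size as 8 octets, but the line replaced under CHACHA_POLY1305_NONCE_SIZE read "Same as the ChaCha nonce size, 16", so the message does not describe this hunk accurately; the 8-octet statement was in the paragraph changed by the first hunk. In the new line "ChaCha-Poly1305 nonce size, 12." the link to the underlying cipher is dropped and no unit is given. Suggest stating the unit (octets, as the commit message does) and tying the value to the 12-byte nonce described in the RFC 8439 paragraph, so a reader sizing a nonce buffer from this entry alone gets the full picture.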