version 1.1, 2013/11/21 00:45:43 |
version 1.2, 2013/12/02 02:50:27 |
|
|
the MAC. By using an independently-keyed cipher instance to encrypt the |
the MAC. By using an independently-keyed cipher instance to encrypt the |
length, an active attacker seeking to exploit the packet input handling |
length, an active attacker seeking to exploit the packet input handling |
as a decryption oracle can learn nothing about the payload contents or |
as a decryption oracle can learn nothing about the payload contents or |
its MAC (assuming key derivation, ChaCha20 and Poly1306 are secure). |
its MAC (assuming key derivation, ChaCha20 and Poly1305 are secure). |
|
|
The AEAD is constructed as follows: for each packet, generate a Poly1305 |
The AEAD is constructed as follows: for each packet, generate a Poly1305 |
key by taking the first 256 bits of ChaCha20 stream output generated |
key by taking the first 256 bits of ChaCha20 stream output generated |