> "NM" == Niels Möller writes:
NM> Does anyone else know of use or interest in 128-bit chacha keys?
Given DJB's paper¹ on parallel hardware cracking, which strongly suggests
against using 128 bit symmetric if one is concerned about well funded
adversaries, I doubt there are any.
1] IINM, I'
Stefan Bühler writes:
> The RFC explicitly supports a range of nonce sizes; I think the
> overhead of supporting them is so small that I don't see why not to
> just add it and be done with it :)
Maybe. We'd then need all of a minimum, a maximum, and a
default/recommended value. I don't think we
Stefan Bühler writes:
> My preference, if you want to have a fixed length in the name, is
> still "chacha_set_key128" and similar. Not sure about
> "chacha_128_set_key", "chacha20_128_set_key", ...
Thanks for the feedback.
> As a side note: the paper for Chacha only mentions the 256-bit key
Hi,
I probably won't convince you anymore, so feel free to ignore this :)
Anyway, I just wanted to say that
#define CHACHA128_KEY_SIZE 16
#define CHACHA256_KEY_SIZE 32
[...]
void
chacha128_set_key(struct chacha_ctx *ctx, const uint8_t *key);
void
chacha256_set_key(struct chacha_ctx *ctx, const ui
Hi,
On Thu, 13 Feb 2014 09:38:30 +0100
ni...@lysator.liu.se (Niels Möller) wrote:
> ni...@lysator.liu.se (Niels Möller) writes:
>
> > Q: Should the nonce size be fixed?
> >
> > A: Yes. Motivation: For a given key, fixed nonce size is good
> > enough for RFC 5116. It's unclear if there are use-ca
ni...@lysator.liu.se (Niels Möller) writes:
> Q: Should the nonce size be fixed?
>
> A: Yes. Motivation: For a given key, fixed nonce size is good enough for
> RFC 5116. It's unclear if there are use-cases for varying the nonce size,
> and if needed one can define separate nettle_aead object