Brian Smith <br...@briansmith.org> wrote:
> This way, one Poly1305 invocation per record could be saved, potentially,
> for application_data records, which is the common case.
>

This is still true, but...

> An implementation that avoids sending encrypted alerts and avoids
> renegotiation could avoid writing code for the case where non-empty AAD is
> needed, and could share the exact same code between TLS 1.2 and TLS 1.3 for
> ChaCha20-Poly1305.
>

This isn't true, because of the Finished message. So, it is not quite as good of an idea as I thought, but still it seems like it could be worthwhile.

Cheers,
Brian
--
https://briansmith.org/
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls