static void
init_constant(crypto_chacha_ctx *ctx)
{
- ctx->input[0] = load32_le((uint8_t*)"expa");
- ctx->input[1] = load32_le((uint8_t*)"nd 3");
- ctx->input[2] = load32_le((uint8_t*)"2-by");
- ctx->input[3] = load32_le((uint8_t*)"te k");
+ ctx->input[0] = load32_le((uint8_t*)"expa");
+ ctx->input[1] = load32_le((uint8_t*)"nd 3");
+ ctx->input[2] = load32_le((uint8_t*)"2-by");
+ ctx->input[3] = load32_le((uint8_t*)"te k");
+ ctx->pool_index = 64; // the random pool starts empty
}
static void
init_constant(ctx );
init_key (ctx, key );
init_nonce (ctx, nonce);
- ctx->pool_index = 64; // the random pool starts empty
+}
+
+void
+crypto_init_ietf_chacha20(crypto_chacha_ctx *ctx,
+ const uint8_t key[32],
+ const uint8_t nonce[12])
+{
+ init_constant(ctx);
+ init_key(ctx, key);
+ ctx->input[12] = 0;
+ ctx->input[13] = load32_le(nonce );
+ ctx->input[14] = load32_le(nonce + 4);
+ ctx->input[15] = load32_le(nonce + 8);
}
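Review bot: In crypto_init_ietf_chacha20 the block counter is reduced to the single word `input[12]`, with nonce bytes now in `input[13]`, but nothing visible here stops a stream from running past 2^32 blocks. If the block function (outside this hunk) still carries from `input[12]` into `input[13]`, as the 8-byte-nonce layout suggests, an over-long message would continue under a different nonce word and could reuse keystream that belongs to another (key, nonce) pair. The header warning alone does not prevent that; the stream code should refuse or abort when the counter would wrap on an IETF context. At minimum, state the invariant next to the assignment, e.g. `ctx->input[12] = 0; // only counter word: at most 2^32 blocks per (key, nonce)`.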
void
crypto_chacha_ctx init_ctx;
init_constant (&init_ctx );
init_key (&init_ctx, key);
- // init big nonce
+ // init big nonce (first 16 bytes)
for (int i = 0; i < 4; i++)
init_ctx.input[i + 12] = load32_le(nonce + i*4);
ctx->input[i + 4] = buffer[i ]; // constant
ctx->input[i + 8] = buffer[i + 12]; // counter and nonce
}
- init_nonce(ctx, nonce + 16);
- ctx->pool_index = 64; // the random pool starts empty
+ init_nonce(ctx, nonce + 16); // init big nonce (last 8 bytes)
}
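Review bot: In the visible tail of crypto_init_Xchacha20, `buffer` still holds the derived subkey words when the function returns, because it is read in the final loop and nothing after that loop clears it. The stack-local `init_ctx` was loaded with the caller's key through `init_key`, and no wipe of it is visible either, though lines between the nonce loop and the copy loop are not shown in this hunk. Both should be zeroed before return with a wipe the compiler cannot optimise away, so that key material does not linger on the stack. The function's signature is also outside the hunk.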
void
const uint8_t key[32],
const uint8_t nonce[8]);
-// Initializes a chacha context, with a bigger nonce (192 bits).
+// Initializes a chacha context, with a slightly bigger nonce (96 bits),
+// barely enough to be selected at random (if in doubt, don't).
//
-// It's slower than regular initialization, but that big nonce can now
-// be selected at random without fear of collision. No more complex,
-// stateful headache.
+// The price you pay for this nonce is a smaller counter, which cannot
+// handle messages biger than 128Gib.
+// WARNING: ANY MESSAGE THAT EXCEEDS 128Gib WILL SPILL ITS SECRETS.
+void
+crypto_init_ietf_chacha20(crypto_chacha_ctx *ctx,
+ const uint8_t key[32],
+ const uint8_t nonce[12]);
+
+// Initializes a chacha context, with an even bigger nonce (192 bits),
+// more than enough to be selected at random.
+//
+// The price you pay for that is a slower initialization. The security
+// guarantees are the same as regular initialization.
void
crypto_init_Xchacha20(crypto_chacha_ctx *ctx,
const uint8_t key[32],
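Review bot: The limit in the new crypto_init_ietf_chacha20 comment does not match the code it documents. A 32-bit counter starting at 0 (`ctx->input[12] = 0` in the .c file) with 64-byte blocks gives 2^32 * 64 bytes = 256 GiB, not 128, and "Gib" reads as gibibits rather than gibibytes. Suggested wording: `// handle messages bigger than 2^32 blocks (256 GiB).` and `// WARNING: PAST 256 GiB THE COUNTER WRAPS AND THE KEYSTREAM IS REUSED.`, which also fixes the "biger" typo and tells the caller what actually fails. The crypto_init_Xchacha20 declaration continues outside the hunk.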
--- /dev/null
+key: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
+nonce: 000000000000004a00000000
+text: 4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e
+cipher: 6e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0bf91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d807ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab77937365af90bbf74a35be6b40b8eedf2785e42874d
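Review bot: This vector has no counter field, yet it looks like the published IETF ChaCha20 encryption example (RFC 7539, section 2.4.2), whose ciphertext is computed from block counter 1. crypto_init_ietf_chacha20 takes no counter argument and sets `input[12] = 0`, so the test driver (not shown) has to discard the first 64-byte keystream block before comparing. Either add a `counter:` line to the record or put a comment in the driver saying why block 0 is skipped, so that a later refactor does not quietly turn this into a test against the wrong keystream offset.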