You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The implementations for XChaCha20 and its documentation is all over the place when it comes to Draft 02 vs Draft 03. There is a very minor, but critical difference between the two revisions... the counter value used (0 vs. 1 respectively).
The documentation and code comments for XChaCha20 currently link to Draft 03.
"8 bytes (default)", "The original ChaCha20 designed by Bernstein.", "No limitations", "Max 200 000 messages"
"12 bytes", "The TLS ChaCha20 as defined in `RFC7539`_.", "256 GB", "Max 13 billions messages"
"24 bytes", "XChaCha20, still in `draft stage <https://tools.ietf.org/html/draft-arciszewski-xchacha-03>`_.", "256 GB", "No limitations"
However, when using XChaCha20, the ChaCha20 class actually internally implements Draft 02 (despite the comment referencing Draft 03). It does not increment the counter to 1 when using the ChaCha20 stream.
It appears it is up to the user of ChaCha20 to increment the counter themselves in order to adhere to Draft 03. This can be confusing when using the class and its output does not match that of other libraries.
I would make a PR, but I'm unsure the direction the maintainers would wish to take:
Change all implementations to adhere to Draft 03, and increment the counter internally (inside ChaCha20)
Update the documentation to state the base behavior is Draft 02 (updating the link), and how to adhere to Draft 03 by incrementing the counter manually
Option 1 would possibly break user's code, so I would believe Option 2 to be better. However, the unit tests would need updated as well, as they are lying.
The text was updated successfully, but these errors were encountered:
The implementations for XChaCha20 and its documentation is all over the place when it comes to Draft 02 vs Draft 03. There is a very minor, but critical difference between the two revisions... the counter value used (
0vs.1respectively).The documentation and code comments for XChaCha20 currently link to Draft 03.
pycryptodome/Doc/src/cipher/chacha20.rst
Lines 15 to 17 in a6b6ecd
However, when using XChaCha20, the
ChaCha20class actually internally implements Draft 02 (despite the comment referencing Draft 03). It does not increment the counter to 1 when using the ChaCha20 stream.pycryptodome/lib/Crypto/Cipher/ChaCha20.py
Lines 99 to 107 in a6b6ecd
The unit test vectors even refer to Draft 02 as well.
pycryptodome/test_vectors/pycryptodome_test_vectors/Cipher/wycheproof/xchacha20_poly1305_test.json
Line 22 in a6b6ecd
However, the XChaCha20-Poly1305 implementation in the class
ChaCha20_Poly1305does increment the counter, as per Draft 03.pycryptodome/lib/Crypto/Cipher/ChaCha20_Poly1305.py
Lines 69 to 72 in a6b6ecd
As does this unit test manually?
pycryptodome/lib/Crypto/SelfTest/Cipher/test_ChaCha20.py
Lines 317 to 319 in a6b6ecd
It appears it is up to the user of
ChaCha20to increment the counter themselves in order to adhere to Draft 03. This can be confusing when using the class and its output does not match that of other libraries.I would make a PR, but I'm unsure the direction the maintainers would wish to take:
ChaCha20)Option 1 would possibly break user's code, so I would believe Option 2 to be better. However, the unit tests would need updated as well, as they are lying.
The text was updated successfully, but these errors were encountered: