Hi Yoav,

I was intrigued by the idea of using these algorithms and thought I would have a go at implementing them based on the draft.

Here are some comments I have that could help clarify the descriptions for implementers.

First of all I would like to say that I was able to quickly implement the algorithms, so I think all of the details are there. What I'm going to suggest are things that will make it simpler for an implementer to pick out what they need to do and make it easier to verify the implementation.

1. The ChaCha quarter round description (2.1) is not really C code. It is a mathematical description. The steps are ordered and therefore should be numbered. The worked example is good for clarity and should use values that show up edge cases: b=0xffeeddcc, a=0x77777777. Rotate by 7 rather than 16 and it is clearer that you have rotated in the correct direction.

2. In the worked example in 2.2.1 it might be helpful to highlight the modified values using, say, a bold font if possible.

3. In section 2.3, the state and the block are mixed in together. How about separating the 'inner block' (where the quarter rounds are performed) out into its own section?

4. In section 2.3, putting the adding of the original input words into an algorithm description would help implementers 'tick off' that they have got all the parts done. Something like:

chacha20_block(key, counter, nonce):
    state = key | counter | nonce
    working_state = state
    for i=1 upto 10
        inner_block(working_state)
    state += working_state
    serialize(state)

5. In section 2.3, saying there are 20 rounds but combining the two rounds into one step is confusing. Saying explicitly that there are 10 rounds of the following 8 steps could remove the confusion.

6. In section 2.3, the whole endian thing is very confusing. Thankfully the worked example makes this clear.

7. In section 2.4, an algorithmic representation of the block counter incrementing would be helpful. Something like:

chacha20_encrypt(key, counter, nonce, plaintext):
    for counter=1 upto ceil(length of plaintext in bytes / 64)
        key_stream = chacha20_block(key, counter, nonce)
        encrypted_message += plaintext[((counter-1)*64)..(counter*64-1)] ^ key_stream

8. In section 2.4, say that a key-stream block can be XOR-ed with a plaintext block before proceeding. Implementation detail should, I think, be kept for a later section.

9. In section 2.4, a minor quibble, but copying the plaintext and ciphertext into test code is a little difficult.

10. In section 2.5, a proper algorithmic description would be nice. Something like:

clamp(r): r &= 0x0ffffffc0ffffffc0ffffffc0fffffff

poly1305_mac(msg, tag, key):
    r = clamp(le_bytes_to_num(tag))
    s = le_num(key)
    a = 0
    p = (1<<130)-5
    for i=1 upto ceil(msg length in bytes / 16)
        n = le_bytes_to_num(msg[((i-1)*16)..(i*16)] | [0x01])
        a += n
        a = (r * a) % p
    a += s
    num_to_16_le_bytes(a)

11. In section 2.6, an algorithmic description would be good too:

poly1305_key_gen(key, iv, constant):
    counter = 0

12. In section 2.8 there is a lot of text and an algorithmic description would be better. Something like:

chacha20_aead_encrypt(aad, key, iv, constant, plaintext):
    k = poly1305_key_gen(key, iv, constant)
    ciphertext = chacha20_encrypt(key, 1, constant | iv, plaintext)
    mac_data = aad | [0]*((16 - (aad.length & 15)) & 15)
    mac_data |= ciphertext | [0]*((16 - (ciphertext.length & 15)) & 15)
    mac_data |= num_to_4_le_bytes(aad.length)
    mac_data |= num_to_4_le_bytes(ciphertext.length)
    tag = poly1305_mac(mac_data, k[0..15], k[16..31])
    (ciphertext, tag)

Hope this is helpful,

Sean

--

Sean Parkinson | Consultant Software Engineer | RSA, The Security Division of EMC

Office +61 7 3032 5232 | Fax +61 7 3032 5299
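The pseudocode sketched in points 4, 7, 10, 11 and 12 above, carried through as a complete Python implementation. This is an added example, not code from Sean's message or from the draft: function names follow the email's pseudocode, the 96-bit nonce stands in for `constant | iv`, the counter argument of chacha20_encrypt is taken as the first block number (the AEAD call in point 12 passes 1), poly1305_key_gen is completed with the standard construction (the first 32 bytes of the counter-0 block), and the AEAD keeps the email's 4-byte length fields. The known-answer values are the ChaCha20 block, ChaCha20 encryption and Poly1305 test vectors of RFC 7539, which the draft under discussion became; the AEAD output is not checked against the RFC because the RFC's final construction uses 8-byte length fields.

```python
import struct

MASK32 = 0xFFFFFFFF


def rotl32(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK32


def quarter_round(s, a, b, c, d):
    # The four ordered steps of point 1, applied in place to state words.
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def inner_block(s):
    # Point 5: one of the 10 rounds = 4 column + 4 diagonal quarter rounds.
    quarter_round(s, 0, 4, 8, 12)
    quarter_round(s, 1, 5, 9, 13)
    quarter_round(s, 2, 6, 10, 14)
    quarter_round(s, 3, 7, 11, 15)
    quarter_round(s, 0, 5, 10, 15)
    quarter_round(s, 1, 6, 11, 12)
    quarter_round(s, 2, 7, 8, 13)
    quarter_round(s, 3, 4, 9, 14)


def chacha20_block(key, counter, nonce):
    # Point 4: state = constants | key | counter | nonce (little-endian words),
    # 10 inner blocks on a working copy, then add the original input words.
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("key must be 32 bytes and nonce 12 bytes")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8I", key))
    state += [counter & MASK32] + list(struct.unpack("<3I", nonce))
    working_state = list(state)
    for _ in range(10):
        inner_block(working_state)
    state = [(x + y) & MASK32 for x, y in zip(state, working_state)]
    return struct.pack("<16I", *state)  # serialize(state)


def chacha20_encrypt(key, counter, nonce, plaintext):
    # Point 7: one key-stream block per 64-byte chunk, counter advancing by 1.
    out = bytearray()
    for j in range((len(plaintext) + 63) // 64):
        key_stream = chacha20_block(key, counter + j, nonce)
        chunk = plaintext[j * 64:(j + 1) * 64]
        out += bytes(p ^ k for p, k in zip(chunk, key_stream))
    return bytes(out)


def clamp(r):
    return r & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def poly1305_mac(msg, key):
    # Point 10: r is the clamped first half of the 32-byte key, s the second.
    r = clamp(int.from_bytes(key[:16], "little"))
    s = int.from_bytes(key[16:], "little")
    a = 0
    p = (1 << 130) - 5
    for i in range((len(msg) + 15) // 16):
        block = msg[i * 16:(i + 1) * 16]
        n = int.from_bytes(block + b"\x01", "little")  # 0x01 follows the block
        a = (r * (a + n)) % p
    a = (a + s) & ((1 << 128) - 1)  # s is added once, after the loop
    return a.to_bytes(16, "little")


def poly1305_key_gen(key, nonce):
    # Point 11, completed: the one-time key is the first 32 bytes of the
    # block with counter = 0 (the standard construction, assumed here).
    return chacha20_block(key, 0, nonce)[:32]


def pad16(data):
    return data + b"\x00" * ((16 - (len(data) & 15)) & 15)


def chacha20_aead_encrypt(aad, key, nonce, plaintext):
    # Point 12 as written in the email: padded aad, padded ciphertext,
    # then 4-byte little-endian lengths of each.
    k = poly1305_key_gen(key, nonce)
    ciphertext = chacha20_encrypt(key, 1, nonce, plaintext)
    mac_data = pad16(aad) + pad16(ciphertext)
    mac_data += len(aad).to_bytes(4, "little") + len(ciphertext).to_bytes(4, "little")
    return ciphertext, poly1305_mac(mac_data, k)


def known_answer_checks():
    # RFC 7539 test vectors (block function 2.3.2, encryption 2.4.2, MAC 2.5.2).
    key = bytes(range(32))
    block = chacha20_block(key, 1, bytes.fromhex("000000090000004a00000000"))
    ok = block[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")
    nonce = bytes.fromhex("000000000000004a00000000")
    ct = chacha20_encrypt(key, 1, nonce, b"Ladies and Gentlemen of the class of '99")
    ok = ok and ct[:16] == bytes.fromhex("6e2e359a2568f98041ba0728dd0d6981")
    mkey = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                         "0103808afb0db2fd4abff6af4149f51b")
    tag = poly1305_mac(b"Cryptographic Forum Research Group", mkey)
    return ok and tag == bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


if __name__ == "__main__":
    print("known-answer checks:", "pass" if known_answer_checks() else "FAIL")
```

The two ordering points that the flattened pseudocode in the email leaves ambiguous are made explicit here: the 0x01 byte is appended after each message block before conversion, and the addition of s happens once after the loop rather than inside it. Padding lengths are computed exactly as point 12 writes them, `(16 - (len & 15)) & 15`, so a block-aligned input gets no padding.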