Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-poly1305-01.txt

[Mike Hamburg <mike@shiftleft.org>]

On Mar 13, 2014, at 8:16 AM, Ted Krovetz <ted@krovetz.net> wrote:

> 
>> I guess I should change the text to say that it’s a little-endian representation of integers limited to 32 bits.
> 
> I would recommend that you never use endianess to describe integers. An integer is an integer, and endianess has only to do with cpu-memory interfacing. An integer can be read little-endian from memory, but the resulting integer is not a little-endian integer, it's just an integer.

I probably would have said "little-endian integer" too, but this suggestion is clearer.

> So, for example, the input to chacha is a 256-bit key string, 96-bit nonce string and 32-bit unsigned integer. The first thing that happens in chacha is the key and nonce are split into 32-bit unsigned integers by byte reversing each 32-bit chunk and then interpreting each 32-bit chunk as an unsigned integer. Now we're in the realm of integers, and the word endianess is never mentioned.


I don't like this, though.  Your target is software on computers that use octets, right?  In that case, the key contains 32 octets, and the nonce contains 12 octets.  The first thing that happens is that the key and nonce are split into 4-octet fields, which are then converted to unsigned 32-bit integers by interpreting them in little-endian order, that is, with least significant octet first.

On a computer that uses 32-bit unsigned integer words as the addressable unit instead of octets (eg, a DSP), the input is an 8-word key and a 3-word nonce, and there's no endian issue.  That's why it's tempting to say "little-endian integers" even though it's less clear: it specifies the input on multiple platforms simultaneously.

I say this because "interpreting each 32-bit chunk as an unsigned integer" is ambiguous.  The natural meaning is "according to the platform's endian" which is not what you want.

-- Mike