committed - thanks On Sun, 1 Dec 2013, Jon Cave wrote: > There is a small typo in the new protocol document where it mistakenly > references "Poly1306". > > - Jon > > Index: usr.bin/ssh/PROTOCOL.chacha20poly1305 > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/PROTOCOL.chacha20poly1305,v > retrieving revision 1.1 > diff -u -r1.1 PROTOCOL.chacha20poly1305 > --- usr.bin/ssh/PROTOCOL.chacha20poly1305 21 Nov 2013 00:45:43 -0000 1.1 > +++ usr.bin/ssh/PROTOCOL.chacha20poly1305 1 Dec 2013 14:15:21 -0000 > @@ -47,7 +47,7 @@ > the MAC. By using an independently-keyed cipher instance to encrypt the > length, an active attacker seeking to exploit the packet input handling > as a decryption oracle can learn nothing about the payload contents or > -its MAC (assuming key derivation, ChaCha20 and Poly1306 are secure). > +its MAC (assuming key derivation, ChaCha20 and Poly1305 are secure). > > The AEAD is constructed as follows: for each packet, generate a Poly1305 > key by taking the first 256 bits of ChaCha20 stream output generated > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >
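Review bot: the single changed line in the @@ -47,7 +47,7 @@ hunk fixes one occurrence of "Poly1306", but nothing visible in the diff shows whether the misspelling appears elsewhere in PROTOCOL.chacha20poly1305. Searching the whole file for "1306" would confirm none remain. The replacement itself is consistent with the "generate a Poly1305 key" wording in the trailing context lines.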