
ANNOUNCE: Nettle-3.9

From: Niels Möller
Subject: ANNOUNCE: Nettle-3.9
Date: Sun, 14 May 2023 17:28:25 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (berkeley-unix)

I'm happy to announce a new release of GNU Nettle, a low-level
cryptographic library. The release features new SIV-GCM and OCB
authenticated encryption modes, and improved performance for SHA256 and
Poly1305, among other things. See NEWS entries below.

The Nettle home page can be found at, and the manual at

The release can be downloaded from

Happy hacking,
/Niels Möller

NEWS for the Nettle 3.9 release

        This release includes bug fixes, several new features, a few
        performance improvements, and one performance regression
        affecting GCM on certain platforms.

        The new version is intended to be fully source and binary
        compatible with Nettle-3.6. The shared library names are and, with sonames and

        This release includes a rewrite of the C implementation of
        GHASH (dating from 2011), as well as the plain x86_64 assembly
        version, to use precomputed tables in a different way, with
        tables always accessed in the same sequential manner.

        This should make Nettle's GHASH implementation side-channel
        silent on all platforms, but considerably slower on platforms
        without carry-less mul instructions. E.g., benchmarks of the C
        implementation on x86_64 showed a slowdown of 3 times.

        Bug fixes:

        * Fix bug in ecdsa and gostdsa signature verify operation, for
          the unlikely corner case that point addition really is point

        * Fix for chacha on Power7, nettle's assembly used an
          instruction only available on later processors. Fixed by
          Mamone Tarsha.

        * GHASH implementation should now be side-channel silent on
          all architectures.

        * A few portability fixes for *BSD.

        New features:

        * Support for the SM4 block cipher, contributed by Tianjia

        * Support for the Balloon password hash, contributed by Zoltan

        * Support for SIV-GCM authenticated encryption mode,
          contributed by Daiki Ueno.

        * Support for OCB authenticated encryption mode.

        * New exported functions md5_compress, sha1_compress,
          sha256_compress, sha512_compress, based on patches from
          Corentin Labbe.


        * Improved sha256 performance, in particular for x86_64 and

        * Use GMP's mpn_sec_tabselect, which is implemented in
          assembly on many platforms, and delete the similar nettle
          function. Gives a modest speedup to all ecc operations.

        * Faster poly1305 for x86_64 and ppc64. New ppc code
          contributed by Mamone Tarsha.


        * New ASM_FLAGS variable recognized by configure.

        * Delete all arcfour assembly code. Affects 32-bit x86, 32-bit
          and 64-bit sparc.

        Known issues:

        * Version 6.2.1 of GNU GMP (the most recent GMP release as of
          this writing) has a known issue for MacOS on 64-bit ARM: GMP
          assembly files use the reserved x18 register. On this
          platform it is recommended to use a GMP snapshot where this
          bug is fixed, and upgrade to a later GMP release when one
          becomes available.

        * Also on MacOS, Nettle's testsuite may still break due to
          DYLD_LIBRARY_PATH being discarded under some circumstances.
          As a workaround, use

          make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)'

Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
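The GHASH rewrite and the mpn_sec_tabselect entry in the NEWS above both describe the same defensive idea: when the index into a precomputed table is secret, read every entry in the same order on every call and select the wanted one with a mask, so the memory access pattern carries no information about the index. As an added illustration (not Nettle's code, not GMP's, and not part of the original announcement), here is a minimal C version of that pattern next to the plain indexed lookup it replaces. The table geometry and contents are constructed for the example; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed table geometry for the example: 16 entries of 16 bytes each. */
#define TABLE_ENTRIES 16
#define ENTRY_BYTES   16

/* Branch-free equality mask: 0xFF when a == b, 0x00 otherwise.
   (a ^ b) is zero only when equal; subtracting 1 then borrows into the top
   bit, which is shifted down and negated into a full byte mask. */
static uint8_t eq_mask(size_t a, size_t b)
{
    uint64_t diff = (uint64_t)(a ^ b);
    return (uint8_t)(0 - (uint8_t)((diff - 1) >> 63));
}

/* Secret-dependent selection: reads only table[idx], so which cache lines
   are touched depends on idx. This is the pattern the rewrite moves away from. */
static void select_indexed(uint8_t out[ENTRY_BYTES],
                           const uint8_t table[TABLE_ENTRIES][ENTRY_BYTES],
                           size_t idx)
{
    memcpy(out, table[idx], ENTRY_BYTES);
}

/* Secret-independent selection: every entry is read, in the same order, on
   every call; a mask ANDs the wanted entry into the result and zeros all the
   others. The cost is a full pass over the table regardless of idx, which is
   the price paid for an access pattern that does not depend on the secret. */
static void select_sequential(uint8_t out[ENTRY_BYTES],
                              const uint8_t table[TABLE_ENTRIES][ENTRY_BYTES],
                              size_t idx)
{
    memset(out, 0, ENTRY_BYTES);
    for (size_t i = 0; i < TABLE_ENTRIES; i++) {
        uint8_t mask = eq_mask(i, idx);
        for (size_t j = 0; j < ENTRY_BYTES; j++)
            out[j] |= table[i][j] & mask;
    }
}

/* Fill a table with constructed, distinct contents so the two selectors
   can be compared. */
static void fill_table(uint8_t table[TABLE_ENTRIES][ENTRY_BYTES])
{
    for (size_t i = 0; i < TABLE_ENTRIES; i++)
        for (size_t j = 0; j < ENTRY_BYTES; j++)
            table[i][j] = (uint8_t)(i * 17 + j * 3 + 1);
}

/* Returns 1 if the sequential selector yields the same bytes as the indexed
   one for every index, 0 otherwise. */
static int selectors_agree(void)
{
    uint8_t table[TABLE_ENTRIES][ENTRY_BYTES];
    uint8_t a[ENTRY_BYTES], b[ENTRY_BYTES];
    fill_table(table);
    for (size_t idx = 0; idx < TABLE_ENTRIES; idx++) {
        select_indexed(a, table, idx);
        select_sequential(b, table, idx);
        if (memcmp(a, b, ENTRY_BYTES) != 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    int ok = selectors_agree();
    printf("sequential select matches indexed select: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The slowdown the NEWS mentions for platforms without carry-less multiply follows directly from this shape: the sequential selector does TABLE_ENTRIES times the memory traffic of the indexed one, and that cost is paid on every table lookup. Whether a compiler preserves the branch-free mask is worth checking in the generated assembly, which is one reason such routines are often written in assembly, as the mpn_sec_tabselect entry notes.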

