Comment by tptacek

1 year ago

WireGuard is an instantiation of Noise, which slightly disfavors AES-GCM (see: the spec). I don't think it's a huge big deal, but at the time WireGuard was being designed it was pretty normal to tack away from GCM.

I agree in advance; Noise already uses counter-based nonces, so the extended nonce wouldn't matter to vanilla Noise.

This has been nagging at me for a day, so just to clarify real quick:

I wanted to push back a little on the notion that Chapoly was "cool" and GCM was "lame" back in 2015-2016. At the time, GCM was coming off a pretty rough run of implementation bugs. It was the tail end of a period when a concern was that some mainstream architectures wouldn't be able to run performant constant-time GCM at all; like, the fast software GCMs had a table-driven multiplication? I forget the details.

But you could have done a secure WireGuard instantiated on AES-GCM. It's true that GCM was out of fashion and Chapoly was in fashion. I just want to say, that fashion had (has?) some real technical roots. That's all.
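The "table-driven multiplication" the comment above refers to is GHASH's multiply in GF(2^128). The example below is added here and is not code from the comment's author, from WireGuard or from any GCM library: it implements that multiply three ways (the bitwise reference from SP 800-38D, a branchless variant with the shape a constant-time implementation needs, and Shoup's 4-bit table method whose lookups are indexed by secret-dependent state) and checks all three against each other and against the published GCM test case 2 values (H, C, X1 and GHASH from the McGrew-Viega GCM spec). All function and constant names are my own.

```python
"""GHASH's GF(2^128) multiply three ways, plus GHASH itself and a known-answer check.
Added example; not from the HN comment, WireGuard, or any GCM library."""
import random

# GCM stores polynomials with the x^0 coefficient in the most significant bit of the
# 128-bit block, so "multiply by x" is a right shift; R is the reduction polynomial
# x^128 + x^7 + x^2 + x + 1 in that reflected order.
R = 0xE1 << 120
MASK128 = (1 << 128) - 1


def mulx(v):
    """v * x: shift right by one, reduce if a bit fell off the bottom."""
    return (v >> 1) ^ (R if v & 1 else 0)


def gf_mul_reference(x, h):
    """SP 800-38D Algorithm 1. Branches on the bits of x and on the LSB of v."""
    z, v = 0, h
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = mulx(v)
    return z


def gf_mul_branchless(x, h):
    """Same result, but every secret-dependent choice is an AND with a mask, not a branch.
    (Python ints are not constant-time; this shows the structure a real impl needs.)"""
    z, v = 0, h
    for i in range(128):
        bit = (x >> (127 - i)) & 1
        z ^= v & (-bit & MASK128)            # -bit is 0 or -1: all-zero or all-one mask
        lsb = v & 1
        v = (v >> 1) ^ (R & (-lsb & MASK128))
    return z


def make_tables(h):
    """Shoup's 4-bit tables: T[n] = (n << 124) * h, RED[n] = n * x^4 (n a 4-bit int)."""
    t = [gf_mul_reference(n << 124, h) for n in range(16)]
    red = []
    for n in range(16):
        v = n
        for _ in range(4):
            v = mulx(v)
        red.append(v)
    return t, red


def gf_mul_tabled(x, t, red):
    """Table-driven multiply (Horner over the 32 nibbles of x). Both tables are indexed by
    nibbles of secret-dependent values: inside GHASH, x is Y_prev ^ block, which carries the
    running hash state, so the cache lines touched leak that state on a shared CPU."""
    z = 0
    for k in range(31, -1, -1):
        z = (z >> 4) ^ red[z & 0xF]          # z *= x^4, reduction from the 4 shifted-out bits
        z ^= t[(x >> (124 - 4 * k)) & 0xF]   # add (nibble_k << 124) * h
    return z


def ghash(h, aad, ciphertext, mul=gf_mul_reference):
    """GHASH(H, A, C) per SP 800-38D: Y_i = (Y_{i-1} ^ X_i) * H over padded A, padded C, lengths."""
    def pad(b):
        return b + b"\x00" * (-len(b) % 16)
    data = (pad(aad) + pad(ciphertext)
            + (len(aad) * 8).to_bytes(8, "big") + (len(ciphertext) * 8).to_bytes(8, "big"))
    y = 0
    for i in range(0, len(data), 16):
        y = mul(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y


def ghash_tabled(h, aad, ciphertext):
    t, red = make_tables(h)
    return ghash(h, aad, ciphertext, lambda x, hh: gf_mul_tabled(x, t, red))


def implementations_agree(h, samples=64, seed=1):
    """Cross-check the three multiplies on random inputs, plus identity and commutativity."""
    rng = random.Random(seed)
    t, red = make_tables(h)
    if gf_mul_reference(1 << 127, h) != h:   # 1 << 127 is the polynomial "1"
        return False
    for _ in range(samples):
        x = rng.getrandbits(128)
        a = gf_mul_reference(x, h)
        if a != gf_mul_branchless(x, h) or a != gf_mul_tabled(x, t, red):
            return False
        if a != gf_mul_reference(h, x):
            return False
    return True


# Published values: GCM spec (McGrew & Viega) test case 2, all-zero key, one zero block.
GCM_TC2_H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
GCM_TC2_C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
GCM_TC2_X1 = 0x5E2EC746917062882C85B0685353DEB7        # C1 * H
GCM_TC2_GHASH = 0xF38CBB1AD69223DCC3457AE5B6B0F885     # GHASH(H, "", C)

if __name__ == "__main__":
    print("KAT ok:", ghash(GCM_TC2_H, b"", GCM_TC2_C) == GCM_TC2_GHASH)
    print("all three multiplies agree:", implementations_agree(GCM_TC2_H))
```

The table version is the one the comment is alluding to: it needs only 64 lookups per block instead of 128 shift-and-conditional-XOR steps, which is why it was the fast software option, but the index into `t` and `red` is a nibble of the running GHASH state, so a neighbour observing cache timing learns bits of it. The branchless version fixes that shape at the cost of the per-bit loop, which is the tension that made carry-less multiply instructions (or a different AEAD) attractive at the time.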