NEWS entries for Nettle-3.9.

diff --git a/NEWS b/NEWS
index 056100ebf28f9381d606811692e37b867abd01e7..2fef605c413a2bcd5db56392842b06730d0f09a6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,78 @@
+NEWS for the Nettle 3.9 release
+
+       This release includes bug fixes, several new features, a few
+       performance improvements, and one performance regression
+       affecting GCM on certain platforms.
+
+       Nettle's implementation of GHASH, the authentication mechanism
+       used for GCM, dates from 2011, and has used data-dependent
+       table lookups for performance. Those lookups imply a potential
+       side-channel leak. More recent assembly implementations of
+       GHASH that use the carry-less multiplication instruction,
+       available on certain platforms, don't suffer from this
+       problem.
+
+       This release includes a rewrite of the C implementation of
+       GHASH as well as the plain x86_64 assembly version to use
+       precomputed tables in a different way, with tables always
+       accessed in the same sequential manner.
+
+       This should make Nettle's GHASH implementation side-channel
+       silent on all platforms, but considerably slower on platforms
+       without carry-less mul instructions. E.g., benchmarks of the C
+       implementation on x86_64 showed a slowdown of 3 times.
+
+       Bug fixes:
+
+       * Fix bug in ecdsa and gostdsa signature verify operation, for
+         the unlikely corner case that point addition really is point
+         duplication.
+
+       * Fix for chacha on Power7, nettle's assembly used an
+         instruction only available on later processors. Fixed by
+         Mamone Tarsha.
+
+       * GHASH implementation should now be side-channel silent on
+         all architectures.
+
+       * A few other portability fixes for *BSD.
+
+       New features:
+
+       * Support for the SM4 block cipher, contributed by Tianjia
+          Zhang.
+
+       * Support for the Balloon password hash, contributed by Zoltan
+          Fridrich.
+
+       * Support for SIV-GCM authenticated encryption mode,
+          contributed by Daiki Ueno.
+
+       * Support for OCB authenticated encryption mode.
+
+       * New exported functions md5_compress, sha1_compress,
+         sha256_compress, sha512_compress, based on patches from
+         Corentin Labbe.
+
+       Optimizations:
+
+       * Improved sha256 performance, in particular for x86_64 and
+         s390x.
+
+       * Use GMP's mpn_sec_tabselect, which is implemented in
+         assembly on many platforms, and delete the similar nettle
+         function. Gives a modest speedup to all ecc operations.
+
+       * Faster poly1305 for x86_64 and ppc64. New ppc code
+         contributed by Mamone Tarsha.
+
+       Miscellaneous:
+
+       * New ASM_FLAGS variable recognized by configure.
+
+       * Delete all arcfour assembly code. Affects 32-bit x86, 32-bit
+         and 64-bit sparc.
+
 NEWS for the Nettle 3.8.1 release
 
        This is a bugfix release, fixing a few portability issues