XChaCha20-Poly1305 is for the case where you don't have a way to guarantee a unique nonce. How would you choose one?
-
-
Yes, that would achieve the same result.
-
If we think about it as updating DRBG state, we can see that we could invoke the hash function less by only hashing high-entropy bits…
-
…also we only have a 192-bit nonce so we're close to SHA-1 w.r.t. collisions, so better not be hashing attacker-controlled bits.
-
Also, unless one is using BLAKE2 (w/ BLAKE2 & ChaCha20 sharing code), hash + XChaCha20-Poly1305 seems expensive in multiple axes.
-
It has a cost, but the worst that can happen is getting deterministic nonces.
-
Let's say the RNG is totally broken and always spits out zero. Then two messages would use the same nonce only if the 192-bit hashes collide.
-
The probability for it to happen is negligible. And if H includes a key, offline attacks are not even an option.