XChaCha20-Poly1305 is for the case where you don't have a way to guarantee a unique nonce. How would you choose one?
Let's say RNG is totally broken and always spits out zero. Then two messages would use the same nonce if 192-bit hashes collide.
The probability for it to happen is negligible. And if H includes a key, offline attacks are not even an option.
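The nonce-from-a-hash idea discussed above, as an added example that is not from the thread: a keyed BLAKE2b hash of the message (plus whatever the RNG produced, even all zeros) yields the 192-bit XChaCha20 nonce, and a birthday-bound helper puts a number on the collision probability. The hash choice, the nonce key and the sample messages are assumptions of this example; the XChaCha20-Poly1305 encryption step itself is not shown.

```python
import hashlib

NONCE_BYTES = 24  # XChaCha20-Poly1305 takes a 192-bit nonce


def derive_nonce(nonce_key: bytes, message: bytes, rng_output: bytes = b"") -> bytes:
    """Derive the 192-bit nonce as a keyed hash H(key, rng_output, message).

    nonce_key is a secret distinct from the encryption key; keying H is what
    rules out offline collision grinding. rng_output may be all zeros (the
    broken-RNG case); the message still drives the nonce. BLAKE2b stands in
    for the generic keyed hash H (an assumption of this example).
    """
    if len(nonce_key) < 16:
        raise ValueError("nonce key too short")
    h = hashlib.blake2b(digest_size=NONCE_BYTES, key=nonce_key)
    # Length-prefix the RNG field so the (rng, message) split is unambiguous.
    h.update(len(rng_output).to_bytes(8, "little"))
    h.update(rng_output)
    h.update(message)
    return h.digest()


def collision_probability(n_messages: int, nonce_bits: int = 8 * NONCE_BYTES) -> float:
    """Birthday bound p ~ n^2 / 2^(bits+1) that two of n nonces collide."""
    return n_messages * n_messages / 2.0 ** (nonce_bits + 1)


def demo() -> dict:
    """Constructed inputs: an RNG that is stuck at zero, two distinct messages."""
    key = bytes(range(32))          # constructed secret nonce key
    zero_rng = bytes(NONCE_BYTES)   # RNG output stuck at zero
    n1 = derive_nonce(key, b"transfer 10 EUR", zero_rng)
    n2 = derive_nonce(key, b"transfer 10 EUR", zero_rng)
    n3 = derive_nonce(key, b"transfer 11 EUR", zero_rng)
    return {
        "nonce_len": len(n1),
        # Deterministic: a repeated message gives a repeated nonce and thus a
        # repeated ciphertext, which reveals only that the message repeated.
        "same_message_same_nonce": n1 == n2,
        "different_message_different_nonce": n1 != n3,
        "p_collision_2^64_msgs": collision_probability(2**64),  # 2^-65
    }
```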