[Cryptography] XChaCha20 standardized?
Jason Cooper
cryptography at lakedaemon.net
Mon Dec 4 13:54:58 EST 2017
All,
While digging into libsodium [1] (An ISC licensed chacha20-poly1305 AEAD
crypto library), I found they recently added support for
chacha20-poly1305-ietf and xchacha20-poly1305-ietf. The difference
between the original and these two new ones being nonce size.
The original libsodium chacha20-poly1305 AEAD construction used a 64bit
nonce. When chacha20-poly1305 AEAD was formally specified in RFC 7539
[2], they used a 96bit nonce. libsodium calls this
chacha20-poly1305-ietf.
A 2008 paper by DJB, "Extending the Salsa20 nonce", described XSalsa20
with a 192bit nonce [3]. libsodium apparently applied this concept to
ChaCha20 to create XChaCha20 [4]. This seems attractive, but I'm
reluctant to deploy anything without a formal specification. So,
1) Has anyone seen a formal specification of XChaCha20 anywhere?
2) Has anyone seen a formal security analysis of XChaCha20, akin to
DJB's analysis in the XSalsa20 paper?
3) If neither the specification or the analysis exist, would it be worth
the effort to draft up an RFC?
Regardless, I'm a bit confused since libsodium chose to name it
xchacha20-poly1305-ietf. Which, to me, implies that it has been
specified by the IETF somewhere and at least formally reviewed...
thx,
Jason.
[1] https://download.libsodium.org/doc/
[2] https://tools.ietf.org/html/rfc7539
[3] https://cr.yp.to/snuffle/xsalsa-20081128.pdf
[4] https://download.libsodium.org/doc/key_derivation/index.html#nonce-extension
More information about the cryptography
mailing list