[Cryptography] XChaCha20 standardized?
Tony Arcieri
bascule at gmail.com
Mon Dec 4 19:48:00 EST 2017
On Mon, Dec 4, 2017 at 10:54 AM, Jason Cooper <cryptography at lakedaemon.net>
wrote:
> While digging into libsodium [1] (An ISC licensed chacha20-poly1305 AEAD
> crypto library), I found they recently added support for
> chacha20-poly1305-ietf and xchacha20-poly1305-ietf. The difference
> between the original and these two new ones being nonce size.
>
XChaCha20 uses the HChaCha20 function to hash the longer nonce in the same
manner as XSalsa20.
This is somewhat unique to libsodium, although easily added to any other
library that has ChaCha20/HChaCha20.
> 1) Has anyone seen a formal specification of XChaCha20 anywhere?
>
> 2) Has anyone seen a formal security analysis of XChaCha20, akin to
> DJB's analysis in the XSalsa20 paper?
>
No
> 3) If neither the specification or the analysis exist, would it be worth
> the effort to draft up an RFC?
>
Sure. why not. It would be nice if there were only one version of
XChaCha20, and people don't invent a separate incompatible XChaCha20 based
on the original djb version of ChaCha20. That said, I think that may have
already happened.
Regardless, I'm a bit confused since libsodium chose to name it
> xchacha20-poly1305-ietf. Which, to me, implies that it has been
> specified by the IETF somewhere and at least formally reviewed...
This is to indicate it's using the IETF version of ChaCha20 (as opposed to
the original djb version), and NOT that it has been specified by the IETF.
--
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20171204/2f5b623d/attachment.html>
More information about the cryptography
mailing list