
Even then, they actually used a tweaked version of ChaCha20 that uses a 96-bit nonce (just barely large enough to be suitable for randomly-generated nonces) and a 32-bit counter (limiting its use to 128GiB for a given nonce). Also, an extension XChaCha20 was recently published which performs an extra 20 rounds to initialize the cipher state, allowing for 192-bit nonces with no corresponding reduction in counter size.

So now there are three variants of ChaCha20:

  * ChaCha20 (256-bit key, 64-bit nonce, 64-bit counter)
  * IETF ChaCha20 (256-bit key, 96-bit nonce, 32-bit counter)
  * XChaCha20 (256-bit key, 192-bit nonce, 64-bit counter)
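
The first two layouts in the list above, as an added example that is not part of the thread and not taken from any ChaCha20 implementation: it builds the 16-word state for the original and IETF variants and shows that the extra 32 nonce bits of the IETF layout sit in what the original layout uses as the high counter word. Function names are assumptions of this example; the sample key, nonce and counter are the inputs of the RFC 7539 section 2.3.2 test vector.

```python
import struct

MASK = 0xFFFFFFFF
CONSTANTS = list(struct.unpack("<4I", b"expand 32-byte k"))

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _qr(s, a, b, c, d):
    # One ChaCha quarter round: four add / xor / rotate steps.
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & MASK
        s[z] = _rotl(s[z] ^ s[x], r)

def _block(key, tail):
    # State: 4 constant words, 8 key words, then 4 counter/nonce words (tail).
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    state = CONSTANTS + list(struct.unpack("<8I", key)) + list(tail)
    w = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(w, state)))

def block_original(key, nonce8, counter):
    # Original layout: words 12-13 = 64-bit counter, words 14-15 = 64-bit nonce.
    if len(nonce8) != 8 or not 0 <= counter < 2**64:
        raise ValueError("need 8-byte nonce and 64-bit counter")
    return _block(key, (counter & MASK, counter >> 32) + struct.unpack("<2I", nonce8))

def block_ietf(key, nonce12, counter):
    # IETF layout: word 12 = 32-bit counter, words 13-15 = 96-bit nonce.
    if len(nonce12) != 12 or not 0 <= counter < 2**32:
        raise ValueError("need 12-byte nonce and 32-bit counter")
    return _block(key, (counter,) + struct.unpack("<3I", nonce12))

# Sample inputs: key, nonce and counter from the RFC 7539 section 2.3.2 test vector.
KEY = bytes(range(32))
NONCE12 = bytes.fromhex("000000090000004a00000000")

if __name__ == "__main__":
    ietf = block_ietf(KEY, NONCE12, 1)
    # The first IETF nonce word occupies the original layout's high counter word.
    hi = struct.unpack("<I", NONCE12[:4])[0]
    print(ietf[:16].hex(), ietf == block_original(KEY, NONCE12[4:], (hi << 32) | 1))
```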



> an extension XChaCha20 was recently published

It has? With test vectors and all? I want that, do you have a link?


I could have sworn I saw a paper on this recently. I may have hallucinated it.

Edit: Shit, considering it further, what I was remembering was the recent paper on BLAKE2X, not XChaCha20.



