Re: [dev] security guidance

From: Michael Forney <>
Date: Thu, 8 Mar 2018 13:18:33 -0800

On 2018-03-07, <> wrote:
> Looking at the chacha API one needs to use a nonce, in the monocypher
> implementation it is 24 bits wide, which would give the option of almost
> 17M runs with a single key. IIUC adding a salt would further randomize
> the output and possibly prevent some other forms of attacks but won't
> replace the nonce as the salt cannot be secret either.

It is actually 24 *bytes*, so 192 bits. My understanding is that the
difference between ChaCha20 and XChaCha20 is the extended nonce size
(ChaCha20 uses a 64-bit nonce). This is big enough to select at random
and be confident there won't be a collision.

See the nonce description in
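The sizes discussed above (a 64-bit ChaCha20 nonce, a 192-bit XChaCha20 nonce, and the 24-bit misreading in the quoted mail) can be turned into concrete collision numbers with the birthday bound. The following is an added, stand-alone example, not code from the thread or from Monocypher; it uses only the Python standard library. The 2^-32 failure budget used by `random_nonce_is_safe` is an assumption chosen for illustration, not a figure from the message.

```python
"""Birthday-bound arithmetic for randomly chosen nonces.

Added example (not from the mailing-list thread or Monocypher). Shows why a
192-bit nonce can be picked at random per message while a 64-bit one cannot,
and how small a 24-bit space would really be.
"""
import math
import os

CHACHA20_NONCE_BITS = 64    # original ChaCha20: 8-byte nonce
XCHACHA20_NONCE_BITS = 192  # XChaCha20 (as in Monocypher): 24-byte nonce
MISREAD_NONCE_BITS = 24     # the "24 bits" misreading in the quoted mail

# Assumed failure budget for illustration: accept at most a 2^-32 chance
# that two messages under one key ever share a nonce.
DEFAULT_COLLISION_BUDGET = 2.0 ** -32


def collision_probability(nonce_bits: int, messages: int) -> float:
    """Probability that at least two of `messages` uniformly random
    nonces of `nonce_bits` bits coincide: 1 - exp(-n(n-1) / 2N).

    Uses exact integer arithmetic for n(n-1)/2N and expm1 so that tiny
    probabilities (e.g. 2^-65) are not rounded away to 0.0.
    """
    if messages < 2:
        return 0.0
    space = 1 << nonce_bits
    x = messages * (messages - 1) / (2 * space)
    return -math.expm1(-x)


def messages_for_probability(nonce_bits: int, p: float) -> int:
    """Approximate number of random nonces after which the chance of a
    collision reaches p: n ~= sqrt(2N * ln(1 / (1 - p)))."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    space = 1 << nonce_bits
    return math.isqrt(int(2 * space * -math.log1p(-p)))


def random_nonce(nonce_bits: int) -> bytes:
    """Draw a nonce from the OS CSPRNG; nonce_bits must be a byte multiple."""
    if nonce_bits % 8:
        raise ValueError("nonce size must be a whole number of bytes")
    return os.urandom(nonce_bits // 8)


def random_nonce_is_safe(nonce_bits: int, messages: int,
                         budget: float = DEFAULT_COLLISION_BUDGET) -> bool:
    """True if choosing `messages` random nonces under one key stays within
    the collision budget, i.e. random nonces are acceptable for that size."""
    return collision_probability(nonce_bits, messages) <= budget


if __name__ == "__main__":
    for label, bits in (("24-bit (misread)", MISREAD_NONCE_BITS),
                        ("ChaCha20 64-bit", CHACHA20_NONCE_BITS),
                        ("XChaCha20 192-bit", XCHACHA20_NONCE_BITS)):
        print(f"{label}: 50% collision after ~{messages_for_probability(bits, 0.5)} "
              f"random nonces")
    print("2^32 messages, 64-bit random nonces:",
          collision_probability(CHACHA20_NONCE_BITS, 2 ** 32))
    print("2^64 messages, 192-bit random nonces:",
          collision_probability(XCHACHA20_NONCE_BITS, 2 ** 64))
    print("24-byte random nonce:", random_nonce(XCHACHA20_NONCE_BITS).hex())
```

With a 64-bit nonce, about 2^32 messages already give a roughly 39% chance of a repeat, so the nonce has to be a counter or otherwise managed; with 192 bits, even 2^64 messages leave the collision probability near 2^-65, which is why selecting it at random is fine. A true 24-bit space would hit a 50% collision chance after only a few thousand random draws.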
Received on Thu Mar 08 2018 - 22:18:33 CET
