Author: Elichai Turkel 2019-06-17 17:13:05
Published on: 2019-06-17T17:13:05+00:00
In an email conversation, Elichai Turkel asked Jonas Schnelli about the message sequence number for ChaCha20. Schnelli replied that the proposed AEAD in BIP324 uses a "message sequence number" instead of a random nonce. The sequence number starts at 0 and can't be reset without rekeying. At most 1GB of traffic can be sent before rekeying must occur, and a nonce/key reuse is conceptually impossible. While XChaCha20 allows for a random nonce, using a sequence number as a nonce is safe. The conversation also mentioned the change from a 64-bit to a 96-bit nonce in RFC 7539.
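The nonce discipline summarized above, as an added example (not code from the email thread or from BIP324): a per-key message counter serves as the 96-bit nonce, and the counter only returns to 0 after a rekey. The 12-byte nonce layout, the SHA-256 rekey step, and reading "1GB" as 10**9 bytes are assumptions made for illustration.

```python
import hashlib
import struct

REKEY_LIMIT_BYTES = 1_000_000_000  # "1GB" from the summary, read as 10**9 bytes (assumption)

class RekeyRequired(Exception):
    """Raised when the current key's traffic budget or counter space is used up."""

class SequenceNonce:
    """Tracks the per-key message sequence number used as the AEAD nonce."""

    def __init__(self, key: bytes, limit: int = REKEY_LIMIT_BYTES):
        self.key, self.limit = key, limit
        self.seq = 0    # starts at 0 for every fresh key
        self.sent = 0   # bytes protected under the current key

    def next_nonce(self, msg_len: int) -> bytes:
        """Return the 96-bit nonce for the next message, or demand a rekey."""
        if self.sent + msg_len > self.limit or self.seq >= 2**64:
            raise RekeyRequired("rekey before sending more traffic")
        # Assumed layout: 4 zero bytes + 64-bit little-endian counter (12 bytes).
        nonce = b"\x00" * 4 + struct.pack("<Q", self.seq)
        self.seq += 1
        self.sent += msg_len
        return nonce

    def rekey(self) -> None:
        """Switch to a new key; only now may the sequence number return to 0."""
        # Placeholder derivation (assumption), not the BIP324 rekey rule.
        self.key = hashlib.sha256(b"rekey-demo" + self.key).digest()
        self.seq = 0
        self.sent = 0

def simulate(message_sizes, limit):
    """Return every (key, nonce) pair used, rekeying when the budget runs out."""
    state = SequenceNonce(b"\x11" * 32, limit)  # constructed demo key
    used = []
    for size in message_sizes:
        try:
            nonce = state.next_nonce(size)
        except RekeyRequired:
            state.rekey()
            nonce = state.next_nonce(size)
        used.append((state.key, nonce))
    return used
```

Nonce values repeat across keys (the counter restarts), but no (key, nonce) pair is ever used twice, which is the property the AEAD needs.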
Updated on: 2023-06-13T19:30:24.351498+00:00