Published on: 2019-06-17T17:13:05+00:00
In an email conversation between Elichai Turkel and Jonas Schnelli, the topic of the message sequence number for Chacha20 is discussed. Schnelli explains that the proposed AEAD in BIP324 uses a "message sequence number" as the nonce instead of a random nonce. The sequence number starts at 0 and cannot be reset without rekeying. Additionally, the maximum amount of traffic allowed before rekeying is 1GB, and there is no possibility of nonce/key reuse. While XChaCha20 allows for a random nonce, using a sequence number as a nonce is considered safe.The discussion also touches on the change from a 64-bit to a 96-bit nonce in RFC7539. Elichai suggests using the "message sequence number" as the nonce for Chacha20, which prompts a query about whether this number is randomly generated or a counter, and if it can be reset without rekeying. If the number is randomly generated, then a 64-bit nonce may not be secure enough, and it is suggested to either use Chacha20 from RFC7539, which has a 96-bit nonce and 32-bit counter, or manually increment the nonce every time. However, if the number is simply a counter, then a 64-bit nonce should suffice.This email thread emphasizes the importance of understanding nonce and its security implications when implementing cryptographic protocols.
Updated on: 2023-08-02T01:00:18.342511+00:00