0
$\begingroup$

Setting all 48 ChaCha state bytes (key, nonce, initial counter) from one result of strong hash function like sha3-384 or blake2b - correct usage? or bad practice?

PS: using original chacha20 (8bytes nonce/8bytes counter) for encrypting one long file or one-way tcp stream, not multiple small files/messages.

Improve this question
$\endgroup$
9
  • $\begingroup$ Welcome to Cryptography.SE? What is the aim here? are you afraid of the 96 bit nonce and 32-bit counter? Why don't use ChaCha20 with the bundled authentication; Poly1305? Yes, xChaCha20-Poly1305 rfc-draft extends the nonce to 192 bits $\endgroup$
    – kelalaka
    Commented Sep 16, 2023 at 8:57
  • $\begingroup$ As i said, aim = encrypting one-way tcp stream (two way stream uses 2 totally different keys/nonces for Alice->Bob and Bob->Alice), or just a very long file. Original 64bit counter means i can send terabytes of data without changing key/nonce. And btw, blake3 keyed-mac even faster than Poly1305, especially with avx2/avx512 cpu instructions. $\endgroup$
    – Yuri Myakotin
    Commented Sep 16, 2023 at 9:28
  • 1
    $\begingroup$ @YuriMyakotin It's best to chunk the data, so you'd typically increment the nonce for each 16 KiB chunk of plaintext, for example. Then each stream uses a different key. You don't need a 64-bit counter. Look at the STREAM and CHAIN constructions as well as libsodium's secretstream. $\endgroup$
    – samuel-lucas6
    Commented Sep 16, 2023 at 9:35
  • $\begingroup$ chunking - yes, but is there any security reason for zeroing counter each next chunk instead of continuing, if counter is 64 (or even 128, entire "counter and nonce" part ) bit? $\endgroup$
    – Yuri Myakotin
    Commented Sep 16, 2023 at 10:24
  • $\begingroup$ @YuriMyakotin The internal counter is for the block, not chunks. ChaCha20 operates on 64 byte (512-bit) blocks, so your message is processed one block at a time internally. Most APIs don't even expose the internal counter. If you change the nonce, there's no need to keep the counter going. The counter is just there so that the output is different for each block when the same key and nonce are used. There's no security benefit to modifying the counter as well as the nonce. In fact, you're more likely to make a mistake/cause a vulnerability interacting with the counter. $\endgroup$
    – samuel-lucas6
    Commented Sep 16, 2023 at 11:32

1 Answer 1

Reset to default
1
$\begingroup$

I assume input to a hash function would be key and nonce.

I think it is ok to hash key and nonce, if you want to use bigger nonce as XChaCha does something similar to extend nonce, but I would keep counter on zero as does XChaCha.

Recommended usage would be to use XChaCha.

Improve this answer
$\endgroup$
1
  • $\begingroup$ I would also recommend just using XChaCha20. That's more efficient than using a hash function for key derivation/nonce extension, and there's no need to modify the internal counter. $\endgroup$
    – samuel-lucas6
    Commented Sep 16, 2023 at 9:31

Not the answer you're looking for? Browse other questions tagged or ask your own question.