All Questions
9 questions
0 votes | 1 answer | 161 views
Can the security of Salsa20/ChaCha20 be expanded to 448-bits if I fill the nonce and the Nothing-up-my-sleeve numbers with key material?
As I studied, Salsa20/ChaCha20 is basically a hash function that accepts a 64-byte input and returns an output of the same size as the input.
128-bits of the input are filled with four "Nothing-up-my-...
2 votes | 0 answers | 165 views
How are ChaCha-based ARC4Random CSPRNGs initialized and reseeded?
I'm doing a spare-time project to collect cryptographic algorithms, implement them, and lastly benchmark them.
For the CSPRNG part, I'm evaluating NIST-SP-800-90Ar1 HMAC-DRBG and CTR-DRBG (Hash-DRBG ...
3 votes | 0 answers | 211 views
Does varying ChaCha rounds add any security?
This paper introduces 'Freestyle', a randomized and variable-round version of the ChaCha cipher. It uses the concept of a hash-based halting condition, where a decryption attempt with an incorrect key ...
1 vote | 1 answer | 107 views
Storing values under different keys (e.g. during key rotation)
If you are encrypting some secrets (database passwords, access tokens, etc).
When it comes to key rotation, you'll need to store those encrypted values twice, for a short period of time (under the ...
16 votes | 3 answers | 2k views
Why is the core ChaCha primitive not good for use in a CRCF? Why create BLAKE?
Why is the core ChaCha primitive not good for use in a collision-resistant compression function (crypto hash)? Why go through the trouble to create BLAKE?
What's wrong with using the core ChaCha ...
1 vote | 0 answers | 53 views
Round counts and permutation usage for hashing for a Merkle tree
Are there any current recommendations for performant hashing in a Merkle tree?
It appears the hash based signatures in Sphincs use Blake2 everywhere (see Table 1 on page 22 of https://sphincs.cr.yp....
6 votes | 1 answer | 1k views
Would it be safe to use the message hash as the IV in ChaCha?
This seemed like an option if the hash is unpredictable.
It could be the hash of the message or the hash of the message + some common secret (apart from the key).
The only circumstance in which the ...
5 votes | 1 answer | 939 views
Can ChaCha be turned into a collision resistant hash function by xoring keystreams?
In his paper about RFSB Bernstein states that the compression function
$(m_1,\ m_2,\ m_3,\ ...\ ,\ m_n) \rightarrow c_1[m_1]\ \oplus\ c_2[m_2]\ \oplus c_3[m_3]\ \oplus\ ... \oplus\ c_n[m_n]$
is ...
4 votes | 1 answer | 988 views
Where is HChaCha20 formally defined?
I stumbled upon the Q&A “Advantages of HS1-SIV over ChaCha20-Poly1305-SIV?” which mentions “HChaCha20” in the question.
Trying to look it up via the usual research sources, I failed to find an ...