All Questions
29 questions
2 votes, 2 answers, 109 views
Can you use ChaCha20 as one-time pad?
My knowledge of cryptography is nothing beyond basic, so I am by no means an expert, but I do know a bit of undergraduate mathematics including number theory.
I know that stream ciphers like ChaCha20 is ...
0 votes, 0 answers, 442 views
Nonces in chacha20poly1305 vs chacha20
I'm currently working on replacing the chacha20 encryption in my app with chacha20poly1305, but I'm running into a few questions that I can't seem to find clear answers to, mainly stemming from the ...
1 vote, 0 answers, 248 views
xChaCha20 Block Keys for Poly1305
So xChaCha20 has a nonce size large enough to safely use a random nonce with the same key. Poly1305 generally uses the first block of the cipher's output to generate its nonce. For xChaCha20 it would ...
0 votes, 1 answer, 3k views
How to choose between AES256-GCM, XSalsa20Poly1305 and XChaCha20Poly1305?
In libsodium, there are 3 symmetric encryption (stream cipher) which are AES256-GCM (Hardware-accelerated), XSalsa20Poly1305 and XChaCha20Poly1305 (uncertain which version of libsodium add support to ...
1 vote, 0 answers, 78 views
Impact of partitioning oracle attacks on file encryption?
I've just learned about partitioning oracle attacks recently, and I would like to clarify some things that are a little foggy to me right now.
According to this thread,
The aim is the recovery of a ...
1 vote, 0 answers, 290 views
Implement deterministic authenticated encryption using libsodium
Note: this is my first question on stack exchange, let me know if you miss some details to answer and I will edit the question accordingly
Context
I'm willing to create a git encryption tool (...
2 votes, 2 answers, 410 views
Can I use ChaCha20-Poly1305 as my KDF?
I have two devices that use a PSK. One is embedded and extremely resource confined. I'm already using ChaCha20-Poly1305 so it would be "free" to reuse this. There is no transport encryption ...
2 votes, 1 answer, 586 views
How to increase Poly1305 performance?
I was analysing the ChaCha20 algorithm and the Poly1305 MAC generation from RFC 7539.
It seems that ChaCha20 is quite a bit faster compared to AES on CPUs without hardware support like AES-NI.
But ...
8 votes, 3 answers, 3k views
What should the nonce value be for client-side encryption?
I am using the following chacha20poly1305 Rust library to encrypt some data in a desktop application. The user provides the key, which never leaves their device, to locally encrypt some data, and then ...
2 votes, 1 answer, 1k views
Why is it secure to reuse key and nonce in ChaCha20-Poly1305 AEAD construction?
While looking at the ChaCha20 and Poly1305 AEAD construction as defined by RFC 8439, more precisely its use of the key and the nonce, I came up with the questions below. Maybe someone with some in-...
3 votes, 0 answers, 371 views
Why are integers considered "little endian" in ChaCha20 function?
Why does the ChaCha20-IETF algorithm, which generates a 512-bit keystream per 32-bit counter (that gets incremented), consider "the input words" that form the internal state as little endian? ...
1 vote, 1 answer, 473 views
Poly1305 Key for MAC generation
I just went through https://www.rfc-editor.org/rfc/rfc7539#section-2.6 (sections 2.5 and 2.6). There it is described how to generate one-time Poly1305 keys using the ChaCha20 block function (for this ...
5 votes, 2 answers, 554 views
Append data to authenticated ciphertext encrypted using a stream cipher
Say we have xSalsa20 authenticated using Poly1305. If $ X $ is the ciphertext, $N$ is the nonce value, and $H$ is the authentication tag such that the final ciphertext is $ N || X || H $, then given ...
4 votes, 3 answers, 2k views
Largest message size for XChaCha20-Poly1305
libsodium documentation says that XChaCha20-Poly1305 can encrypt a message of arbitrary size.
However, the only specification available (still a draft) explains that under the hood the IETF version of ...
6 votes, 1 answer, 1k views
Does ChaCha20-Poly1305 need random nonce?
RFC 7539 says:
A 96-bit nonce -- different for each invocation with the same key
It doesn't explicitly say whether it has to be random or not. If we use an ever-incrementing counter, would that be ...