
Adiantum: encryption for the low end - l2dy
https://lwn.net/Articles/776721/
======
AnaniasAnanas
> Two rounds of XChaCha12 are followed by an AES-256 encryption, but of just
> 16 bytes

I am not a cryptographer so I am a bit clueless on topics like this but I am
wondering, why are they doing this? Does this provide any significant benefit
to just chacha12 or chacha12 + poly1305?

~~~
coolspot
I was curious too, found answer in comments of original publication:

> Normally there is just one XChaCha12 invocation per encryption or
> decryption. There's another to derive subkeys, but that's only needed when
> setting a new key.

~~~
AnaniasAnanas
I don't understand why they use AES though.

------
nemo1618
I'd be really interested to try out a Go port of this. Given that Adiantum is
a construction built from existing primitives, should I expect that it won't
be difficult to port?

------
anomie31
What was wrong with chacha?

~~~
anomie31
Never mind, I didn't finish reading.

