
> * A global standard

ChaCha is standard enough to make it into TLS and IPsec.

Even then, they actually used a tweaked version of ChaCha20 that uses a 96-bit nonce (just barely large enough to be suitable for randomly-generated nonces) and a 32-bit counter (limiting its use to 128GiB for a given nonce). Also, an extension XChaCha20 was recently published which performs an extra 20 rounds to initialize the cipher state, allowing for 192-bit nonces with no corresponding reduction in counter size.

So now there's three variants of ChaCha20:

  * ChaCha20 (256-bit key, 64-bit nonce, 64-bit counter)
  * IETF ChaCha20 (256-bit key, 96-bit nonce, 32-bit counter)
  * XChaCha20 (256-bit key, 192-bit nonce, 64-bit counter)
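
The three state layouts listed in the comment above, as an added example that is not part of the thread or of any library's code: one block function with the counter/nonce split made explicit, plus HChaCha20 for the XChaCha20 subkey step. Function names are chosen here for illustration, and the XChaCha20 variant shown pairs the derived subkey with the 64-bit-counter layout, as in the list above.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # state words 0..3
# Column rounds followed by diagonal rounds (one "double round").
DOUBLE_ROUND = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def rotl(x, n):
    return ((x << n) & MASK) | (x >> (32 - n))

def permute(state):
    """20 ChaCha rounds over a 16-word state, without the final addition."""
    s = list(state)
    for _ in range(10):
        for a, b, c, d in DOUBLE_ROUND:
            s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 16)
            s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 12)
            s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 8)
            s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 7)
    return s

def block(key, tail16):
    """One 64-byte keystream block; tail16 is the raw bytes of words 12..15."""
    state = SIGMA + struct.unpack("<8I", key) + struct.unpack("<4I", tail16)
    out = [(x + y) & MASK for x, y in zip(permute(state), state)]
    return struct.pack("<16I", *out)

def block_original(key, nonce8, counter):
    # Original layout: words 12-13 = 64-bit counter, words 14-15 = 64-bit nonce.
    if len(nonce8) != 8 or not 0 <= counter < 2**64:
        raise ValueError("need 8-byte nonce and 64-bit counter")
    return block(key, struct.pack("<Q", counter) + nonce8)

def block_ietf(key, nonce12, counter):
    # IETF layout: word 12 = 32-bit counter, words 13-15 = 96-bit nonce.
    # Refuse to wrap: a wrapped counter would repeat keystream under one nonce.
    if len(nonce12) != 12 or not 0 <= counter < 2**32:
        raise ValueError("need 12-byte nonce and 32-bit counter")
    return block(key, struct.pack("<I", counter) + nonce12)

def hchacha20(key, nonce16):
    """The extra 20 rounds: key + first 128 nonce bits -> 256-bit subkey."""
    s = permute(SIGMA + struct.unpack("<8I", key) + struct.unpack("<4I", nonce16))
    return struct.pack("<8I", *(s[0:4] + s[12:16]))

def block_xchacha(key, nonce24, counter):
    # Subkey from nonce[0:16]; the last 64 nonce bits use the original layout.
    if len(nonce24) != 24:
        raise ValueError("need 24-byte nonce")
    return block_original(hchacha20(key, nonce24[:16]), nonce24[16:], counter)
```

Because the layouts differ only in how words 12 to 15 are split, an IETF nonce whose first four bytes are zero yields the same block as the original layout with the remaining eight bytes as nonce, as long as the counter fits in 32 bits.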

> an extension XChaCha20 was recently published

It has? With test vectors and all? I want that, do you have a link?

I could have sworn I saw a paper on this recently. I may have hallucinated it.

Edit: Shit, considering it further, what I was remembering was the recent paper on BLAKE2X, not XChaCha20.

Yes, but that's true of all sorts of things that aren't really global standards. Don't get me wrong: you should use Salsa ciphers. I'm just trying to provide the most honest possible accounting.
