Hi Elichai

> About the nonce being 64bit. (rfc7539 changed it to 96bit, which djb later 
> calls xchacha)
> 
> You suggest that we use the "message sequence number" as the nonce for
> Chacha20. Is this number randomly generated or is this a counter?
> And could it be reset without rekeying?

The AEAD proposed in BIP324 (v2 message transport protocol),
ChaCha20Poly1305@Bitcoin [1], uses a "message sequence number". There is no
such thing as a random nonce described in the BIP (hence the term "sequence
number"). The message sequence number starts with 0, and the max traffic before
a rekey must occur is 1GB. A nonce/key reuse is conceptually impossible (of
course implementations could screw up at this point).

Using XChaCha20 with the possibility of a random nonce could be done, but I
don't see a reason to use it in our case since the usage of a sequence number
as nonce seems perfectly safe.

[1] https://gist.github.com/jonasschnelli/c530ea8421b8d0e80c51486325587c52#chacha20-poly1305bitcoin-cipher-suite
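As an added illustration (not code from the BIP, the linked gist or Bitcoin Core), the following models the nonce discipline described above: the original 64-bit-nonce ChaCha20 block function, with the 64-bit message sequence number used directly as the nonce, starting at 0, and a hard stop at the rekey limit. The Poly1305 tag is omitted, the rekey procedure itself is not modelled, and reading "1GB" as 2**30 bytes is this example's assumption.

```python
import struct

MASK = 0xFFFFFFFF
REKEY_LIMIT = 1 << 30  # the mail says "1GB"; 2**30 bytes is an assumption of this example

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    """One 64-byte keystream block of original ChaCha20 (64-bit nonce, 64-bit
    block counter): constants | key (8 words) | counter (2 words) | nonce (2 words)."""
    state = list(struct.unpack('<4I', b'expand 32-byte k'))
    state += struct.unpack('<8I', key)
    state += struct.unpack('<2I', struct.pack('<Q', counter))
    state += struct.unpack('<2I', nonce)
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack('<16I', *[(x + y) & MASK for x, y in zip(w, state)])

def chacha20_xor(key, nonce, data):
    """Encrypt or decrypt `data` with the keystream for (key, nonce), block counter from 0."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, off // 64)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

class SequenceNonceStream:
    """One direction of a session: the nonce is the 64-bit message sequence
    number, starting at 0 and incremented per message. Nothing is random, so a
    (key, nonce) pair cannot repeat unless the key itself is reused."""
    def __init__(self, key):
        self.key, self.seq, self.traffic = key, 0, 0

    def encrypt(self, plaintext):
        # Refuse to continue past the traffic limit: the caller must rekey first.
        if self.traffic + len(plaintext) > REKEY_LIMIT:
            raise RuntimeError("rekey required before more traffic may be sent")
        nonce = struct.pack('<Q', self.seq)  # the sequence number is the nonce
        self.seq += 1
        self.traffic += len(plaintext)
        return nonce, chacha20_xor(self.key, nonce, plaintext)
```

The zero-key, zero-nonce keystream block matches the published ChaCha20 test vector, and two encryptions of the same plaintext in one session carry distinct nonces by construction.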


_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
