Understanding Prolonged-Nonce Constructs (by learning XChaCha)

7 thoughts on “Understanding Prolonged-Nonce Constructs (by learning XChaCha)”

  1. I always enjoy reading your blog posts with my morning coffee—you’re an engaging technical writer! Keep ’em up. Academia, and most of industry, severely lacks your talents.

  2. Not exactly germane to the article (which is great, btw), but something which has come up in a few posts/comments:

    What is the nature of the overlap between DAE+nonce and MRAE-constructions?

  3. Good post, and one of the better explanations I’ve read of why HChaCha has provably equivalent security even without the final state addition.

    Relatedly, one thing I’ve never seen addressed in discussions of XChaCha that I’ve always wondered about is the significance (if any) of the fact that some of the nonce bits (128 of them) are used to generate a derived 256-bit key while the remaining 64 bits are used directly as a nonce value in the actual keystream generation. It’s not obvious how this would be problematic, but it’s interesting that the bits of the nonce are treated differently and I wonder if that results in some unexpected property.

    One example I can think of is that because HChaCha takes in 384 bits and outputs only 256 bits, there must be many values of different key and (partial) nonce inputs that generate the same HChaCha output. If you keep the remaining 64 bits of nonce the same, you could generate identical keystreams with different key+nonce values. Not obvious how you’d exploit this property, but it’s different behavior than normal ChaCha and maybe not what you’d expect from an ideal 256-bit key and 192-bit nonce stream cipher.
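Editor's added example, illustrating the structure comment 3 describes (this is not code from the post or from any XChaCha implementation it cites): a pure-Python HChaCha20 and XChaCha20 that makes the nonce split explicit. The first 16 bytes of the 24-byte nonce go through HChaCha20 together with the 256-bit key to derive a subkey; the last 8 bytes are left-padded with four zero bytes and used directly as the 96-bit nonce of ordinary IETF ChaCha20 under that subkey. The helper `nonce_split_demo` shows the consequence the comment points at: two nonces that differ only in their last 64 bits share a subkey but still produce different keystreams, because those bits enter the block function rather than the key derivation. The known-answer values are the ChaCha20 block-function vector from RFC 8439 section 2.3.2 and the HChaCha20 vector from draft-irtf-cfrg-xchacha; the demo key, nonce and message are constructed sample values.

```python
"""Editor's added example (not from the original post): HChaCha20 and XChaCha20
written out so the 128/64 split of the 192-bit nonce is visible."""

import struct

MASK32 = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"  # ChaCha constant, serialised as 4 little-endian words


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    # RFC 8439 quarter round, operating in place on the 16-word state list
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def _rounds(state, n=20):
    """Apply n rounds (column round then diagonal round per double round); returns a new list."""
    s = list(state)
    for _ in range(n // 2):
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return s


def _words(b):
    return list(struct.unpack("<%dI" % (len(b) // 4), b))


def chacha20_block(key, counter, nonce):
    """RFC 8439 ChaCha20 block function: 32-byte key, 32-bit counter, 12-byte nonce -> 64 bytes."""
    assert len(key) == 32 and len(nonce) == 12
    state = _words(SIGMA) + _words(key) + [counter & MASK32] + _words(nonce)
    out = _rounds(state)
    # Feed-forward: add the initial state back. This is exactly the step HChaCha20 omits.
    out = [(x + y) & MASK32 for x, y in zip(out, state)]
    return struct.pack("<16I", *out)


def hchacha20(key, nonce16):
    """HChaCha20: 32-byte key + 16-byte nonce -> 32-byte subkey.
    Same state layout as ChaCha20 with the nonce filling words 12..15, no feed-forward,
    and only the first and last rows of the state are output."""
    assert len(key) == 32 and len(nonce16) == 16
    state = _words(SIGMA) + _words(key) + _words(nonce16)
    out = _rounds(state)
    return struct.pack("<8I", *(out[0:4] + out[12:16]))


def xchacha20_keystream(key, nonce24, nbytes, counter=0):
    """XChaCha20 keystream: nonce[:16] derives the subkey, nonce[16:] is the ChaCha20 nonce."""
    assert len(key) == 32 and len(nonce24) == 24
    subkey = hchacha20(key, nonce24[:16])          # 128 nonce bits consumed here
    chacha_nonce = b"\x00" * 4 + nonce24[16:]      # remaining 64 bits, zero-padded to 96
    out = bytearray()
    block = counter
    while len(out) < nbytes:
        out += chacha20_block(subkey, block, chacha_nonce)
        block += 1
    return bytes(out[:nbytes])


def xchacha20_xor(key, nonce24, data, counter=0):
    """Encrypt or decrypt (same operation) by XORing with the XChaCha20 keystream."""
    ks = xchacha20_keystream(key, nonce24, len(data), counter)
    return bytes(a ^ b for a, b in zip(data, ks))


def nonce_split_demo(key, nonce24):
    """For two nonces that differ only in their last 8 bytes, return
    (subkeys_equal, keystreams_equal). Expected: (True, False)."""
    other = nonce24[:16] + bytes(b ^ 0xFF for b in nonce24[16:])
    same_subkey = hchacha20(key, nonce24[:16]) == hchacha20(key, other[:16])
    same_ks = xchacha20_keystream(key, nonce24, 64) == xchacha20_keystream(key, other, 64)
    return same_subkey, same_ks


if __name__ == "__main__":
    # Constructed sample values for the demo (not from any specification)
    key = bytes(range(0x80, 0xA0))
    nonce = bytes(range(0x40, 0x58))
    print("subkey:", hchacha20(key, nonce[:16]).hex())
    print("same subkey / same keystream for tail-only nonce change:", nonce_split_demo(key, nonce))
    ct = xchacha20_xor(key, nonce, b"constructed sample message")
    print("roundtrip ok:", xchacha20_xor(key, nonce, ct) == b"constructed sample message")
```

The known-answer checks worth running against this code are the RFC 8439 block vector (key 00..1f, counter 1, nonce 00 00 00 09 00 00 00 4a 00 00 00 00, output starting `10 f1 e7 e4 d1 3b 59 15`) and the draft's HChaCha20 vector (same key, 16-byte nonce 00 00 00 09 00 00 00 4a 00 00 00 00 31 41 59 27, subkey starting `82 41 3b 42`); with those passing, the nonce-handling code above is the only XChaCha-specific part left to read.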
