Jonas Schnelli [ARCHIVE] on Nostr
📅 Original date posted: 2019-06-17
📝 Original message:

Hi Elichai

> About the nonce being 64bit. (rfc7539 changed it to 96bit, which djb later calls xchacha)
>
> You suggest that we use the "message sequence number" as the nonce for ChaCha20. Is this number randomly generated or is this a counter?
> And could it be reset without rekeying?

The AEAD proposed in BIP324 (v2 message transport protocol), ChaCha20Poly1305@Bitcoin [1], uses a "message sequence number". There is no such thing as a random nonce described in the BIP (hence the term "sequence number"). The message sequence number starts with 0 and the max traffic before a rekey must occur is 1GB. A nonce/key reuse is conceptually impossible (of course implementations could screw up at this point).

Using XChaCha20 with the possibility of a random nonce could be done, but I don't see a reason to use it in our case since the usage of a sequence number as nonce seems perfectly safe.

[1] https://gist.github.com/jonasschnelli/c530ea8421b8d0e80c51486325587c52#chacha20-poly1305bitcoin-cipher-suite
Published at 2023-06-07 18:18:43
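
An added example, not part of the original message or of the BIP: a simplified Python model of the scheme discussed above, where the message sequence number is the ChaCha20 nonce, starts at 0, and can only return to 0 through a rekey, which is forced once the 1GB limit is reached. It uses the original 64-bit-nonce ChaCha20 as a plain stream cipher and leaves out Poly1305 and the rest of the BIP's AEAD construction; the class name `SeqNonceCipher`, the helper `xor`, the reading of 1GB as 10**9 bytes and the caller-supplied new key are assumptions.

```python
import struct

MASK = 0xFFFFFFFF
REKEY_LIMIT = 10**9  # the "1GB" from the message, read as 10**9 bytes (assumption)
ROUNDS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
          (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def _qr(s, a, b, c, d):
    # ChaCha quarter round: four add / xor / rotate steps.
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & MASK
        t = s[z] ^ s[x]
        s[z] = ((t << r) | (t >> (32 - r))) & MASK

def chacha20_block(key, seq, counter=0):
    """Original ChaCha20 layout: 64-bit block counter, 64-bit nonce = seq."""
    init = list(struct.unpack("<4I8I", b"expand 32-byte k" + key))
    init += [counter & MASK, counter >> 32, seq & MASK, seq >> 32]
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for idx in ROUNDS:
            _qr(s, *idx)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(s, init)))

class SeqNonceCipher:
    """Hypothetical sender state: the nonce is a counter tied to the key's lifetime."""
    def __init__(self, key):
        self.rekey(key)

    def rekey(self, key):
        # Only a fresh key may bring the sequence number back to 0.
        self.key, self.seq, self.sent = key, 0, 0

    def encrypt(self, msg):
        if self.sent + len(msg) > REKEY_LIMIT or self.seq >= 2**64:
            raise RuntimeError("rekey required before sending more data")
        blocks = range((len(msg) + 63) // 64)
        ks = b"".join(chacha20_block(self.key, self.seq, i) for i in blocks)
        self.seq += 1  # one nonce per message, never reused under this key
        self.sent += len(msg)
        return bytes(m ^ k for m, k in zip(msg, ks))

def xor(a, b):
    # Byte-wise XOR, used to compare ciphertext pairs with plaintext pairs.
    return bytes(x ^ y for x, y in zip(a, b))
```

Setting `seq` back to 0 without calling `rekey` makes two ciphertexts share a keystream, so their XOR equals the XOR of the two plaintexts.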