proposal: x/crypto/chacha20poly1305: add support for XChaCha20 #23885
Comments
In addition, XChaCha20 also appears to not have the message length or number restrictions that ChaCha20 does:
The version at https://godoc.org/github.com/aead/chacha20 was written by @aead who has crypto code in the standard library and /x/crypto.
Is there a strong reason why it hasn't been included in (For others' reference, https://github.com/aead/chacha20poly1305 is a full AEAD implementation using @aead's chacha20 library that supports XChaCha20.)
Broader support for XChaCha would indeed be great. A longer nonce can prevent foot-shooting with custom protocols, and XChaCha is trivial to add to an existing ChaCha implementation.
@cyphar IIRC the main focus of the C20P1305 implementation in
If this is a proposal/feature request - I think adding XC20P1305 may be useful. We may have to think about a clean API and add hchacha20 functionality. If anyone wants to send a CL - feel free to use any code of https://github.com/aead/chacha20poly1305 and https://github.com/aead/chacha20. However I cannot make any decision about proposals - so check with Adam and/or Filippo.
We tend to avoid variant proliferation in x/crypto, but an AEAD supporting random nonces is something I do eventually want in the standard library. (See also gtank/cryptopasta#14.) I guess the API would just be However, maybe we should just wait for SIV.
@FiloSottile Should this proposal be put on hold for now?
See #24885.
Typo in bug number. I believe it should be #24485.
Currently golang.org/x/crypto/chacha20poly1305 only supports the IETF ChaCha20, which has a nonce size of 96 bits. However, according to the folks from libsodium, this nonce size is too short to allow you to use random nonces.
However, XChaCha20 (which has an extended nonce size of 192 bits, but uses the same underlying construction from my non-cryptographer understanding) has a long enough nonce that random nonces are safe. Here's the quote from libsodium:
Is there any interest or plan to implement XChaCha20 support? I've found some third-party libraries, but I don't trust them as much as I'd trust golang.org/x/crypto maintainers.