XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305
draft-irtf-cfrg-xchacha-03
Document | Type |
Expired Internet-Draft
(cfrg RG)
Expired & archived
|
|
---|---|---|---|
Author | Scott Arciszewski | ||
Last updated | 2023-05-02 (Latest revision 2020-01-10) | ||
Replaces | draft-arciszewski-xchacha | ||
RFC stream | Internet Research Task Force (IRTF) | ||
Intended RFC status | (None) | ||
Formats | |||
Additional resources | Mailing list discussion | ||
Stream | IRTF state | Dead IRTF Document | |
Consensus boilerplate | Unknown | ||
Document shepherd | (None) | ||
IESG | IESG state | Expired | |
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
The eXtended-nonce ChaCha cipher construction (XChaCha) allows for ChaCha-based ciphersuites to accept a 192-bit nonce with similar guarantees to the original construction, except with a much lower probability of nonce misuse occurring. This helps for long running TLS connections. This also enables XChaCha constructions to be stateless, while retaining the same security assumptions as ChaCha. This document defines XChaCha20, which uses HChaCha20 to convert the key and part of the nonce into a subkey, which is in turn used with the remainder of the nonce with ChaCha20 to generate a pseudorandom keystream (e.g. for message encryption). This document also defines AEAD_XChaCha20_Poly1305, a variant of [RFC8439] that utilizes the XChaCha20 construction in place of ChaCha20.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)