Jonas Schnelli [ARCHIVE] /
npub1nfr…dtxs
2023-06-07 18:18:43


📅 Original date posted: 2019-06-17
📝 Original message: Hi Elichai

> About the nonce being 64bit. (rfc7539 changed it to 96bit, which djb later calls xchacha)
>
> You suggest that we use the "message sequence number" as the nonce for ChaCha20, is this number randomly generated or is this a counter?
> And could it be reset without rekeying?

The AEAD proposed in BIP324 (v2 message transport protocol), ChaCha20Poly1305@Bitcoin [1], uses a „message sequence number“. There is no such thing as a random nonce described in the BIP (hence the term „sequence number“). The message sequence number starts with 0 and the max traffic before a rekey must occur is 1GB. A nonce/key reuse is conceptually impossible (of course implementations could screw up at this point).

Using XChaCha20 with the possibility of a random nonce could be done, but I don’t see a reason to use it in our case since the usage of a sequence number as nonce seems perfectly safe.

[1] https://gist.github.com/jonasschnelli/c530ea8421b8d0e80c51486325587c52#chacha20-poly1305bitcoin-cipher-suite
Author Public Key
npub1nfrrurat393mqymf3s26pujyn5vujlem3pzcukr5p9d4qpklngxq43dtxs
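
The counter-as-nonce scheme discussed in the mail, as an added Python example that is not code from the mail or from the BIP: original ChaCha20 (64-bit nonce) keyed by a per-message sequence number, with a rekey before the byte limit is crossed. `Sender`, `keystream_block`, `reuse_leak`, the SHA-256 rekey rule and the counter continuing across a rekey are assumptions made for the demonstration; the Poly1305 tag is left out and messages are limited to one 64-byte block.

```python
import hashlib
import struct

REKEY_LIMIT = 10**9  # the mail's "1GB"; the exact byte value is an assumption

def _quarter(s, a, b, c, d):
    # ChaCha quarter round: four add / xor / rotate-left steps on 32-bit words
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        v = s[z] ^ s[x]
        s[z] = ((v << r) | (v >> (32 - r))) & 0xFFFFFFFF

def keystream_block(key, seq, counter=0):
    """64 bytes of original ChaCha20 keystream; the 64-bit nonce is the sequence number."""
    init = list(struct.unpack(
        "<16I", b"expand 32-byte k" + key + struct.pack("<QQ", counter, seq)))
    s = init[:]
    for _ in range(10):  # 10 double rounds: columns, then diagonals
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter(s, *q)
    return struct.pack("<16I", *((a + b) & 0xFFFFFFFF for a, b in zip(s, init)))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Sender:
    """Nonce bookkeeping for one direction of a session (encryption only)."""
    def __init__(self, key, rekey_limit=REKEY_LIMIT):
        self.key, self.limit = key, rekey_limit
        self.seq = 0      # message sequence number, starts at 0
        self.sent = 0     # bytes encrypted under the current key
        self.pairs = []   # (key, seq) log, kept only so the demo can be checked

    def seal(self, msg):
        if len(msg) > 64:
            raise ValueError("demo encrypts a single keystream block")
        if self.sent + len(msg) > self.limit:
            # Hypothetical rekey rule (not the BIP's derivation): hash the old key.
            self.key, self.sent = hashlib.sha256(self.key).digest(), 0
        self.pairs.append((self.key, self.seq))
        stream = keystream_block(self.key, self.seq)
        self.seq += 1     # never reset here, so a (key, nonce) pair cannot repeat
        self.sent += len(msg)
        return xor(msg, stream)

def reuse_leak(key, seq, p1, p2):
    """What an implementation bug would expose: same key and nonce -> c1 ^ c2 == p1 ^ p2."""
    stream = keystream_block(key, seq)
    return xor(xor(p1, stream), xor(p2, stream))
```
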