[messaging] HChaCha [was Secure OpenPGP Key Pair Synchronization]
David Leon Gil
coruus at gmail.com
Wed Apr 22 18:01:58 PDT 2015
The proof of security for XSalsa20 applies, without modification, to
'XChaCha20'. (It, in fact, applies equally well to X-AES, but the security
strength for that is quite poor because of AES's blocksize.)
One can derive a similar result in the indifferentiabity framework, as
well. (It follow straightforwardly from Coron et al.'s Chop-MD result.)
On Fri, Apr 10, 2015 at 2:46 AM Michael Rogers <michael at briarproject.org>
> On 08/04/15 16:06, David Leon Gil wrote:
> > If (1), I'd suggest Scrypt(hash=HChaCha20, kdf=Shake255)
> Side question: Has HChaCha been formally described and/or proven secure?
> There are various bits of code floating around on the net that apply the
> HSalsa20/XSalsa20 design to ChaCha to get HChaCha/XChaCha, but does the
> XSalsa20 security proof still apply?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Messaging