[messaging] HChaCha [was Secure OpenPGP Key Pair Synchronization]

David Leon Gil coruus at gmail.com
Wed Apr 22 18:01:58 PDT 2015

The proof of security for XSalsa20 applies, without modification, to
'XChaCha20'. (It, in fact, applies equally well to X-AES, but the security
strength for that is quite poor because of AES's blocksize.)

One can derive a similar result in the indifferentiabity framework, as
well. (It follow straightforwardly from Coron et al.'s Chop-MD result.)

- David
On Fri, Apr 10, 2015 at 2:46 AM Michael Rogers <michael at briarproject.org>

> On 08/04/15 16:06, David Leon Gil wrote:
> > If (1), I'd suggest Scrypt(hash=HChaCha20, kdf=Shake255)
> Side question: Has HChaCha been formally described and/or proven secure?
> There are various bits of code floating around on the net that apply the
> HSalsa20/XSalsa20 design to ChaCha to get HChaCha/XChaCha, but does the
> XSalsa20 security proof still apply?
> Cheers,
> Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150423/28f02404/attachment.html>

More information about the Messaging mailing list