Re: [Cfrg] Review of draft-arciszewski-xchacha-02

Laurens Van Houtven <> Tue, 18 December 2018 14:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8832B126CC7 for <>; Tue, 18 Dec 2018 06:50:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id o-JERmtuNGFX for <>; Tue, 18 Dec 2018 06:50:10 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 70078124B0C for <>; Tue, 18 Dec 2018 06:50:10 -0800 (PST)
Received: by with SMTP id w21so12992384ioc.1 for <>; Tue, 18 Dec 2018 06:50:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=lvh; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nidn/JAv9jOXJdFnWSVR7waptzclDAK2ZZkiB0q9eGQ=; b=M99lxSDa8O1rfbYA8+tqNo/vsfu44ySkmlfdpnPzY13GYGnMdaH9bZ+En0Exn9w918 N1e5FuSV5ByfgOQex6YUMO6JhMugsuQ+/pwd2TJi9ul8LLmd3OYqlNMm9OfQQvW7K+O2 LHux3lUAmbM90lOjZlwiSCAwqOCCeYGi8373V9VXWl0pUyPiZ8zyM3tA8eERtMh7pB1W MiO2qx+nL2ZCxO28U/n5R3dg68ZpzeCowvLYYZ1iiO8tO9Pic2kZelPtiYoanSxrXlj+ H3pvTGkQfuZ81B7of2YQPQ2L6U+LdnrBPM85Y24kSD7+eK1WW3AvMiw8o1IWFFpftInF kqcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nidn/JAv9jOXJdFnWSVR7waptzclDAK2ZZkiB0q9eGQ=; b=j8lvTHZoisV9gg5H06ZBmRW5Rns3bwy0wbP+hyVNq/uu5BI5b5gXIoNi1AAquE8ggN uBL203c+gqRwdKaNyKgk06oCZl9VQc7fLxP67PKq3k9fVGPp15LFXBGkegQKevmb8Tin iNmQAba2zOFKIVM7XOwZCJuoBnsMgqzouyDEkGyTBDh0o24BE/rI29YnXFDZq04F5dag p5lbOXta7nRF6FSKfE9UKQm/ayKX/g3LW4UALSoozqIFnqT7mgkwaYR3Imh6Rf4boDy9 FohgWfRpic4zR6sHesIBajkPMRU6N0cTb0XbzeOk2/pjkxJVT4/bdf5CDlo1DUmVumf0 XA9Q==
X-Gm-Message-State: AA+aEWYnlc/RqwO7OlxvNV6GfSc4E/YJGCpip2j8OkvZJ8Xi/ZQPUBEZ bYNFui4qKN36YPIqqxIma+vDEWpzmLhsXf/XAP72pQ==
X-Google-Smtp-Source: AFSGD/X4o0YI5qMVo2I+vUaiyM3IoozaoU6y8Pn0ebHPN4mpxOzAoQKq9dT4fJaa1OI3E2X/7CupYlY8j3dX3gWw5lU=
X-Received: by 2002:a6b:6309:: with SMTP id p9mr15936113iog.203.1545144609551; Tue, 18 Dec 2018 06:50:09 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Laurens Van Houtven <>
Date: Tue, 18 Dec 2018 08:49:56 -0600
Message-ID: <>
To: "Salz, Rich" <>
Cc: Neil Madden <>, "" <>
Content-Type: multipart/alternative; boundary="000000000000948405057d4d036e"
Archived-At: <>
Subject: Re: [Cfrg] Review of draft-arciszewski-xchacha-02
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 18 Dec 2018 14:50:13 -0000

Just another voice for an argument I'm sure has been made before: I agree
with the original spec, the best possible name is XChaCha20 and not
XNChaCha20 or whatever. Here's why:

- XSalsa20 already exists. "XNChaCha20" or whatever suggests that it's...
like XSalsa but with ChaCha and... whatever an N is. The N does not clarify
anything by itself; you'd have to read the spec anyway, and reading the
introductory paragraphs seems like a pretty low bar for using a
crytpographic primitive. Once you do that, you couldn't have any confusion
anymore about what's extended about this cipher. And you'd need to read
that anyway to know what the X meant in the first place :-
- A extended number of rounds wouldn't make sense for these ciphers. For
reduced rounds, that namespace already exists in e.g. Salsa20/8 (which is
Salsa20 but with 8 rounds [1]). There is no Salsa20 with more than 20
rounds because 20 rounds are already considered quite conservative; but if
you were to make a 24-round ChaCha, ChaCha20/24 would be the consistent
name for it.
- An extended key space wouldn't make sense for these ciphers, because they
already have 256 bit keys and target the security level you'd expect from
- The name XChaCha20 is already in use in the popular libsodium library[2]
-- who arrived at the same name because, well, IMO the derivation is
obvious it's much more surprising to me anyone is suggesting something else
than that someone else got at the same name via the same process :-)



On Tue, Dec 18, 2018 at 7:17 AM Salz, Rich <> wrote:

> To repeat what I said earlier, "XChaCha" is a bad name.  Can we use
> XNChaCha or something similar to show that is an extended NONCE, and not
> something like extended keysize or number of rounds?
> _______________________________________________
> Cfrg mailing list