commit aab8797dd74a397a26aa206aca8826ec9f954c2d
parent 01a47046b606bcdf743d749ba34ceb758015dafa
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Mon, 8 Jun 2026 19:13:18 +0200
update
Diffstat:
1 file changed, 2 insertions(+), 0 deletions(-)
diff --git a/draft-schanzen-cake.xml b/draft-schanzen-cake.xml
@@ -698,9 +698,11 @@ sn_enc = mask[0..8] XOR sn_nbo
or compatibility specifically requires it.
With ChaCha20, we would have to increment the nonce as it cannot be chosen securely at random
(not long enough).
+ We could actually still use it, and then have to stick to a suitable rekey schedule.
XChaCha20 is the generally recommended cipher for any use case and we use it.
The only downside seems to be that XChaCha20 is practically not specified anywhere
(although it can be trivially defined in this document based on HChaCha) and only really implemented in libsodium.
+ We could also use XSalsa20 which is better specified (and availiable). We use it already for GNS (EDKEY encryption).
</t>
<t>
We must define which KEM is to be used.
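Review bot: the sentence added after "(not long enough)" leaves "it" ambiguous (ChaCha20 itself, or choosing its nonce at random) and names "a suitable rekey schedule" without saying what makes a schedule suitable. State the referent and the per-key message limit the schedule has to enforce, or say that the nonce stays a counter. The second added sentence lands in a paragraph that already says "XChaCha20 is the generally recommended cipher for any use case and we use it", so the text now both commits to XChaCha20 and floats XSalsa20 without deciding between them. Mark the XSalsa20 remark as an open question or resolve it, and add a reference for the GNS EDKEY encryption it cites. Also, "availiable" should be "available".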