On 2018-03-07, pet...@riseup.net <pet...@riseup.net> wrote:
> Looking at the chacha API one needs to use a nonce, in the monocypher
> implementation it is 24 bits wide, which would give the option of almost
> 17M runs with a single key. IIUC adding a salt would further randomize
> the output and possibly prevent some other forms of attacks but won't
> replace the nonce as the salt cannot be secret either.

It is actually 24 *bytes*, so 192 bits. My understanding is that the difference between ChaCha20 and XChaCha20 is the extended nonce size (ChaCha20 uses a 64-bit nonce). This is big enough to select at random and be confident there won't be a collision. See the nonce description in https://monocypher.org/manual/crypto_chacha20_init.html#DESCRIPTION
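
The collision claim in the reply above can be checked with the birthday bound. The following is an added example, not part of the original message or of Monocypher; it assumes nonces are drawn uniformly at random under a single key, and the function names are hypothetical.

```python
import math

def collision_probability(messages: int, nonce_bits: int) -> float:
    """Probability that at least two of `messages` random nonces are equal.

    Birthday approximation: p = 1 - exp(-n(n-1) / 2^(bits+1)).
    expm1 keeps precision when p is far below float epsilon.
    """
    exponent = -(messages * (messages - 1)) / 2.0 ** (nonce_bits + 1)
    return -math.expm1(exponent)

def max_messages(nonce_bits: int, risk_log2: int) -> int:
    """Largest message count per key keeping collision risk near 2^risk_log2.

    Inverts the approximation above: n ~ sqrt(-ln(1 - p) * 2^(bits+1)).
    """
    target = -math.log1p(-(2.0 ** risk_log2))
    return math.isqrt(int(target * 2 ** (nonce_bits + 1)))

if __name__ == "__main__":
    # Nonce sizes taken from the thread: 64-bit (ChaCha20 as described in
    # the reply) and 192-bit (the 24-byte XChaCha20 nonce).
    for bits in (64, 192):
        print(f"{bits}-bit random nonce")
        for log2_n in (24, 32, 48):
            p = collision_probability(2 ** log2_n, bits)
            print(f"  2^{log2_n} messages: P(collision) ~ {p:.3e}")
        budget = max_messages(bits, -32)
        print(f"  messages per key at 2^-32 risk: ~2^{math.log2(budget):.1f}")
```

With a 64-bit nonce, random selection reaches a 2^-32 collision risk after roughly 2^16.5 messages, which is why that size is normally driven by a counter; at 192 bits the same risk level is reached only after about 2^80.5 messages.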