The proof of security for XSalsa20 applies, without modification, to 'XChaCha20'. (It, in fact, applies equally well to X-AES, but the security strength for that is quite poor because of AES's blocksize.)
One can derive a similar result in the indifferentiabity framework, as well. (It follow straightforwardly from Coron et al.'s Chop-MD result.) - David On Fri, Apr 10, 2015 at 2:46 AM Michael Rogers <[email protected]> wrote: > On 08/04/15 16:06, David Leon Gil wrote: > > If (1), I'd suggest Scrypt(hash=HChaCha20, kdf=Shake255) > > Side question: Has HChaCha been formally described and/or proven secure? > There are various bits of code floating around on the net that apply the > HSalsa20/XSalsa20 design to ChaCha to get HChaCha/XChaCha, but does the > XSalsa20 security proof still apply? > > Cheers, > Michael > >
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
