Consider supporting wide or variable nonce width for XChaChaPoly
Intensity opened this issue · comments
Intensity commented
It looks like the XChaChaPoly cipher is setting 16 out of 24 of its nonce bytes to zero.
While this cipher may be outside the spec, there are a few options available to make use of the additional nonce bytes for those who enable the feature. For example, in stateless transport mode, allowing more than 8 bytes (64 bits) of nonce - up to the maximum.
Or, in stateful modes, either going with the wider range throughout the code, or subdividing this, so that part of the nonce is up to the user but the remaining bytes are updated independently.