Mfcttrf

Is BitLocker useful in the case of stolen laptop?

C++ - using const reference to prolong a member of a temporary, ok or UB?

A medieval fantasy adventurer lights a torch in a 100% pure oxygen room. What happens?

What does "synoptic" mean in avionics?

How can a resurrection system prevent the cheapening of death?

Georgian capital letter “Ⴒ” (“tar”) in pdfLaTeX

Were Roman public roads build by private companies?

Are programming languages necessary/useful for operations research practitioner?

Which version of ChaCha is more secure?

How seriously should I take a CBP interview where I was told I have a red flag and could only stay for 30 days?

Can a magnet rip protons from a nucleus?

Are there take-over requests from autopilots?

Is it appropriate for a professor to require students to sign a non-disclosure agreement before being taught?

Writing a worded mathematical expression

What's the biggest organic molecule that could have a smell?

Are scroll bars dead in 2019?

How to predict the decomposition products of for example barium carbonate?

Are there any instances of members of different Hogwarts houses coupling up and marrying each other?

How do you build a Dominant 7th chord?

Which ping implementation is Cygwin using?

Dividing Divisive Divisors

Sol Ⅲ = Earth: What is the origin of this planetary naming scheme?

„nichts wie raus hier“ - explanation based on the literal meaning?

Did Picard get in trouble when he was in command of the Stargazer and lost his ship?

Which version of ChaCha is more secure?

Where are the ChaCha20 test vectors/examples?chacha20-poly1305 padding and length encodingCollision or second preimage for the ChaCha core?Symmetric encryption algorithms with large IVs and authentication?Nonce reuse resistanceWhere is HChaCha20 formally defined?Is XChaCha20-Poly1305 nonce misuse-resistant?Is streaming API to ChaCha20-Poly1305 possible or recommended against?Reason for 3 rounds ChaCha in ChaCha20Poly1305@opensshLargest message size for XChaCha20-Poly1305

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

1

1

$begingroup$

Which version of ChaCha is more secure?

XChaCha20-Poly1305-IETF

ChaCha20-IETF-Poly1305 

ChaCha20-Poly1305

I am looking for 256bit strength for large datasets.

I am having trouble disambiguating the delta between these ciphers available in libSodium.

chacha libsodium

share|improve this question

asked 8 hours ago

WoodstockWoodstock

2611010 bronze badges

$endgroup$

add a comment | 

1

1

$begingroup$

Which version of ChaCha is more secure?

XChaCha20-Poly1305-IETF

ChaCha20-IETF-Poly1305 

ChaCha20-Poly1305

I am looking for 256bit strength for large datasets.

I am having trouble disambiguating the delta between these ciphers available in libSodium.

chacha libsodium

share|improve this question

asked 8 hours ago

WoodstockWoodstock

2611010 bronze badges

$endgroup$

add a comment | 

$begingroup$

Which version of ChaCha is more secure?

XChaCha20-Poly1305-IETF

ChaCha20-IETF-Poly1305 

ChaCha20-Poly1305

I am looking for 256bit strength for large datasets.

I am having trouble disambiguating the delta between these ciphers available in libSodium.

chacha libsodium

share|improve this question

asked 8 hours ago

WoodstockWoodstock

2611010 bronze badges

$endgroup$

XChaCha20-Poly1305-IETF

ChaCha20-IETF-Poly1305 

ChaCha20-Poly1305

share|improve this question

asked 8 hours ago

WoodstockWoodstock

2611010 bronze badges

share|improve this question

asked 8 hours ago

WoodstockWoodstock

2611010 bronze badges

asked 8 hours ago

WoodstockWoodstock

2611010 bronze badges

asked 8 hours ago

WoodstockWoodstock

2611010 bronze badges

1 Answer
1

active

oldest

votes

4

$begingroup$

The only difference between these is the nonce size (and, consequently, the internal counter size). The core function is exactly the same. They all offer the exact same security level if they are used as expected.

The trade-offs are described in the AEAD section of the documentation.

XChaCha20-Poly1305-IETF is the one that has the largest nonce size. This significantly reduces the risk of reuse, since it can be randomly chosen without any practical risk of collision. This can also be leveraged to build nonce misuse-resistant schemes.

Unless you specifically need compatibility with a different implementation that doesn't support the XChaCha20 version, this is the one you want to use in virtually all cases.

XChaCha20-Poly1305-IETF is very likely to become the function used by the high-level API in a future libsodium release. Which means that other variants will not be available any longer in minimal builds.

Since your use case appears to be encrypting large messages, the higher-level secretstream API is a better fit. It uses XChaCha20-Poly1305-IETF internally.

share|improve this answer

edited 7 hours ago

answered 7 hours ago

Frank DenisFrank Denis

1,78399 silver badges77 bronze badges

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  Thanks @Frank Denis
  $endgroup$
  – Woodstock
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  we consider the IV reuse as a security risk. If they have different IV lengths how will they have the same security levels?
  $endgroup$
  – kelalaka
  1 hour ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f73220%2fwhich-version-of-chacha-is-more-secure%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

4

$begingroup$

The only difference between these is the nonce size (and, consequently, the internal counter size). The core function is exactly the same. They all offer the exact same security level if they are used as expected.

The trade-offs are described in the AEAD section of the documentation.

XChaCha20-Poly1305-IETF is the one that has the largest nonce size. This significantly reduces the risk of reuse, since it can be randomly chosen without any practical risk of collision. This can also be leveraged to build nonce misuse-resistant schemes.

Unless you specifically need compatibility with a different implementation that doesn't support the XChaCha20 version, this is the one you want to use in virtually all cases.

XChaCha20-Poly1305-IETF is very likely to become the function used by the high-level API in a future libsodium release. Which means that other variants will not be available any longer in minimal builds.

Since your use case appears to be encrypting large messages, the higher-level secretstream API is a better fit. It uses XChaCha20-Poly1305-IETF internally.

share|improve this answer

edited 7 hours ago

answered 7 hours ago

Frank DenisFrank Denis

1,78399 silver badges77 bronze badges

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  Thanks @Frank Denis
  $endgroup$
  – Woodstock
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  we consider the IV reuse as a security risk. If they have different IV lengths how will they have the same security levels?
  $endgroup$
  – kelalaka
  1 hour ago
  

  
  
  
  

add a comment | 

4

$begingroup$

The only difference between these is the nonce size (and, consequently, the internal counter size). The core function is exactly the same. They all offer the exact same security level if they are used as expected.

The trade-offs are described in the AEAD section of the documentation.

XChaCha20-Poly1305-IETF is the one that has the largest nonce size. This significantly reduces the risk of reuse, since it can be randomly chosen without any practical risk of collision. This can also be leveraged to build nonce misuse-resistant schemes.

Unless you specifically need compatibility with a different implementation that doesn't support the XChaCha20 version, this is the one you want to use in virtually all cases.

XChaCha20-Poly1305-IETF is very likely to become the function used by the high-level API in a future libsodium release. Which means that other variants will not be available any longer in minimal builds.

Since your use case appears to be encrypting large messages, the higher-level secretstream API is a better fit. It uses XChaCha20-Poly1305-IETF internally.

share|improve this answer

edited 7 hours ago

answered 7 hours ago

Frank DenisFrank Denis

1,78399 silver badges77 bronze badges

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  Thanks @Frank Denis
  $endgroup$
  – Woodstock
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  we consider the IV reuse as a security risk. If they have different IV lengths how will they have the same security levels?
  $endgroup$
  – kelalaka
  1 hour ago
  

  
  
  
  

add a comment | 

$begingroup$

The only difference between these is the nonce size (and, consequently, the internal counter size). The core function is exactly the same. They all offer the exact same security level if they are used as expected.

The trade-offs are described in the AEAD section of the documentation.

XChaCha20-Poly1305-IETF is the one that has the largest nonce size. This significantly reduces the risk of reuse, since it can be randomly chosen without any practical risk of collision. This can also be leveraged to build nonce misuse-resistant schemes.

Unless you specifically need compatibility with a different implementation that doesn't support the XChaCha20 version, this is the one you want to use in virtually all cases.

XChaCha20-Poly1305-IETF is very likely to become the function used by the high-level API in a future libsodium release. Which means that other variants will not be available any longer in minimal builds.

Since your use case appears to be encrypting large messages, the higher-level secretstream API is a better fit. It uses XChaCha20-Poly1305-IETF internally.

share|improve this answer

edited 7 hours ago

answered 7 hours ago

Frank DenisFrank Denis

1,78399 silver badges77 bronze badges

$endgroup$

share|improve this answer

edited 7 hours ago

answered 7 hours ago

Frank DenisFrank Denis

1,78399 silver badges77 bronze badges

answered 7 hours ago

Frank DenisFrank Denis

1,78399 silver badges77 bronze badges

answered 7 hours ago

Frank DenisFrank Denis

1,78399 silver badges77 bronze badges