David-Sarah Hopwood wrote:
> Note that with this approach, the extended nonce in XSalsa
> (http://cr.yp.to/snuffle/xsalsa-20081128.pdf) isn't really necessary.
> Using plain Salsa20/20 (even with a zero nonce, or by deriving the
> nonce in the same way as the key), might reduce implementation complexity.

Deriving the nonce in the same way as the key (and similarly the IV for AES CTR mode) is better. This can only help against cryptanalytic attacks, and is almost free in terms of performance and implementation complexity.

--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
_______________________________________________
tahoe-dev mailing list
[email protected]
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
