twiss/webcrypto-modern-algos

XChaCha20-Poly1305 / AES-GCM-SIV / XAES-GCM

Opened this issue · 0 comments

(First let me express great excitement about this proposal! I don't have experience with this specific standard, but I do have experience with web specs in general in the form of the JS standard. If you're looking for help with anything please ping me.)

This provides ChaCha20-Poly1305. My understanding is that in longer-lived applications you want XChaCha20-Poly1305, which uses a longer nonce. This page lists it in the most preferred tier, above ChaCha20-Poly1305. The extended-nonce variant is a straightforward extension.

As long as I'm suggesting variant constructions with more straightforward nonce analysis, the above page also recommends AES-GCM-SIV above AES-GCM, and Filippo Valsorda recommends something he calls XAES-GCM, the latter of which is easily implementable on top of the existing AES-GCM support. This page discusses tradeoffs around AES-GCM-SIV, XAES-GCM, and various other alternatives.
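
The layering mentioned in the issue above, as an added example that is not part of the original post or of the proposal: XAES-256-GCM built from the AES-CBC and AES-GCM primitives WebCrypto already exposes, following the published XAES-256-GCM specification (C2SP). The function names `aesBlock`, `deriveKey`, `xaesSeal` and `xaesOpen` are hypothetical, and the `require` fallback is only an assumption for older Node.js runtimes that lack a global `crypto`.

```javascript
// Added example: XAES-256-GCM on top of WebCrypto AES-CBC + AES-GCM.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// One raw AES block encryption. WebCrypto has no ECB mode, so use AES-CBC
// with an all-zero IV and keep only the first ciphertext block.
async function aesBlock(cbcKey, block) {
  const out = await subtle.encrypt({ name: 'AES-CBC', iv: new Uint8Array(16) }, cbcKey, block);
  return new Uint8Array(out, 0, 16);
}

// Derive the per-message AES-256-GCM key from the first 12 bytes of the
// 24-byte nonce (CMAC-based KDF over a single full block, so subkey K1 is used).
async function deriveKey(keyBytes, nonce) {
  if (keyBytes.length !== 32 || nonce.length !== 24) {
    throw new RangeError('need a 32-byte key and a 24-byte nonce');
  }
  const cbcKey = await subtle.importKey('raw', keyBytes, 'AES-CBC', false, ['encrypt']);
  // K1 = AES(K, 0^128) shifted left by one bit, reduced with 0x87 if the top bit was set.
  const L = await aesBlock(cbcKey, new Uint8Array(16));
  const k1 = new Uint8Array(16);
  for (let i = 0; i < 16; i++) k1[i] = ((L[i] << 1) | (i < 15 ? L[i + 1] >> 7 : 0)) & 0xff;
  if (L[0] & 0x80) k1[15] ^= 0x87;
  const kx = new Uint8Array(32);
  for (const counter of [1, 2]) {
    const m = new Uint8Array(16);
    m.set([0x00, counter, 0x58, 0x00]); // counter, label 'X', separator
    m.set(nonce.subarray(0, 12), 4);    // context: first half of the nonce
    for (let i = 0; i < 16; i++) m[i] ^= k1[i];
    kx.set(await aesBlock(cbcKey, m), (counter - 1) * 16);
  }
  return subtle.importKey('raw', kx, 'AES-GCM', false, ['encrypt', 'decrypt']);
}

// Encrypt: the derived key is used with the last 12 nonce bytes as the GCM IV.
async function xaesSeal(keyBytes, nonce, plaintext, aad = new Uint8Array(0)) {
  const key = await deriveKey(keyBytes, nonce);
  const params = { name: 'AES-GCM', iv: nonce.subarray(12), additionalData: aad };
  return new Uint8Array(await subtle.encrypt(params, key, plaintext));
}

// Decrypt: rejects if the tag, nonce or associated data do not match.
async function xaesOpen(keyBytes, nonce, ciphertext, aad = new Uint8Array(0)) {
  const key = await deriveKey(keyBytes, nonce);
  const params = { name: 'AES-GCM', iv: nonce.subarray(12), additionalData: aad };
  return new Uint8Array(await subtle.decrypt(params, key, ciphertext));
}
```

Inputs are `Uint8Array`s; check the output against the test vectors in the XAES-256-GCM specification before relying on it.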