XChaCha20-Poly1305 / AES-GCM-SIV / XAES-GCM
Opened this issue · 0 comments
(First let me express great excitement about this proposal! I don't have experience with this specifica standard, but I do have experience with web specs in general in the form of the JS standard. If you're looking for help with anything please ping me.)
This provides ChaCha20-Poly1305. My understanding is that in longer-lived applications you want XChaCha20-Poly1305, which uses a longer nonce. This page lists it in the most preferred tier, above ChaCha20-Poly1305. The extended-nonce variant is a straightforward extension.
As long as I'm suggesting variants constructions with more straightforward nonce analysis, the above page also recommends AES-GCM-SIV above AES-GCM, and Filippo Valsorda recommends something he calls XAES-GCM, the latter of which is easily implementable on top of the existing AES-GCM support. This page discusses tradeoffs around AES-GCM-SIV, XAES-GCM, and various other alternatives.