Switch to ChaCha20 for symmetric encryption about halite HOT 6 CLOSED

XChaCha20 has a 192-bit nonce instead of a 96-bit nonce, which changes the risk of random nonce collision to "roughly one in a billion after a few billion messages" to "virtually never".

from halite.

do you know if switching from XSalsa20 to ChaCha20 in halite code is as simple as just replacing encrypt / decrypt / generating key / constants for nonces etc, and keep the key derivation & authentication just like it is already coded?

We generally don't recommend making changes to Halite. We're already planning on switching the stream cipher in v5.

from halite.

We aren't going to ever switch to ChaCha20. We might switch to XChaCha20.

We're investigating other changes for Halite 5, which will almost certainly stop using Xsalsa20 and target PHP 8.1 and newer.

from halite.

Thank you for your answer. Any reason to choose XChaCha20 against ChaCha20?

from halite.

OK thank you for those explanations.

Anyway, as I'm working for a project that must follow the guide I initially posted in this thread, I must encrypt my app data using ChaCha20 and I didn't find other serious high level crypto library in PHP that would do this "the good way" (except using AES implementation by defuse but it is faaaar slower that halite symmetric encryption using XSalsa20 (more that 700 times slower) or my modified version using ChaCha20).

As you seem to have knowledge @paragonie-security , do you know if switching from XSalsa20 to ChaCha20 in halite code is as simple as just replacing encrypt / decrypt / generating key / constants for nonces etc, and keep the key derivation & authentication just like it is already coded?

I could perhaps post a PR (which obviously would not be accepted as it is not planned for halite to switch to ChaCha20) in this "issue" in order to better illustrate what I did?

from halite.

Done in #176 :)

from halite.