Hi Elichai

> About the nonce being 64bit. (rfc7539 changed it to 96bit, which djb later calls xchacha)
> 
> You suggest that we use the "message sequence number" as the nonce for Chacha20, Is this number randomly generate or is this a counter?
> And could it be reseted without rekeying?

The in BIP324 (v2 message transport protocol) proposed AEAD, ChaCha20Poly1305@Bitcoin [1], uses a „message sequence number“. There is no such thing as random nonce described in the BIP (hence the term „sequence number“). The message sequence number starts with 0 and the max traffic before a rekey must occur is 1GB. A nonce/key reuse is conceptually impossible (of course implementations could screw up at this point).

Using XChaCha20 with the possibility of a random nonce could be done, but I don’t see a reason to use it in our case since the usage of a sequence number as nonce seems perfectly save.

[1] https://gist.github.com/jonasschnelli/c530ea8421b8d0e80c51486325587c52#chacha20-poly1305bitcoin-cipher-suite