Thanks, I just couldn't find where is the message sequence number comes from. So if it's max 1GB and it's an incremental counter that cannot be reseted without a rekeying than it's perfectly fine :). Thanks for the answer! On Mon, Jun 17, 2019 at 12:20 PM Jonas Schnelli wrote: > Hi Elichai > > > About the nonce being 64bit. (rfc7539 changed it to 96bit, which djb > later calls xchacha) > > > > You suggest that we use the "message sequence number" as the nonce for > Chacha20, Is this number randomly generate or is this a counter? > > And could it be reseted without rekeying? > > The in BIP324 (v2 message transport protocol) proposed AEAD, > ChaCha20Poly1305@Bitcoin [1], uses a „message sequence number“. There is > no such thing as random nonce described in the BIP (hence the term > „sequence number“). The message sequence number starts with 0 and the max > traffic before a rekey must occur is 1GB. A nonce/key reuse is conceptually > impossible (of course implementations could screw up at this point). > > Using XChaCha20 with the possibility of a random nonce could be done, but > I don’t see a reason to use it in our case since the usage of a sequence > number as nonce seems perfectly save. > > [1] > https://gist.github.com/jonasschnelli/c530ea8421b8d0e80c51486325587c52#chacha20-poly1305bitcoin-cipher-suite > -- PGP: 5607C93B5F86650C