I have read that in general stream ciphers do not provide data integrity. Can ChaCha20 be implemented in such a way (perhaps like counter mode with message authentication in AES) to provide this?
1 Answer
7
ChaCha20 has Ind-CPA security; beyond this (Ind-CCAx... [1]), you need integrity and authentication. Note that Authenticated Encryption > Ind-CCA.
ChaCha20 is already teamed with the Poly1305 authenticator to provide confidentiality, integrity and authentication. It exists in TLS standards and is one of the five cipher suites in TLS 1.3, as ChaCha20_Poly1305.
If you are going to use ChaCha20, it is better to use XChaCha20-Poly1305, since it has larger nonce sizes (192-bit) so that randomly generated nonces are safe against collisions; you need $2^{96}$ random nonces to hit another one with 50% probability, and that is almost impossible.

kelalaka
I would just like to note that your most significant weakness was and still is a badly seeded RNG causing a collision in the nonce, e.g. at OS startup for some devices.
– orlp Mar 25 '21 at 21:42