2024-05-01 14:02:18

by Aaron Toponce

Subject: Re: [PATCH] random: add chacha8_block and swtich the rng to it

On Wed, May 01, 2024 at 02:38:52PM +0200, Jean-Philippe Aumasson wrote:
> Switching from ChaCha20 to ChaCha12 might still raise eyebrows but I
> don't think any respectable crypto/security expert will suspect a
> JiaTan situation.

I also mentioned this earlier in the thread; that is, to switch to ChaCha12 if
ChaCha8 makes us uncomfortable. It's not without precedent either:

- eSTREAM recommends Salsa20/12 in their final portfolio
- Adiantum uses XChaCha12
- Rust's rand::rngs::StdRng uses ChaCha12

There may be other precedents for ChaCha12 from non-trivial projects I'm
unfamiliar with.

--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o