ChaCha has clear delineations between key, nonce, counter and constants.

What is the reason for not using a XEX-like ($k=0$) approach such that the ChaCha key is 512 bits and all the other things are XOR'ed with the key, and only the key is XOR'ed with the ChaCha permutation output?

ChaCha already has some similarity to Even-Mansour with the way it is constructed, why not go all the way? Currently, it only does partial single key Even-Mansour with partially known key, known plaintext and partially exposed ciphertext.[1]

The attacker doesn't gain any additional control over the input that he did not have before, and the security of the cipher when the attacker is passive becomes $2^{512}$.

Are there any downsides?

[1] If ChaCha is an Even-Mansour-like construction then:

  • half of the key is effectively 0
  • constants, counter, nonce are all known, rest of the plaintext is 0
Maarten Bodewes

1 Answer

The obvious downside is that there would be $2^{256}$ weak inputs (key-nonce-counter) due to ChaCha requiring constants to break symmetry (see this paper at 3.1 about the NORX permutation based on ChaCha) and collisions between key and nonce/counter, which are expected in Even-Mansour, but not in ChaCha. It is also unknown if the ChaCha permutation is free of differential and linear characteristics with complexity lower than $2^{512}$.

There is little to no upside since Even-Mansour is considered secure up to $2^{n/2}$.

As to why it is not designed to have a 512-bit key: it is because it is considered unnecessary.

Using the Keccak permutation would be better. It is 1600-bit and has round constants that break symmetries internally. It could provide 800-bit security in Even-Mansour and plenty of nonce/counter bits. I would still recommend concatenating the inputs like ChaCha instead of XORing them together, as it is a waste of an insane 1600-bit key that loses strength with the number of blocks generated.

LightBit
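The symmetry issue raised in the answer can be checked directly. The following is an added example, not code from the question or the answer: it runs the ChaCha20 core permutation without the feed-forward addition and shows that it commutes with rotating the columns of the 4x4 state, so a state that repeats with column period 2 stays that way. The function names and the randomly generated sample states are assumptions made for illustration.

```python
import random

MASK = 0xFFFFFFFF
# "expand 32-byte k" as four little-endian words: row 0 of the real ChaCha state.
SIGMA = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 7)

def permute(state, double_rounds=10):
    """ChaCha20 permutation on 16 words, without the final feed-forward."""
    s = list(state)
    for _ in range(double_rounds):
        for c in range(4):  # column round
            quarter_round(s, c, 4 + c, 8 + c, 12 + c)
        for c in range(4):  # diagonal round
            quarter_round(s, c, 4 + (c + 1) % 4, 8 + (c + 2) % 4, 12 + (c + 3) % 4)
    return s

def rotate_columns(state, k):
    """Cyclically shift the columns of the 4x4 word matrix by k positions."""
    return [state[4 * r + (c + k) % 4] for r in range(4) for c in range(4)]

def is_symmetric(state, k=2):
    return rotate_columns(state, k) == list(state)

def demo(seed=1):
    rng = random.Random(seed)  # constructed sample inputs, not test vectors
    word = lambda: rng.getrandbits(32)
    any_state = [word() for _ in range(16)]
    # The permutation commutes with column rotation for every input state.
    commutes = all(
        permute(rotate_columns(any_state, k)) == rotate_columns(permute(any_state), k)
        for k in range(4))
    # Rows of the form (a, b, a, b): 8 free 32-bit words, i.e. 256 free bits.
    sym_in = []
    for _ in range(4):
        a, b = word(), word()
        sym_in += [a, b, a, b]
    # Real ChaCha layout: four distinct constants in row 0 rule out symmetric inputs.
    chacha_in = SIGMA + [word() for _ in range(12)]
    return (commutes, is_symmetric(permute(sym_in)),
            any(is_symmetric(chacha_in, k) for k in (1, 2, 3)))
```

If the whole 512-bit input were free, as in the XEX-like variant from the question, nothing would keep the permutation input out of this symmetric class; in ChaCha as specified, the fixed constants do.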