
In the Libsodium v1.0.12 and v1.0.13 Security Assessment one can read

The ChaCha20-Poly1305 implementation combines a stream cipher and is resistant to timing attacks by design. In addition, this particular construction has two additional variants implemented in libsodium: an IETF version [7] and one with an extended nonce (XChaCha20-Poly1305) [4]. One benefit of the XChaCha20Poly1305 construction is that it enables nonce misuse-resistant schemes.

However, I don't understand how the XChaCha20-Poly1305 construction is nonce misuse-resistant.

From my understanding, XChaCha20 works as follows:

  1. Generate a 192-bit random nonce (six 32-bit words $nonce_0,...,nonce_5$).
  2. Build the initial block $B \leftarrow \begin{matrix} c_0 & c_1 & c_2 & c_3\\ k_0 & k_1 & k_2 &k_3\\ k_4 & k_5 & k_6 &k_7\\ nonce_0 & nonce_1 & nonce_2 & nonce_3 \end{matrix}$ where $c_i$ are constants and $k_i$ are key words.
  3. Run ChaCha without the final block addition: $B' \leftarrow \mathtt{HChaCha20}(B)$.
  4. Build the sub-block $B'' \leftarrow \begin{matrix} c_0 & c_1 & c_2 & c_3\\ B'_0 & B'_1 & B'_2 &B'_3\\ B'_{12} & B'_{13} & B'_{14} &B'_{15}\\ counter_0 & counter_1 & nonce_4 & nonce_5 \end{matrix}$.
  5. Run ChaCha20 using $B''$.

In this way, using the same nonce will output the same keystream. However, as I understand, nonce-misuse-resistant schemes ensure that a repeated random nonce doesn't result in plaintext compromise.

So it seems that when using XChaCha20-Poly1305 with a random nonce, one can ensure that the probability of a repeated nonce is negligible. But this is not the definition of a nonce-misuse-resistant scheme.

How does one build a nonce-misuse-resistant scheme using XChaCha20-Poly1305?

Patriot
Raoul722

1 Answer


The documentation on libsodium AEAD constructions provides more details.

Namely, it lists $H_k(\mathrm{random} \parallel m)$ as a way to compute a synthetic XChaCha20 nonce. Even if $\mathrm{random}$ is not unique, the nonce is unlikely to be the same for different messages.

Even more relevant are the sections on nonce-misuse resistance and short nonces.

Note that like all other nonce-misuse resistance schemes, this requires two passes over the data.

Frank Denis
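To make both halves of this thread concrete, here is an added worked example (written for this page; it is not libsodium's code nor the answerer's). It implements the construction from the question (HChaCha20 subkey derivation, then ChaCha20 with a 64-bit counter and the remaining 64 nonce bits) and checks it against the HChaCha20 test vector from the IETF XChaCha draft. It then shows the failure mode the question worries about (a reused random nonce makes the XOR of two ciphertexts equal the XOR of the two plaintexts) next to the answer's remedy: a synthetic nonce $H_k(\mathrm{random} \parallel m)$ computed in a first pass over the message, so that the same "random" value with different messages still yields different nonces. Assumptions: $H_k$ is instantiated as keyed BLAKE2b truncated to 24 bytes (the libsodium documentation may specify a different hash), the helper names are hypothetical, and Poly1305 authentication is left out so that only the nonce and keystream derivation are on display.

```python
import hashlib
import struct

# Constructed example: minimal XChaCha20 keystream plus a synthetic-nonce
# (two-pass, SIV-style) wrapper. No authentication tag is computed here.

MASK32 = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # the constants c_0..c_3


def _rotl(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha_rounds(state):
    """20 ChaCha rounds (10 column + 10 diagonal) on a 16-word state, in place."""
    for _ in range(10):
        _quarter_round(state, 0, 4, 8, 12)
        _quarter_round(state, 1, 5, 9, 13)
        _quarter_round(state, 2, 6, 10, 14)
        _quarter_round(state, 3, 7, 11, 15)
        _quarter_round(state, 0, 5, 10, 15)
        _quarter_round(state, 1, 6, 11, 12)
        _quarter_round(state, 2, 7, 8, 13)
        _quarter_round(state, 3, 4, 9, 14)


def hchacha20(key, nonce16):
    """Steps 2-3 of the question: run the rounds on B without the final
    addition and keep words 0..3 and 12..15 as the 256-bit subkey."""
    state = list(SIGMA) + list(struct.unpack("<8I", key)) + list(struct.unpack("<4I", nonce16))
    _chacha_rounds(state)
    return struct.pack("<8I", *(state[:4] + state[12:]))


def chacha20_keystream(key, nonce8, length, counter=0):
    """Original ChaCha20 layout (64-bit counter, 64-bit nonce), i.e. block B''."""
    out = bytearray()
    block = 0
    while len(out) < length:
        counter_words = struct.unpack("<2I", struct.pack("<Q", counter + block))
        state = list(SIGMA) + list(struct.unpack("<8I", key)) \
            + list(counter_words) + list(struct.unpack("<2I", nonce8))
        working = state[:]
        _chacha_rounds(working)
        out += struct.pack("<16I", *[(w + s) & MASK32 for w, s in zip(working, state)])
        block += 1
    return bytes(out[:length])


def xchacha20_keystream(key, nonce24, length):
    subkey = hchacha20(key, nonce24[:16])                  # nonce_0..nonce_3
    return chacha20_keystream(subkey, nonce24[16:], length)  # nonce_4, nonce_5


def xchacha20_xor(key, nonce24, data):
    ks = xchacha20_keystream(key, nonce24, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def leaked_xor_on_nonce_reuse(key, nonce24, m1, m2):
    """Encrypt two messages under one nonce and return c1 XOR c2. Because the
    keystream repeats, this equals m1 XOR m2: the plaintext relationship leaks."""
    c1 = xchacha20_xor(key, nonce24, m1)
    c2 = xchacha20_xor(key, nonce24, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


def synthetic_nonce(nonce_key, random_part, message):
    """H_k(random || m) from the answer. Assumption: keyed BLAKE2b truncated to
    24 bytes stands in for H_k. This is the first pass over the message."""
    h = hashlib.blake2b(key=nonce_key, digest_size=24)
    h.update(random_part)
    h.update(message)
    return h.digest()


def encrypt_siv_style(key, nonce_key, random_part, message):
    """Two-pass scheme: derive the nonce from (random, m), then encrypt with it.
    Repeating `random_part` now only reveals whether two messages are identical."""
    nonce = synthetic_nonce(nonce_key, random_part, message)
    return nonce, xchacha20_xor(key, nonce, message)
```

The receiver needs the synthetic nonce alongside the ciphertext (it cannot recompute it without the plaintext), which is why the nonce is returned rather than kept internal; the second pass over the message is the encryption itself, matching the answer's remark that such schemes need two passes.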