2

I have to encrypt the communications between two devices. I was planning on using a timestamp (in seconds) and the serial number as the nonce. I know it's impossible for me to send more than 100 messages a second. So potentially the nonce can repeat a couple of times in a second, but the internal ChaCha counter should work to make each nonce unique, correct?

Ella Rose

1 Answer

5

> So potentially the nonce can repeat a couple of times in a second, but the internal chacha counter should work to make each nonce unique correct?

No.

YOUR OBLIGATION in the ChaCha security contract is to choose a unique nonce for every message you send; IN EXCHANGE, ChaCha provides IND-CPA security, meaning roughly confidentiality against a passive eavesdropper.

ChaCha does nothing to fulfill its contractual obligations for you if you violate your contractual obligations to ChaCha. The ‘counter’ is an implementation detail of how ChaCha encrypts a single message; ChaCha itself keeps no state between messages—that is your job. If you repeat a nonce, the security contract is null and void, and ChaCha provides no security whatsoever.

  • If you're exchanging messages sequentially in a conversation, I recommend that you simply count the number of messages you have sent so far and use that as the nonce. This way you can cheaply reject replays too by refusing to accept old message numbers.

  • If you have no persistent state, but you do have access to an entropy source, you could use XChaCha instead of ChaCha (it is easy to write an XChaCha implementation in terms of a ChaCha implementation); then you can pick the 192-bit nonce independently and uniformly at random for each message, and send it along with the message. But I recommend using message sequence numbers instead if you can.

By the way: You are actually using ChaCha as part of the authenticated cipher ChaCha/Poly1305, right? I hope you're not building an application out of an unauthenticated cipher!

Squeamish Ossifrage
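The failure described in the answer above, as an added example that is not part of the original post: a pure-Python ChaCha20 (RFC 8439 layout) showing that two messages sent in the same second under a timestamp-plus-serial nonce share a keystream, so XORing the two ciphertexts yields the XOR of the two plaintexts, while message-number nonces do not. The 12-byte nonce layout, key, serial number and plaintexts are constructed for the demonstration, and the cipher is left unauthenticated only to isolate the nonce issue.

```python
import struct

def _rotl(v, n):
    return ((v << n) & 0xffffffff) | (v >> (32 - n))

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # RFC 8439 state: 4 constants, 8 key words, 1 block counter, 3 nonce words
    init = (list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
            + [counter] + list(struct.unpack("<3I", nonce)))
    s = init[:]
    for _ in range(10):  # 10 double rounds: columns, then diagonals
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & 0xffffffff for x, y in zip(s, init)))

def chacha20_xor(key, nonce, data, counter=0):
    # The block counter restarts at the same value for every message,
    # so it cannot distinguish two messages that share a nonce.
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

KEY = bytes(range(32))              # constructed demo key
P1 = b"valve=open;  pressure=17"    # constructed plaintexts
P2 = b"valve=closed;pressure=93"

def ts_serial_nonce(ts, serial):    # the question's scheme (byte layout assumed)
    return struct.pack("<IQ", ts, serial)
def seq_nonce(n):                   # the answer's scheme: message number as nonce
    return n.to_bytes(12, "little")

def reuse_leaks():
    n = ts_serial_nonce(1700000000, 0xC0FFEE)   # two messages in the same second
    c1, c2 = chacha20_xor(KEY, n, P1), chacha20_xor(KEY, n, P2)
    return xor(c1, c2) == xor(P1, P2)           # keystream cancels out
def counter_nonces_differ():
    c1, c2 = chacha20_xor(KEY, seq_nonce(1), P1), chacha20_xor(KEY, seq_nonce(2), P2)
    return xor(c1, c2) != xor(P1, P2)
```

An eavesdropper who sees both ciphertexts in the reuse case needs no key to compute `xor(P1, P2)`, and any known field in one message then reveals the matching bytes of the other.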