Comment by nicce

5 years ago

Have you correctly evaluated your threat scenarios?

ChaCha is a stream cipher, which is meant to be used in the transmission phase, not on data at rest (DARE). That is a significant difference. In this case, you are implementing a photo storage service, where the data is lying mostly on your servers and not disappearing after the transmission. What is the threat model?

In general, stream ciphers are considered weaker alternatives to DARE ciphers. The main risk lies in the nonce. In a service like this, you are using a long-term key. XChaCha provides a 192-bit nonce. How likely are you to generate identical nonces?

Well. In this case, it might be that this stream cipher is safe. A 192-bit nonce is quite a big number.

For example, AES-GCM with a 96-bit nonce has a maximum message count of 2^32 when used deterministically [1].

In theory, the AES alternative is much weaker than your current implementation.

[1]: https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=51288...

From the literature we have read, XChaCha20 coupled with Poly1305 is safe for DARE; ChaCha20 in isolation isn't. We're employing the former.
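To put numbers on the nonce-collision question raised above (96-bit AES-GCM nonce versus 192-bit XChaCha20-Poly1305 nonce under one long-term key), here is a small worked example. It is added here and is not code from either commenter or from the photo service being discussed. It assumes nonces are drawn uniformly at random from the OS CSPRNG and uses the standard birthday-bound approximation p ≈ n²/(2·2^bits); the 2^-33 target probability is chosen as an assumption so that the 96-bit column reproduces the 2^32 figure quoted in the comment, not because that exact threshold appears in the thread.

```python
import math
import secrets

# Nonce sizes of the two AEADs compared in the thread, in bits.
AES_GCM_NONCE_BITS = 96
XCHACHA20_NONCE_BITS = 192


def collision_probability(nonce_bits: int, messages: int) -> float:
    """Birthday-bound approximation of the probability that at least one
    pair of `messages` uniformly random nonces of `nonce_bits` bits collides:
    p ~= n^2 / (2 * 2^bits). Computed in log2 space so 2^192 never overflows."""
    if messages < 2:
        return 0.0
    log2_p = 2 * math.log2(messages) - 1 - nonce_bits
    return min(1.0, 2.0 ** log2_p)


def max_messages(nonce_bits: int, max_probability: float) -> int:
    """Largest message count n under one key such that the birthday-bound
    collision probability stays at or below `max_probability`:
    n ~= sqrt(2 * 2^bits * p)."""
    log2_n = (1 + nonce_bits + math.log2(max_probability)) / 2
    return int(2 ** log2_n)


def compare(messages: int) -> dict[str, float]:
    """log2 of the collision probability for both nonce sizes after `messages`
    encryptions under the same key (more negative = safer)."""
    return {
        "aes_gcm_96": math.log2(collision_probability(AES_GCM_NONCE_BITS, messages)),
        "xchacha20_192": math.log2(collision_probability(XCHACHA20_NONCE_BITS, messages)),
    }


def random_nonces(count: int, nonce_bytes: int = 24) -> list[bytes]:
    """Draw `count` nonces from the OS CSPRNG. 24 bytes = 192 bits, the
    XChaCha20-Poly1305 nonce size; 12 bytes would be the AES-GCM size."""
    return [secrets.token_bytes(nonce_bytes) for _ in range(count)]


def all_unique(nonces: list[bytes]) -> bool:
    """True if no two nonces in the list are identical."""
    return len(set(nonces)) == len(nonces)


if __name__ == "__main__":
    # Assumed target: keep collision probability at or below 2^-33 per key.
    target = 2.0 ** -33
    for bits in (AES_GCM_NONCE_BITS, XCHACHA20_NONCE_BITS):
        n = max_messages(bits, target)
        print(f"{bits}-bit nonce: up to 2^{math.log2(n):.0f} messages per key")
    # After 2^32 photos under one key (the AES-GCM ceiling from the comment):
    for name, log2_p in compare(2 ** 32).items():
        print(f"{name}: collision probability ~ 2^{log2_p:.0f}")
    # A small sanity check that freshly drawn 192-bit nonces do not repeat.
    print("1000 random 192-bit nonces unique:", all_unique(random_nonces(1000)))
```

With a 96-bit nonce the bound lands on 2^32 messages per key, matching the AES-GCM figure above; with a 192-bit nonce the same target allows about 2^80 messages, and after 2^32 encryptions the collision probability is around 2^-129. The same birthday arithmetic is what separates "random nonce is risky" from "random nonce is fine" for a long-lived storage key.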