Comment by vishnumohandas
5 years ago
From the literature we have read, XChaCha20 coupled with Poly1305 is safe for DARE, ChaCha20 in isolation isn't. We're employing the former.
5 years ago
From the literature we have read, XChaCha20 coupled with Poly1305 is safe for DARE, ChaCha20 in isolation isn't. We're employing the former.
That is what I was saying. Just reasoning just in case, because it was not written. Threat models are the most important aspects in cryptography and you could include them to support you decisions.
We have outlined this within our architecture[1], but I left out Poly1305 in my previous comment in the context of the original question comparing XChaCha20 with AES256.
The devil truly is in the details. :)
[1]: https://ente.io/architecture#implementation-details
I did read that, but I meant that you should describe threat models, and from that point describe implementation how it relates to threats. So describing pure implementation leaves still many questions, and is less convincing. Threat models helps for question "why". Why this is selected? It gives feeling that you have thoroughly gone through the selection process. In cryptography, there are so many different algorithms and they are meant for different uses. There is no one good for everything. It is important to note, that why this is good for this scenario. And what are pros and cons.
If you have correctly described your threat model, it is easier to convince others, that your algorithm selection is good, even if it might have been good already. It leaves so many mistakes out. And from that point of view, it is also easier to sell, especially as you are branding as E2EE service.