On Wed, May 01, 2024 at 02:38:52PM +0200, Jean-Philippe Aumasson wrote: > Switching from ChaCha20 to ChaCha12 might still raise eyebrows but I > dont think any respectable crypto/security expert will suspect a > JiaTan situation. I also mentioned this earlier in the thread; that is, to switch to ChaCha12 if ChaCha8 makes us uncomfortable. It's not without precedent also: - eSTREAM recommends Salsa20/12 in their final portfolio - Adiantum uses XChaCha12 - Rust uses ChaCha12 rand::rngs::StdRng There may be other precedent of ChaCha12 with from non-trivial projects I'm unfamiliar with. -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o
