kcp-go
Add XChaChaPoly1305
Disclaimer: I am not a cryptographer or security professional, and it is not unlikely that I am mistaken.
Kcp-go currently lacks authenticated encryption support, which is considered best practice. x/crypto currently supports AES-GCM and x/chachapoly.
AES-GCM is limited to ~64GB for a single key + nonce and ~350GB (16KB messages) for a single key, so it shouldn't be used unless frequent key rotation is guaranteed.
chachapoly1305 does not have these limitations but uses a 64-bit nonce, making nonce collisions possible, although unlikely.
xchachapoly1305 uses a 192-bit nonce, preventing nonce collisions and allowing use of a random nonce; a single key + nonce can encrypt 2^64 bytes, and up to 2^64 messages for a single key. x/crypto has platform-specific optimized assembly implementations for AMD64, ppc64le, s390x and arm64 (x/chacha20, not poly1305), which on my machine (Intel Haswell) are about 40% faster than salsa20 and roughly on par with aes128-cfb. It also supports additional data, which together with public-key-based key exchange allows implementing a replay-attack-resistant scheme.
References:
https://libsodium.gitbook.io/doc/secret-key_cryptography/aead
https://pkg.go.dev/golang.org/x/[email protected]/chacha20poly1305?tab=doc
Thanks, Ofer
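The random-nonce, additional-data packet sealing described in the request above, as an added example that is not code from this issue or from kcp-go. It is written against Go's `cipher.AEAD` interface; AES-256-GCM from the standard library stands in so it runs without external modules, and the function names, key and additional-data string are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD builds the AEAD used below. Assumption: AES-256-GCM stands in so the
// example needs only the standard library; chacha20poly1305.NewX(key) from
// golang.org/x/crypto returns the same cipher.AEAD interface with a 24-byte nonce.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPacket returns nonce || ciphertext || tag. A fresh random nonce is drawn
// for every packet; ad is authenticated but not encrypted or transmitted.
func sealPacket(aead cipher.AEAD, ad, plaintext []byte) ([]byte, error) {
	n := aead.NonceSize()
	nonce := make([]byte, n, n+len(plaintext)+aead.Overhead())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, ad), nil
}

// openPacket splits off the nonce and verifies the tag over ciphertext and ad.
func openPacket(aead cipher.AEAD, ad, packet []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(packet) < n+aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	return aead.Open(nil, packet[:n], packet[n:], ad)
}

func main() {
	aead, _ := newAEAD(make([]byte, 32)) // constructed all-zero key, demo only
	ad := []byte("session-1|seq-7")      // hypothetical per-packet context
	pkt, _ := sealPacket(aead, ad, []byte("hello kcp"))
	pt, err := openPacket(aead, ad, pkt)
	fmt.Printf("%s %v\n", pt, err)
	pkt[len(pkt)-1] ^= 1 // flip one bit of the tag
	_, err = openPacket(aead, ad, pkt)
	fmt.Println("tampered:", err)
}
```

Each packet grows by `NonceSize() + Overhead()` bytes, which has to be subtracted from the usable payload per datagram.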
I'm thinking about some kind of OTP (one-time-pad), like: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm