UkoeHB: Why was Twofish chosen over Chacha re: JAMTIS? I only see the reasons for not Blake2b, not not Chacha.

What's wrong with Blake2b?

sech1: Nothing, yet Twofish was chosen over it for perf (a choice I wouldn't agree with due to the complexity of incorporating Twofish as a primitive).

Chacha should be competitive on perf/faster, more widely usable, have more libs actively maintained, and shares some cryptanalysis with Blake.

Blake2b is already in Monero codebase though

I'd prefer Blake2b to Twofish. I'd prefer Chacha to Twofish, which I think is also in codebase yet I'd have to check. If Blake2b is out for perf, we should evaluate the potentially faster, in family, more popular Chacha.

chacha20 is in the codebase (it's used to encrypt the wallet file).

<kayabanerve[m]> "Chacha should be competitive..." <- any thoughts about blake3 ? or Is it just not suitable ?

Blake3 may make sense for large data sets. This isn't a large data set

kayabanerve[m]: chacha and blake2b are not block ciphers

Yes, but why do you need a block cipher?

chacha requires an iv

And despite Blake2b not being a block cipher, it was still evaluated.

Only if they key is reused.

with a block cipher you can do a single block with no iv

the key has to be reused for ciphering the index

ciphering the indices of all addresses*

... and then are we sure calculating unique IVs + Chacha isn't faster?

If so, ack, just running this to completion.

how do you get a unique iv?

Uhhhhh I think you can just use a counter.

how do you recover the unique iv during balance recovery?

I won't sign off on that but known IV isn't a break, if you know two distinct IVs, AFAIK. So as long as the IV uses are ordered, it should be near-free.

* a break, even if you

in balance recovery all you have is an address tag with no other information, how do you get the proper iv?

*I'm not sure the IV uses are ordered. I'm saying I don't believe we need additional hashes to calculate IVs so the performance is possibly still viable.

If we don't have the ability to add in any other context, and keys aren't unique, we don't have a mechanism.

So then sure, an IV-less system makes sense if you absolutely can't change that API.

I'd have to read the exact flow. I just find it surprising if we are so rigid. I'm unsure why we'd have non-unique keys in the first place since shared keys are now binding to linking tags (or at least, some shared keys are).

section 8.5.2 step 5 raw.githubusercontent.com/UkoeHB/Se…ng_seraphis/Impl-Seraphis-0-0-2.pdf

Address tags are attached to addresses, encrypted address tags are attached to enotes. Encrypted address tags use blake2b just like encoded amounts.

I see the issue. Thanks for linking that. I'll drop my commentary.

👍

So we do need a block cipher, which is why Twofish is the best candidate. Got it.

yep