XSalsa and XChaCha do something extremely similar. In order to extend the nonce space by 128 bits you basically run a round of ChaCha against 128 bits of your nonce. Those 128 bits represent 96 bits of nonce and 32 bits of counter. Because you know you'll never encode more than 1 full block of data, the counter won't overlap. 256 bits of internal state become the key for the next round of ChaCha plus the remaining 64 bits of nonce and you get to use the full counter space because nonce just became the key.The paper is also extremely approachable.
https://cr.yp.to/snuffle/xsalsa-20110204.pdf
I wonder if processes like this extend cryptographically in most symmetric ciphers. To add more nonce, encrypt your nonce, output becomes key for next round, add more nonce, repeat. Like all things crypto though, your search space could absolutely collapse if the cipher doesn't have the right properties.
No comments yet.