Clarify "zero nonce"

[paulmillr]

encrypt[key](plaintext) is ChaCha20-Poly1305 from RFC 7539 with a zero nonce.

Everyone keeps saying we should never reuse nonces.

Is age using zero nonces because the underlying messages never repeat? If so, the spec should clarify this part. Also, what is zero? Empty byte array, or a byte array with [0x0]?

[mdouchement]

This comment should explain:

age/internal/age/primitives.go

Lines 24 to 28 in e43cf8b

	// The nonce is fixed because this function is only used in places where the
	// spec guarantees each key is only used once (by deriving it from values
	// that include fresh randomness), allowing us to save the overhead.
	// For the code that encrypts the actual payload, look at the
	// filippo.io/age/internal/stream package.

[paulmillr]

Yeah, just would be great to have this clarified in the spec.

[paulmillr]

What about multi-target attacks? https://blog.cr.yp.to/20151120-batchattacks.html

[FiloSottile]

ChaCha20Poly1305 keys are 256 bits, so they have plenty of multi-target margin even with a fixed nonce. A version of the spec that uses AES-128 would have to generate the nonce from the same source as the key.