jedisct1
commented
1 year ago IETF ChaCha was tailored for TLS. It has a smaller nonce size and would not be a good fit.
If we want to support for an IETF construction, I think we should use HPKE instead, even if restricted to X25519 and ChaChaPoly.
Given that there is now an IETF version, would it make sense to update the protocol and add support for it along the existing xsalsa and xchacha?