by adgjlsfhk1 883 days ago
> AES-GCM has a 96-bit nonce.

Why do cryptographers ever do things with fewer than 256 bits? Like, sure, speed is nice, but it's also really nice to know that even if you have a birthday attack and lose another factor of a billion somewhere, you're still fine.

1 comments

AES has a block size of 128 bits, so 96 bits is the nonce size that gets you a 32-bit counter. You probably don't want a smaller counter. Things like XSalsa technically have a larger nonce but in reality still derive a smaller nonce.

Right, but the larger key (in XSalsa and X-everything-else) effectively gets mixed into the key, which is fine.
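
The trade-off discussed in this thread, as an added example that is not part of any comment: how a 96-bit nonce and a 32-bit counter share one 128-bit AES block, the message-length limit that follows, and the birthday bound for randomly chosen nonces. The function names are hypothetical, only the 96-bit IV case of GCM is covered, and the 192-bit figure is XSalsa20's nonce size.

```python
import math

BLOCK_BITS = 128                     # AES block size
NONCE_BITS = 96                      # standard GCM IV length
CTR_BITS = BLOCK_BITS - NONCE_BITS   # what is left for the block counter: 32


def counter_block(iv: bytes, i: int) -> bytes:
    """Counter block i for a 96-bit IV: IV || 32-bit big-endian counter."""
    if len(iv) * 8 != NONCE_BITS:
        raise ValueError("only the 96-bit IV case is handled here")
    if not 1 <= i < 2 ** CTR_BITS:
        raise ValueError("counter would wrap and the keystream would repeat")
    return iv + i.to_bytes(CTR_BITS // 8, "big")


def max_plaintext_bytes() -> int:
    """Counter value 1 masks the tag, so data blocks use 2 .. 2^32 - 1."""
    return (2 ** CTR_BITS - 2) * (BLOCK_BITS // 8)


def nonce_collision_probability(nonce_bits: int, messages: int) -> float:
    """Birthday approximation for random nonces under one key."""
    exponent = -messages * (messages - 1) / 2.0 ** (nonce_bits + 1)
    return -math.expm1(exponent)     # expm1 keeps precision for tiny values


def log2_messages_for_risk(nonce_bits: int, log2_risk: float) -> float:
    """log2 of the message count at which collision risk reaches 2^log2_risk."""
    # p ~= n^2 / 2^(bits + 1)  =>  log2(n) = (log2(p) + bits + 1) / 2
    return (log2_risk + nonce_bits + 1) / 2


if __name__ == "__main__":
    iv = bytes(12)                   # constructed sample IV (all zero)
    print("first data block:", counter_block(iv, 2).hex())
    print("max bytes per message:", max_plaintext_bytes())
    for bits in (96, 192):
        p = nonce_collision_probability(bits, 2 ** 32)
        n = log2_messages_for_risk(bits, -32)
        print(f"{bits}-bit nonce: P(collision after 2^32 msgs) = {p:.3e}, "
              f"2^-32 risk reached near 2^{n} messages")
```

With random 96-bit nonces the collision risk reaches 2^-32 at roughly 2^32 messages per key, while a 192-bit nonce moves that point to roughly 2^80.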