Created by: sebastianv89
OTRv4 uses XSalsa20 for encryption, which seems like a strange choice to me.
The idea behind the double ratchet is that every message gets associated with a unique message key. The idea behind XSalsa20 (compared to Salsa20) is that we have larger nonces, so that we can use random nonces without worrying about collisions when encrypting with the same key. In fact, when we have unique keys for every message we can do without a nonce (or, equivalently, set the nonce to zero). Alternatively, a random-looking nonce can be derived from the chain key (which is what Signal does). Either solution has the benefit that there is no longer any need to send the nonce in the data message, giving smaller messages.
Getting rid of the random nonces also means that XSalsa20 can be replaced with Salsa20 (or even ChaCha20), which is more efficient, has seen more rigorous attempts at cryptanalysis, and is more widely available in cryptographic libraries.
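As an added illustration of the argument above (this is example code written for this note, not OTRv4's or Signal's code), the following Python puts a symmetric-key ratchet next to a nonce-free stream cipher. The ratchet is an assumed construction: HMAC-SHA256 over the chain key with the one-byte labels 0x01 and 0x02 in the style of Signal's chain KDF, so each message gets a fresh key and the sender no longer transmits a nonce. The cipher is ChaCha20 implemented from RFC 8439 (the 12-byte-nonce variant), used with a constant all-zero nonce because the per-message key already guarantees a fresh keystream. The last function shows the failure mode that random or unique nonces exist to prevent: two messages under the same key and nonce reveal the XOR of their plaintexts. The root chain key and message contents are constructed sample values.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    # ChaCha quarter-round exactly as in RFC 8439, section 2.1
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 8439, section 2.3)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    raw = b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce
    initial = list(struct.unpack("<16I", raw))
    s = initial[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(s, initial)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt `data` (same operation) by XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


# With a unique key per message the nonce carries no information, so it
# can be a fixed constant and need not be sent on the wire.
ZERO_NONCE = bytes(12)


def ratchet_step(chain_key):
    """Symmetric-key ratchet step: returns (next_chain_key, message_key).

    Assumed construction (not a spec): HMAC-SHA256 with the labels 0x01
    for the message key and 0x02 for the next chain key, Signal-style.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def encrypt_chain(chain_key, messages):
    """Sender: fresh message key per message, constant zero nonce."""
    ciphertexts, message_keys = [], []
    for m in messages:
        chain_key, mk = ratchet_step(chain_key)
        message_keys.append(mk)
        ciphertexts.append(chacha20_xor(mk, ZERO_NONCE, m))
    return chain_key, message_keys, ciphertexts


def decrypt_chain(chain_key, ciphertexts):
    """Receiver: re-derive the same key sequence and decrypt in order."""
    plaintexts = []
    for c in ciphertexts:
        chain_key, mk = ratchet_step(chain_key)
        plaintexts.append(chacha20_xor(mk, ZERO_NONCE, c))
    return chain_key, plaintexts


def same_key_same_nonce_leaks_xor(key, m1, m2):
    """The failure mode unique keys (or unique nonces) prevent: reusing a
    keystream makes c1 XOR c2 equal m1 XOR m2, exposing plaintext structure."""
    c1 = chacha20_xor(key, ZERO_NONCE, m1)
    c2 = chacha20_xor(key, ZERO_NONCE, m2)
    ct_xor = bytes(a ^ b for a, b in zip(c1, c2))
    pt_xor = bytes(a ^ b for a, b in zip(m1, m2))
    return ct_xor == pt_xor


if __name__ == "__main__":
    root = hashlib.sha256(b"constructed demo root chain key").digest()  # constructed
    msgs = [b"first message", b"second message", b"third, longer message " * 4]
    _, keys, cts = encrypt_chain(root, msgs)
    _, pts = decrypt_chain(root, cts)
    print("all message keys distinct:", len(set(keys)) == len(keys))
    print("roundtrip ok:", pts == msgs)
    print("key+nonce reuse leaks XOR:", same_key_same_nonce_leaks_xor(root, msgs[0], msgs[1]))
```

The block function is checked against the RFC 8439 section 2.3.2 test vector, so the cipher is the real algorithm rather than a toy. Swapping in XSalsa20 would only change `chacha20_xor`; the ratchet, the zero nonce and the smaller wire format are unaffected, which is the point being made.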