Hi,

On Fri, Dec 23, 2016 at 09:15:28PM +0100, Jason A. Donenfeld wrote:
>   * cookies: use xchacha20poly1305 instead of chacha20poly1305
>   
>   This is a big change. To simplify the security analysis, improve speed, and
>   simplify the code, we now use XChaChaPoly1305 with a random 24-byte nonce,
>   instead of using a random 32-byte salt.

- Is this backwards compatible?

- Could you provide references describing XChaCha20Poly1305 and the
  differences with ChaCha20Poly1305?

- What part of the protocol does this change?  Is it just the initial key
  exchange?

Thanks,
Baptiste