The draft of ChaCha20 uses a 64-bit nonce, but the final version of the ChaCha20 specification uses a 96-bit nonce.
PR #9792 adds ChaCha20 to Bitcoin. We can see that the function ChaCha20::SetIV(uint64_t iv) uses 64 bits to set the nonce value. chacha20.cpp mentions that it follows the ChaCha20 implementation from here.
Is there any specific reason for Bitcoin using a 64-bit nonce? Wouldn't it be better to use a 96-bit nonce as recommended?
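
As an added example (not part of the original post and not Bitcoin Core's code), the code below builds the 16-word ChaCha20 initial state for the 64-bit-nonce layout (64-bit block counter in words 12-13) and for the 96-bit-nonce layout of RFC 8439 (32-bit counter in word 12), then runs the block function on it. The names `state_djb`, `state_rfc8439` and `chacha20_block` are hypothetical, and the key in `main` is a constructed sample.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>

using State = std::array<uint32_t, 16>;
using Key = std::array<uint32_t, 8>;  // key as eight little-endian words

static uint32_t rotl(uint32_t v, int c) { return (v << c) | (v >> (32 - c)); }
static void quarter(State& s, int a, int b, int c, int d) {
    s[a] += s[b]; s[d] = rotl(s[d] ^ s[a], 16);
    s[c] += s[d]; s[b] = rotl(s[b] ^ s[c], 12);
    s[a] += s[b]; s[d] = rotl(s[d] ^ s[a], 8);
    s[c] += s[d]; s[b] = rotl(s[b] ^ s[c], 7);
}
// Words 0-3 ("expand 32-byte k") and 4-11 (key) are the same in both layouts.
static State base_state(const Key& key) {
    State s{0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
    for (int i = 0; i < 8; ++i) s[4 + i] = key[i];
    return s;
}
// 64-bit-nonce layout: block counter in words 12-13, nonce in words 14-15.
State state_djb(const Key& key, uint64_t counter, uint64_t nonce) {
    State s = base_state(key);
    s[12] = (uint32_t)counter; s[13] = (uint32_t)(counter >> 32);
    s[14] = (uint32_t)nonce;   s[15] = (uint32_t)(nonce >> 32);
    return s;
}
// RFC 8439 layout: 32-bit block counter in word 12, 96-bit nonce in words 13-15.
State state_rfc8439(const Key& key, uint32_t counter, const std::array<uint32_t, 3>& nonce) {
    State s = base_state(key);
    s[12] = counter; s[13] = nonce[0]; s[14] = nonce[1]; s[15] = nonce[2];
    return s;
}
// 10 double rounds plus feed-forward; returns one keystream block as 16 words.
State chacha20_block(const State& in) {
    State x = in;
    for (int i = 0; i < 10; ++i) {
        quarter(x, 0, 4, 8, 12); quarter(x, 1, 5, 9, 13);   // column rounds
        quarter(x, 2, 6, 10, 14); quarter(x, 3, 7, 11, 15);
        quarter(x, 0, 5, 10, 15); quarter(x, 1, 6, 11, 12);  // diagonal rounds
        quarter(x, 2, 7, 8, 13); quarter(x, 3, 4, 9, 14);
    }
    for (int i = 0; i < 16; ++i) x[i] += in[i];
    return x;
}
int main() {
    Key k{};  // constructed sample: all-zero key
    // Same state when the first 96-bit-nonce word is 0 and the counter fits in 32 bits.
    bool same = state_djb(k, 1, 0x4a000000ULL) == state_rfc8439(k, 1, {0, 0x4a000000, 0});
    std::printf("layouts coincide: %s\n", same ? "yes" : "no");
}
```

The two layouts differ only in how word 13 is used: a counter of 2^32 in the 64-bit-nonce layout sets word 13 to 1, the same word RFC 8439 assigns to the first 32 bits of the nonce.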