Open ahdinosaur opened 9 months ago
libsodium says: https://doc.libsodium.org/secret-key_cryptography/aead/chacha20-poly1305/ietf_chacha20-poly1305_construction
The IETF variant of the ChaCha20-Poly1305 construction can safely encrypt a practically unlimited number of messages...
libsodium says:
that's false.
The top URL you've given:
https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-07.html#section-6.4
Section 6.4 clearly says limit for AEAD is 2^46. 2^100 is for pure chacha without poly
Looks like AEAD algorithms have usage limits: https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-07.html
ChaCha20-Poly1305's limit is
2^100
. Wait... that's plenty good.But
@noble/ciphers
says2^46
: https://github.com/paulmillr/noble-ciphers#encryption-limits. Why the difference?Will look into this more. If the limit is low enough, we could set a threshold to automatically re-key.
The idea would be to have the 96-bit nonce constructed similar to STREAM and libsodium's secretstream: