Closed samuel-lucas6 closed 3 years ago
I'd like to ask how large the secretstream all-zero block is for ensuring robustness (as mentioned here).
The block size when the secretstream
construction is instantiated with ChaCha20 is 512 bits. 8 bits are reserved for the tag, that leaves 504 padding bits.
How large the padding should be depends on the MAC function and on your protocol. [Some new results on Poly1305 multi collisions].
With a universal hash function such as GCM or Poly1305, it makes sense to use a padding the same size as the tag, even though using more than 128 bit is unlikely to provide any practical security margin.
In secretstream
, since the first block is reserved for the tag, the 504 extra bits come for free.
I'd like to ask how large the secretstream all-zero block is for ensuring robustness (as mentioned here).
Furthermore, where has the 128-bit fixed string figure come from? I had a glance at this paper and that seemed to suggest the padding fix could vary depending on the encryption algorithm, but I may be reading that incorrectly.
Many thanks!