jedisct1 / libsodium-doc

Gitbook documentation for libsodium
https://libsodium.org
ISC License

Clarifying secretstream robustness #122

Closed samuel-lucas6 closed 3 years ago

samuel-lucas6 commented 3 years ago

> Libsodium's secretstream construction always authenticates an extra all-zero (minus 8 bits for the tag) block to ensure robustness.

I'd like to ask how large the secretstream all-zero block is for ensuring robustness (as mentioned here).

> By including a 128-bit fixed string in the message and verifying it during the decryption process

Furthermore, where has the 128-bit fixed string figure come from? I had a glance at this paper and that seemed to suggest the padding fix could vary depending on the encryption algorithm, but I may be reading that incorrectly.

Many thanks!

jedisct1 commented 3 years ago

> I'd like to ask how large the secretstream all-zero block is for ensuring robustness (as mentioned here).

The block size when the secretstream construction is instantiated with ChaCha20 is 512 bits. 8 bits are reserved for the tag, which leaves 504 padding bits.

How large the padding should be depends on the MAC function and on your protocol. [Some new results on Poly1305 multi collisions].

With a universal hash function such as GCM or Poly1305, it makes sense to use a padding the same size as the tag, even though using more than 128 bits is unlikely to provide any practical security margin.

In secretstream, since the first block is reserved for the tag, the 504 extra bits come for free.
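The layout described in the reply above, as an added Python sketch that is not part of the thread and not libsodium's code: one 512-bit ChaCha20 block carries the 8-bit tag plus 504 zero bits, and Poly1305 authenticates that whole block, so decrypting under a different key changes 63 bytes of MAC input. It is a simplified model that is not wire-compatible with libsodium; the function names, the MAC input layout, the choice not to transmit the padding bytes, and the omission of additional data and rekeying are assumptions.

```python
import hmac, struct

def _qr(s, a, b, c, d):  # ChaCha quarter round (RFC 8439, section 2.1)
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xffffffff
        s[z] = s[z] ^ s[x]
        s[z] = ((s[z] << r) | (s[z] >> (32 - r))) & 0xffffffff

def chacha20_block(key, counter, nonce):  # one 64-byte (512-bit) keystream block
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                              + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(s, *q)
    return struct.pack("<16I", *((x + y) & 0xffffffff for x, y in zip(s, init)))

def poly1305(key, msg):  # one-time MAC (RFC 8439, section 2.5)
    r = int.from_bytes(key[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s, acc = int.from_bytes(key[16:32], "little"), 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % ((1 << 130) - 5)
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")

BLOCK = 64                    # ChaCha20 block size in bytes (512 bits)
PADDING_BITS = BLOCK * 8 - 8  # 504 zero bits share the first block with the 8-bit tag

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _stream(key, nonce, data):  # XOR data with keystream blocks 2, 3, ...
    ks = b"".join(chacha20_block(key, 2 + i, nonce) for i in range(-(-len(data) // BLOCK)))
    return _xor(data, ks)

def _mac(key, nonce, first, body):  # Poly1305 key from block 0; covers the full first block
    return poly1305(chacha20_block(key, 0, nonce)[:32], first + body + struct.pack("<Q", len(body)))

def push(key, nonce, tag, msg):
    first = _xor(chacha20_block(key, 1, nonce), bytes([tag]) + bytes(BLOCK - 1))
    body = _stream(key, nonce, msg)
    return first[:1] + body + _mac(key, nonce, first, body)  # the 63 padding bytes are not sent

def pull(key, nonce, ct):
    block1 = chacha20_block(key, 1, nonce)
    first = ct[:1] + block1[1:]  # receiver re-encrypts the zero padding under its own key
    if len(ct) < 17 or not hmac.compare_digest(ct[-16:], _mac(key, nonce, first, ct[1:-16])):
        return None
    return ct[0] ^ block1[0], _stream(key, nonce, ct[1:-16])
```

In this model the 504 padding bits add nothing to the ciphertext: a message of `n` bytes produces `1 + n + 16` bytes, because the receiver regenerates the encrypted zero bytes itself before checking the MAC.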