For ChaCha20-Poly1305-IETF, you can encrypt 256 GB using a key and nonce pair for one message, but there's no practical limit for a single key (2^64 bytes).
Actually you can encrypt 2^96 * 256 GiB. It's limit for a single key with a sequential nonce. Not 2^64 bytes.
Sorry for my slow reply. Thank you for bringing these things up as they do need to be corrected. I believe I just copied that figure from the libsodium docs.
Thanks for the Guidelines! Very useful!
I would like to add some clarification regarding the limits.
You wrote:
But:
XChaCha20-Poly1305 exists in 2 variants: with 32-bit and 64-bit counter.
32-bit: XChaCha20-Poly1305 defined in https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha-03 Example: https://pycryptodome.readthedocs.io/en/latest/src/cipher/chacha20.html Max message size:
2^32 - 1
blocks.64-bit: XChaCha20-Poly1305 libsodium: https://libsodium.gitbook.io/doc/secret-key_cryptography/aead/chacha20-poly1305/xchacha20-poly1305_construction Limit is
2^64-1
bytes due to Poly1305 limitations.And 64-bit XChaCha20 https://libsodium.gitbook.io/doc/advanced/stream_ciphers/xchacha20 Limit is
2^64
blocks. The same: ChaCha20-DJB.Next:
Actually you can encrypt
2^96 * 256 GiB
. It's limit for a single key with a sequential nonce. Not 2^64 bytes.