Since Poly1305's margin of safety for authentication differs from the XChaCha20 cipher's margin of safety, ciphers that use the AEAD mode (XChaCha20-Poly1305) should further limit the amount of data encrypted with a single key, beneath what is required for a non-authenticating mode. The libsodium recommendation given is 2**63 messages for m sizes of 16KB.
(Note: This only affects wyng metadata, not data.)
For a non-counter-based mode, this is easily handled by setting the _maxcount constant to 2**63 and then advancing the counter by ceil(len(m) / 16384) for each message m.
Counter mode cannot use this formula, however, because of startup requirements. A good alternative is to recognize that in counter mode, encryptions of archive.ini (metadata root) far outnumber encryptions of other metadata, so using the worst case for archive.ini size as the average m len to adjust the _maxcount safety margin is possible. We can also cap the max number of volumes represented in archive.ini at 1024 (which seems more than enough) and arrive at a worst-case size of about 42-45KB. Ceil(45/16) = 3, which is more than covered by subtracting 2 bits of counter space: _maxcount = 2**61.
Related: #159 #161
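
The two accounting schemes described above, as an added Python sketch that is not wyng's own code. The names KeyBudget, KeyExhausted and counter_mode_maxcount are hypothetical, and charging an empty message one unit is an assumption.

```python
UNIT = 16384              # 16KB message size behind the quoted recommendation
RECOMMENDED_MAX = 2**63   # messages of UNIT bytes per key, as quoted above


class KeyExhausted(Exception):
    """Raised before an encryption that would exceed the per-key budget."""


class KeyBudget:
    """Non-counter mode: charge ceil(len(m) / 16384) units per message."""

    def __init__(self, maxcount=RECOMMENDED_MAX, used=0):
        self.maxcount = maxcount
        self.used = used

    def charge(self, m: bytes) -> int:
        # Integer ceiling division; assumption: an empty message costs one unit.
        units = max(1, -(-len(m) // UNIT))
        if self.used + units > self.maxcount:
            # Refuse *before* encrypting so the limit is never crossed.
            raise KeyExhausted("rotate the key before encrypting more metadata")
        self.used += units
        return units


def counter_mode_maxcount(worst_case_len: int, limit=RECOMMENDED_MAX) -> int:
    """Counter mode: the counter moves one step per message, so lower the
    ceiling by enough bits to cover the worst-case message size instead."""
    units = max(1, -(-worst_case_len // UNIT))
    bits = (units - 1).bit_length()        # ceil(log2(units))
    return limit >> bits


if __name__ == "__main__":
    budget = KeyBudget()
    for size in (100, 16384, 16385, 45 * 1024):   # constructed sample sizes
        print(size, "bytes ->", budget.charge(bytes(size)), "unit(s)")
    exponent = counter_mode_maxcount(45 * 1024).bit_length() - 1
    print("counter-mode ceiling for a 45KB archive.ini: 2**%d" % exponent)
```
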