>> Hmm if you're using a plain xsalsa20 stream and not secret boxes, does that >> mean you're implementing only encryption, not authentication? Note that >> XSalsa20 and related ciphers work by generating a random stream, and then >> XORing it with the plaintext.
FYI: It turns out that my stream-encryption code is totally broken anyway. I naively believed that Sodium’s `crypto_stream_xor` implemented a stream cipher, as the name implies — but it doesn’t. The key and nonce parameters are both const, so it’s stateless, and just xor’s the buffer with the same bit-stream every time it’s called. I am not a cryptographer, but I find this baffling and pointless. Why call this a “stream cipher” when the API only allows you to encrypt a single (variable-size) block of data? Looks like I’m forced to implement a chunk-based protocol after all. Good news is it’ll be tamper-proof. —Jens -- You received this message because you are subscribed to the Google Groups "Cap'n Proto" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/capnproto/FD4A7BDA-5DF1-4F4B-B574-57EFB4DE72FB%40mooseyard.com.
