It looks like the chacha20 functions have variants with an "ic" parameter,
which lets you specify the block counter, but the salsa20 functions don't
have this for some reason.

-Kenton

On Wed, Jan 12, 2022 at 6:59 PM Jens Alfke <j...@mooseyard.com> wrote:

>
> Hmm, if you're using a plain xsalsa20 stream and not secret boxes, does
> that mean you're implementing only encryption, not authentication? Note
> that XSalsa20 and related ciphers work by generating a random stream, and
> then XORing it with the plaintext.
>
>
> FYI: It turns out that my stream-encryption code is totally broken anyway.
> I naively believed that Sodium’s `crypto_stream_xor` implemented a stream
> cipher, as the name implies — but it doesn’t. The key and nonce parameters
> are both const, so it’s stateless, and just XORs the buffer with the same
> bit-stream every time it’s called.
>
> I am not a cryptographer, but I find this baffling and pointless. Why call
> this a “stream cipher” when the API only allows you to encrypt a single
> (variable-size) block of data?
>
> Looks like I’m forced to implement a chunk-based protocol after all. Good
> news is it’ll be tamper-proof.
>
> —Jens
>
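
An added example, not part of the original thread and not libsodium code: a self-contained ChaCha20 (original variant, 8-byte nonce and 64-bit block counter) whose hypothetical `xor_ic` helper takes its arguments in the same order as libsodium's `crypto_stream_chacha20_xor_ic`. It shows that restarting every chunk at block 0 repeats the keystream, while passing the running block count as `ic` reproduces the one-shot ciphertext; the key, nonce and message are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define LE32(p) ((uint32_t)(p)[0] | (uint32_t)(p)[1] << 8 | (uint32_t)(p)[2] << 16 | (uint32_t)(p)[3] << 24)
#define QR(a, b, c, d) \
    a += b; d ^= a; d = ROTL(d, 16); c += d; b ^= c; b = ROTL(b, 12); \
    a += b; d ^= a; d = ROTL(d, 8);  c += d; b ^= c; b = ROTL(b, 7)

/* One 64-byte ChaCha20 keystream block for (key, 8-byte nonce, block counter). */
static void chacha20_block(unsigned char out[64], const unsigned char k[32],
                           const unsigned char n[8], uint64_t ctr) {
    uint32_t s[16] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}, x[16];
    for (int i = 0; i < 8; i++) s[4 + i] = LE32(k + 4 * i);
    s[12] = (uint32_t)ctr; s[13] = (uint32_t)(ctr >> 32);
    s[14] = LE32(n); s[15] = LE32(n + 4);
    memcpy(x, s, sizeof x);
    for (int i = 0; i < 10; i++) {                 /* 10 double rounds */
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (int i = 0; i < 64; i++) out[i] = (unsigned char)((x[i / 4] + s[i / 4]) >> (8 * (i % 4)));
}

/* Hypothetical helper: stateless XOR whose keystream starts at block `ic`. */
static void xor_ic(unsigned char *c, const unsigned char *m, size_t len,
                   const unsigned char n[8], uint64_t ic, const unsigned char k[32]) {
    unsigned char ks[64];
    for (size_t off = 0; off < len; off += 64, ic++) {
        chacha20_block(ks, k, n, ic);
        for (size_t j = 0; j < 64 && off + j < len; j++) c[off + j] = m[off + j] ^ ks[j];
    }
}

/* Encrypt 128 bytes as two 64-byte chunks, the second starting at block ic2.
   Bit 0: result equals one-shot encryption. Bit 1: c1 ^ c2 == m1 ^ m2 (reuse). */
static int two_chunks(uint64_t ic2) {
    unsigned char k[32] = {1}, n[8] = {2}, m[128], whole[128], c[128]; /* constructed */
    int leak = 1;
    for (int i = 0; i < 128; i++) m[i] = (unsigned char)(i * 7);
    xor_ic(whole, m, 128, n, 0, k);
    xor_ic(c, m, 64, n, 0, k); xor_ic(c + 64, m + 64, 64, n, ic2, k);
    for (int i = 0; i < 64; i++) leak &= (c[i] ^ c[64 + i]) == (m[i] ^ m[64 + i]);
    return (memcmp(whole, c, 128) == 0) | leak << 1;
}

int main(void) { printf("%d %d\n", two_chunks(0), two_chunks(1)); return 0; }
```

`two_chunks(0)` returns 2 (keystream reused, so the XOR of the two ciphertext chunks equals the XOR of the two plaintext chunks) and `two_chunks(1)` returns 1 (identical to the one-shot ciphertext). As with the raw stream functions discussed in the thread, nothing here authenticates the data.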
