>> Hmm if you're using a plain xsalsa20 stream and not secret boxes, does that 
>> mean you're implementing only encryption, not authentication? Note that 
>> XSalsa20 and related ciphers work by generating a random stream, and then 
>> XORing it with the plaintext.

FYI: It turns out that my stream-encryption code is totally broken anyway. I 
naively believed that Sodium’s `crypto_stream_xor` implemented a stream cipher, 
as the name implies — but it doesn’t. The key and nonce parameters are both 
const, so it’s stateless, and just XORs the buffer with the same bit-stream 
every time it’s called.

I am not a cryptographer, but I find this baffling and pointless. Why call this 
a “stream cipher” when the API only allows you to encrypt a single 
(variable-size) block of data?

Looks like I’m forced to implement a chunk-based protocol after all. Good news 
is it’ll be tamper-proof.

—Jens

-- 
You received this message because you are subscribed to the Google Groups 
"Cap'n Proto" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/capnproto/FD4A7BDA-5DF1-4F4B-B574-57EFB4DE72FB%40mooseyard.com.
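The two properties Jens ran into, a stateless `crypto_stream_xor` that restarts its keystream on every call with the same key and nonce, and no authentication at all, can be modelled in a few lines of Python. This is an added example and is not code from the post or from libsodium: `keystream` is a toy HMAC-SHA256 counter-mode generator that stands in for XSalsa20 (an assumption made for the sake of running offline; it is not the real cipher), and `chunk_nonce`, `seal_chunk`, `open_chunk`, `seal_stream` and `open_stream` are hypothetical names for the chunked, authenticated framing the post says it will move to. The first function shows why reusing the keystream is a confidentiality failure (XORing two ciphertexts cancels the keystream and exposes the XOR of the plaintexts); the rest shows a per-chunk nonce of 16 random bytes plus an 8-byte sequence number (24 bytes, the XSalsa20 nonce size) with a MAC that also binds the sequence number, so bit flips, reordering and truncation are rejected before anything is decrypted. libsodium's `crypto_secretstream_xchacha20poly1305_*` API packages the same pattern.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32          # HMAC-SHA256 tag appended to every chunk
BASE_NONCE_LEN = 16   # random per-stream prefix; + 8-byte counter = 24-byte nonce


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream generator (HMAC-SHA256 in counter mode).

    Assumption: this is a stand-in, NOT XSalsa20. It reproduces the one
    property under discussion: the same (key, nonce) always yields the same bytes.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def stream_xor(message: bytes, nonce: bytes, key: bytes) -> bytes:
    """Stateless XOR with the keystream, mirroring crypto_stream_xor's shape:
    no position is remembered between calls, so every call starts at byte 0."""
    return bytes(m ^ k for m, k in zip(message, keystream(key, nonce, len(message))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leaks(p1: bytes, p2: bytes, nonce: bytes, key: bytes) -> bool:
    """Two calls with the same (key, nonce) encrypt under the same keystream,
    so XORing the two ciphertexts cancels it and leaves p1 XOR p2 in the clear.
    Returns True when that leak is observable."""
    c1 = stream_xor(p1, nonce, key)
    c2 = stream_xor(p2, nonce, key)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def chunk_nonce(base_nonce: bytes, seq: int) -> bytes:
    """Unique nonce per chunk: random per-stream prefix || big-endian chunk number."""
    return base_nonce[:BASE_NONCE_LEN] + struct.pack(">Q", seq)


def seal_chunk(enc_key: bytes, mac_key: bytes, base_nonce: bytes, seq: int, plaintext: bytes) -> bytes:
    nonce = chunk_nonce(base_nonce, seq)
    ct = stream_xor(plaintext, nonce, enc_key)
    # The tag covers the nonce (hence the sequence number) and the ciphertext,
    # so reordering, replay within the stream and bit flips are all detected.
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_chunk(enc_key: bytes, mac_key: bytes, base_nonce: bytes, seq: int, blob: bytes) -> bytes:
    if len(blob) < TAG_LEN:
        raise ValueError("chunk %d: truncated" % seq)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    nonce = chunk_nonce(base_nonce, seq)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("chunk %d: authentication failed" % seq)
    return stream_xor(ct, nonce, enc_key)        # decrypt only after verifying


def seal_stream(enc_key: bytes, mac_key: bytes, base_nonce: bytes, chunks: list) -> list:
    """Sender side: chunk i gets nonce (base || i); the receiver re-derives it."""
    return [seal_chunk(enc_key, mac_key, base_nonce, i, c) for i, c in enumerate(chunks)]


def open_stream(enc_key: bytes, mac_key: bytes, base_nonce: bytes, blobs: list) -> list:
    """Receiver side: the expected sequence number is the position in the stream."""
    return [open_chunk(enc_key, mac_key, base_nonce, i, b) for i, b in enumerate(blobs)]


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    base = os.urandom(BASE_NONCE_LEN)
    # Constructed sample: two messages a naive caller would encrypt with one nonce.
    print("same-nonce leak observable:",
          keystream_reuse_leaks(b"attack at dawn", b"hold position!", base, enc_key))
    blobs = seal_stream(enc_key, mac_key, base, [b"first chunk", b"second chunk"])
    print("round trip:", open_stream(enc_key, mac_key, base, blobs))
    try:
        open_chunk(enc_key, mac_key, base, 1, blobs[0])   # chunk 0 replayed as chunk 1
    except ValueError as e:
        print("rejected:", e)
```

Keys for encryption and for the MAC are kept separate on purpose; with a real cipher the same framing applies, only `stream_xor` and `keystream` change.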