It looks like the chacha20 functions have variants with an "ic" parameter, which lets you specify the block counter, but the salsa20 functions don't have this for some reason.
-Kenton

On Wed, Jan 12, 2022 at 6:59 PM Jens Alfke <[email protected]> wrote:

> Hmm if you're using a plain xsalsa20 stream and not secret boxes, does
> that mean you're implementing only encryption, not authentication? Note
> that XSalsa20 and related ciphers work by generating a random stream, and
> then XORing it with the plaintext.
>
> FYI: It turns out that my stream-encryption code is totally broken anyway.
> I naively believed that Sodium’s `crypto_stream_xor` implemented a stream
> cipher, as the name implies — but it doesn’t. The key and nonce parameters
> are both const, so it’s stateless, and just xor’s the buffer with the same
> bit-stream every time it’s called.
>
> I am not a cryptographer, but I find this baffling and pointless. Why call
> this a “stream cipher” when the API only allows you to encrypt a single
> (variable-size) block of data?
>
> Looks like I’m forced to implement a chunk-based protocol after all. Good
> news is it’ll be tamper-proof.
>
> —Jens
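The keystream reuse and the block-counter parameter discussed in this thread, shown as an added example that is not part of the original messages and is not libsodium code. It assumes the RFC 8439 ChaCha20 layout (32-byte key, 12-byte nonce, 32-bit counter) in pure Python; `stream_xor_ic`, `encrypt_chunks` and the sample key, nonce and plaintexts are hypothetical names and constructed values, and the code encrypts only, with no authentication.

```python
import struct

M = 0xFFFFFFFF

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & M

def quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M; s[d] = rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M; s[b] = rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M; s[d] = rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M; s[b] = rotl(s[b] ^ s[c], 7)

ROUNDS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
          (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def chacha20_block(key, nonce, counter):
    """One 64-byte keystream block, RFC 8439 layout (32-byte key, 12-byte nonce)."""
    init = list(struct.unpack("<4I", b"expand 32-byte k") + struct.unpack("<8I", key)
                + (counter & M,) + struct.unpack("<3I", nonce))
    s = init[:]
    for _ in range(10):            # 10 double rounds = 20 rounds
        for idx in ROUNDS:
            quarter(s, *idx)
    return struct.pack("<16I", *((x + y) & M for x, y in zip(s, init)))

def stream_xor_ic(data, nonce, ic, key):
    """Stateless XOR against the keystream starting at block `ic` (hypothetical helper)."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, ic + off // 64)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

def encrypt_chunks(chunks, nonce, key):
    """Encrypt chunks as one continuous stream by carrying the block counter forward."""
    out, pos = [], 0
    for chunk in chunks:
        if pos % 64:
            raise ValueError("only the final chunk may end mid-block")
        out.append(stream_xor_ic(chunk, nonce, pos // 64, key))
        pos += len(chunk)
    return b"".join(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

KEY, NONCE = bytes(range(32)), bytes(12)          # constructed sample values
P1, P2 = b"first chunk ".ljust(64, b"."), b"second chunk, shorter"
# Calling with ic=0 for every chunk reuses the keystream: ciphertexts XOR to plaintexts XOR.
REUSED = xor(stream_xor_ic(P1, NONCE, 0, KEY), stream_xor_ic(P2, NONCE, 0, KEY))
# Carrying the counter forward gives the same bytes as one call over the whole message.
CHUNKED = encrypt_chunks([P1, P2], NONCE, KEY)
```

`REUSED` equals `xor(P1, P2)` regardless of the key, which is why a per-chunk counter (or a fresh nonce per chunk) is required when a message is encrypted in pieces.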
