Hello, thanks for the report!
Monocypher itself has only detached mode (separate pointers to nonce, MAC and message), so of course it is compatible.
I created `encrypt`/`decrypt` to implement something that can be easily used without thinking that it could be compatible with existing protocols.
In libsodium's combined mode the MAC is placed after the cyphertext, but the nonce (npub) is still a separate pointer and can be placed anywhere (so it could be "cyphertext-MAC-nonce", or "cyphertext-MAC" with the nonce calculated separately). So even the order "nonce-cyphertext-MAC" won't be fully compatible with libsodium.
But it looks like Branca tokens use exactly this order ("nonce-cyphertext-MAC"). So I think it is fine to change the order to match it; I'll make a fix in a few days.
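The two layouts from this exchange, as an added example that is not part of the thread or of the shard's code: it splits and repacks a combined message assuming the standard XChaCha20-Poly1305 sizes (24-byte nonce, 16-byte MAC). The function and layout names are hypothetical, and the sample bytes are constructed.

```python
# Added example (not from the shard): repack a combined XChaCha20-Poly1305
# message between the two layouts discussed in this thread.
NONCE_LEN = 24  # XChaCha20 nonce size in bytes
MAC_LEN = 16    # Poly1305 tag size in bytes

# Layout names are hypothetical labels chosen for this example.
MAC_FIRST = "nonce|mac|ciphertext"  # order the thread describes for Crypto.encrypt
MAC_LAST = "nonce|ciphertext|mac"   # order the thread describes for Branca


def split(message: bytes, layout: str):
    """Return (nonce, mac, ciphertext) from a combined message."""
    if len(message) < NONCE_LEN + MAC_LEN:
        raise ValueError("message is shorter than nonce + MAC")
    nonce, rest = message[:NONCE_LEN], message[NONCE_LEN:]
    if layout == MAC_FIRST:
        return nonce, rest[:MAC_LEN], rest[MAC_LEN:]
    if layout == MAC_LAST:
        return nonce, rest[-MAC_LEN:], rest[:-MAC_LEN]
    raise ValueError(f"unknown layout: {layout!r}")


def join(nonce: bytes, mac: bytes, ciphertext: bytes, layout: str) -> bytes:
    """Build a combined message in the requested layout."""
    if len(nonce) != NONCE_LEN or len(mac) != MAC_LEN:
        raise ValueError("wrong nonce or MAC length")
    if layout == MAC_FIRST:
        return nonce + mac + ciphertext
    if layout == MAC_LAST:
        return nonce + ciphertext + mac
    raise ValueError(f"unknown layout: {layout!r}")


def convert(message: bytes, src: str, dst: str) -> bytes:
    """Repack without touching the key: only the field order changes."""
    return join(*split(message, src), dst)


def libsodium_args(message: bytes, layout: str):
    """Return (npub, c) with c = ciphertext||MAC, the combined-mode order."""
    nonce, mac, ciphertext = split(message, layout)
    return nonce, ciphertext + mac


# Constructed sample fields (not real cipher output).
SAMPLE_NONCE = bytes(range(NONCE_LEN))
SAMPLE_MAC = b"M" * MAC_LEN
SAMPLE_CT = b"secret-ciphertext"
```

Parsing a MAC-first message with the MAC-last layout yields the wrong tag bytes, so the receiving side fails authentication instead of decrypting.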
You are totally right. I was just thinking people using the encrypt function might expect the MAC being placed after the ciphertext regardless of the nonce position. As for Branca it does not matter, because I am using the LibMonocypher.aead_lock method directly anyways.
If it generally makes more sense to place the MAC before the ciphertext, then keep your implementation as it is.
Hello @konovod,
I used your shard to implement the Branca Token spec and it works perfectly fine.
One thing I noticed is that the `Crypto.encrypt` and `Crypto.decrypt` functions assume that the MAC is placed after the nonce and before the ciphertext. Implementations using libsodium (e.g. PHP's `sodium_crypto_aead_xchacha20poly1305_ietf_encrypt`) seem to handle this differently in that they place the MAC after the ciphertext.
Since Monocypher has a section about compatibility with libsodium, this might be something to look into.
Kind regards
Johannes