MAC position #4

Open
jrabausch opened this issue May 30, 2023 · 2 comments
@jrabausch

Hello @konovod ,

I used your shard to implement the Branca Token spec and it works perfectly fine.

One thing I noticed is that the Crypto.encrypt and Crypto.decrypt functions assume that the MAC is placed after the nonce and before the ciphertext. Implementations using libsodium (e.g. PHP's sodium_crypto_aead_xchacha20poly1305_ietf_encrypt) seem to handle this differently in that they place the MAC after the ciphertext.

Since Monocypher has a section about compatibility with libsodium, this might be something to look into.

Kind regards
Johannes

@konovod
Owner

konovod commented May 30, 2023

Hello, thanks for the report!
Monocypher itself has only detached mode (separate pointers to nonce, MAC and message), so of course it is compatible.
I created `encrypt`/`decrypt` to implement something that can be easily used, without thinking that it could be compatible with existing protocols.
In libsodium's combined mode the MAC is placed after the ciphertext, but the nonce (npub) is still a separate pointer and can be placed anywhere (so it could be "ciphertext-MAC-nonce", or "ciphertext-MAC" with the nonce calculated separately). So even the order "nonce-ciphertext-MAC" won't be fully compatible with libsodium.

But it looks like Branca tokens use exactly this order ("nonce-ciphertext-MAC"). So I think it is fine to change the order to match it; I'll make a fix in a few days.

@jrabausch
Author

You are totally right. I was just thinking people using the encrypt function might expect the MAC being placed after the ciphertext regardless of the nonce position. As for Branca it does not matter, because I am using the LibMonocypher.aead_lock method directly anyways.
If it generally makes more sense to place the MAC before the ciphertext, then keep your implementation as it is.

Thanks for the clarification!
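
The byte orders compared in this thread, as an added example that is not part of the issue or of the shard's code: it only reorders nonce, MAC and ciphertext between the layouts, with no encryption or key involved. The layout labels and the function names `split`, `join` and `repack` are made up here; the 24-byte nonce and 16-byte MAC are the XChaCha20-Poly1305 sizes.

```python
from typing import NamedTuple, Optional

NONCE_LEN = 24  # XChaCha20 nonce, bytes
MAC_LEN = 16    # Poly1305 tag, bytes

# Layout labels are made up for this example; the orders come from the thread.
LAYOUTS = {
    "nonce-mac-ct": ("nonce", "mac", "ciphertext"),  # order the issue reports for Crypto.encrypt
    "nonce-ct-mac": ("nonce", "ciphertext", "mac"),  # order the thread attributes to Branca
    "ct-mac": ("ciphertext", "mac"),                 # libsodium combined mode, nonce held apart
}


class Detached(NamedTuple):
    """The three separate buffers a detached-mode AEAD API works with."""
    nonce: bytes
    mac: bytes
    ciphertext: bytes


def split(blob: bytes, layout: str, nonce: Optional[bytes] = None) -> Detached:
    """Cut a packed message into nonce, MAC and ciphertext."""
    order = LAYOUTS[layout]
    has_nonce = "nonce" in order
    if has_nonce == (nonce is not None):
        raise ValueError("pass a separate nonce only for layouts that do not embed one")
    if nonce is not None and len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 24 bytes")
    fixed = MAC_LEN + (NONCE_LEN if has_nonce else 0)
    if len(blob) < fixed:
        raise ValueError("message too short for this layout")
    sizes = {"nonce": NONCE_LEN, "mac": MAC_LEN, "ciphertext": len(blob) - fixed}
    parts = {"nonce": nonce}
    pos = 0
    for field in order:
        parts[field] = blob[pos:pos + sizes[field]]
        pos += sizes[field]
    return Detached(**parts)


def join(parts: Detached, layout: str) -> bytes:
    """Pack detached buffers in the byte order of the given layout."""
    return b"".join(getattr(parts, field) for field in LAYOUTS[layout])


def repack(blob: bytes, src: str, dst: str, nonce: Optional[bytes] = None) -> bytes:
    """Reorder a message from one layout to another without touching the key."""
    return join(split(blob, src, nonce), dst)
```

A message cut at the wrong offsets fails MAC verification on decrypt rather than decrypting to garbage, so a layout mismatch between two implementations shows up as an authentication error.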
