XChaCha20 limits

[hakavlad]

Thanks for the Guidelines! Very useful!

I would like to add some clarification regarding the limits.

You wrote:

XChaCha20-Poly1305 and non-IETF ChaCha20-Poly1305 have no practical limits (~2^64 bytes).

But:

XChaCha20-Poly1305 exists in 2 variants: with 32-bit and 64-bit counter.

32-bit: XChaCha20-Poly1305 defined in https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha-03
Example: https://pycryptodome.readthedocs.io/en/latest/src/cipher/chacha20.html
Max message size: 2^32 - 1 blocks.

64-bit: XChaCha20-Poly1305 libsodium: https://libsodium.gitbook.io/doc/secret-key_cryptography/aead/chacha20-poly1305/xchacha20-poly1305_construction
Limit is 2^64-1 bytes due to Poly1305 limitations.

And 64-bit XChaCha20 https://libsodium.gitbook.io/doc/advanced/stream_ciphers/xchacha20
Limit is 2^64 blocks. The same: ChaCha20-DJB.

Next:

For ChaCha20-Poly1305-IETF, you can encrypt 256 GB using a key and nonce pair for one message, but there's no practical limit for a single key (2^64 bytes).

Actually you can encrypt 2^96 * 256 GiB. It's limit for a single key with a sequential nonce. Not 2^64 bytes.

[samuel-lucas6]

Sorry for my slow reply. Thank you for bringing these things up as they do need to be corrected. I believe I just copied that figure from the libsodium docs.