When encrypting a string through the Libsodium secret box feature, the ciphertext is 48 bytes longer than the plain text message ...
I am wondering why this is ... since the nonce is only 24 bytes.
Asked
Active
Viewed 622 times
2 Answers
5
Notice that $\operatorname{secretbox}$ has a $16$-byte MAC too. For reference, I've included $\operatorname{box}$ too.
$$ \operatorname{secretbox} : \text{24 nonce} + \text{0 xsalsa} + \text{16 poly1305}\\ \operatorname{box} : \text{32 curve25519} + \text{24 nonce} + \text{0 xsalsa} + \text{16 poly1305} $$
However, the nonce is user-controlled and normally not included in the ciphertext overhead as it is usually never sent, often a protocol-level counter.
You say "secret box" but you mean the normal "box" which uses a public key. Your ciphertext is expanded with your $32$-byte ephemeral public key and the $16$-byte MAC.
cypherfox
- 1,422
- 7
- 16
-
-
Chacha is a stream cipher with no padding. So no overhead. BTW: updated answer regarding the validity of counting nonces here. – cypherfox Mar 17 '18 at 13:12
-
-
Thanks. But 24 + 16 is still not equal to 48 ... So I am still missing something that's probably obvious ... – abc Mar 17 '18 at 13:18
-
-
I checked and you are right that in crypto_boxes ONLY 16 bytes are added after encryption ... The 48 bytes I talked about are relevant when using sodium_crypto_box_seal .... – abc Mar 17 '18 at 13:56
-
1
Sealed boxes: public key (32 bytes) + MAC (16 bytes).
The nonce is deterministic, as a new key pair is created for every message.
Frank Denis
- 2,964
- 15
- 17