ChaCha20Poly1305: Nonce is not incremented above 2^70, allowing for inadvertent reuse
This is security-breaking behavior, potentially. Simply generating a random nonce each time is not sufficient in this scenario. We need to use a counter as well, to ensure that we don't use a given nonce + MAC key more than once for the same encrypted information.
This takes place here: https://github.com/blur-network/blur/blob/master/src/crypto/chacha.c#L142
And has relevance here:
Line 3997 in 5971fe6
... among other places, too.
For the implications of what this inadvertent reuse could result in, see:
https://github.com/miscreant/miscreant/wiki/Nonce-Reuse-Misuse-Resistance
This was mentioned as a prospective change in #53
Why don't we place a hard stop at 2^70 at this point? If we can't securely encrypt data larger than that (limitation of chacha20), or if it never happens ... why not place a stop there instead of making it a user's responsibility?
Edit: Need to look into difficulty calculations, as this has probably the most relevance there, where we frequently deal with larger than 70-bit numbers.
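The following Python model is an added example, not code from the blur repository or from either poster. It assumes the original ChaCha layout with an 8-byte nonce and a 64-bit block counter (the layout in which the 2^70-byte-per-nonce limit arises) and covers only the keystream side, not the Poly1305 tag: chacha20_block() refuses any block index at or past 2^64 (the hard stop asked for above), and CounterNonceStream (a hypothetical name) builds each nonce from a random prefix plus a message counter, so the same (key, nonce) pair is never used twice while the key is live, which a fresh random nonce alone cannot guarantee.

```python
import os
import struct

MASK = 0xFFFFFFFF
# 64-bit block counter x 64-byte blocks = 2^70 bytes per nonce; past that the
# counter wraps and keystream repeats, so the block function refuses to go there.
MAX_BLOCKS_PER_NONCE = 1 << 64

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _qr(s, a, b, c, d):  # ChaCha quarter round, in place
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    """One 64-byte keystream block for (32-byte key, 8-byte nonce, 64-bit block index)."""
    if not 0 <= counter < MAX_BLOCKS_PER_NONCE:
        raise ValueError("block counter would wrap: more than 2^70 bytes under one nonce")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += list(struct.unpack("<8I", key))
    state += [counter & MASK, counter >> 32]   # 64-bit counter, low word first
    state += list(struct.unpack("<2I", nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK for i in range(16)])

class CounterNonceStream:
    """Hypothetical per-key nonce manager: nonce = 32-bit random prefix || 32-bit
    message counter, so no nonce is reused under this key; rotate the key when exhausted."""
    def __init__(self, key, prefix=None):
        self.key = key
        self.prefix = os.urandom(4) if prefix is None else prefix  # constructed prefix for tests
        self.msg_counter = 0

    def next_nonce(self):
        if self.msg_counter > 0xFFFFFFFF:
            raise RuntimeError("message counter exhausted: rotate the key")
        nonce = self.prefix + struct.pack("<I", self.msg_counter)
        self.msg_counter += 1
        return nonce

    def encrypt(self, plaintext):  # returns (nonce, ciphertext); decryption is the same XOR
        nonce = self.next_nonce()
        out = bytearray()
        for blk, i in enumerate(range(0, len(plaintext), 64)):
            out += bytes(p ^ k for p, k in zip(plaintext[i:i + 64], chacha20_block(self.key, nonce, blk)))
        return nonce, bytes(out)
```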