ahdinosaur / secret-channel

🤫 A protocol for an authenticated and encrypted message stream

Key usage limits and re-keying #5

Open ahdinosaur opened 9 months ago

ahdinosaur commented 9 months ago

Looks like AEAD algorithms have usage limits: https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-07.html

ChaCha20-Poly1305's limit is 2^100. Wait... that's plenty good.

But @noble/ciphers says 2^46: https://github.com/paulmillr/noble-ciphers#encryption-limits. Why the difference?

Will look into this more. If the limit is low enough, we could set a threshold to automatically re-key.

The idea would be to have the 96-bit nonce constructed similarly to STREAM and libsodium's secretstream:

ahdinosaur commented 9 months ago

libsodium says: https://doc.libsodium.org/secret-key_cryptography/aead/chacha20-poly1305/ietf_chacha20-poly1305_construction

The IETF variant of the ChaCha20-Poly1305 construction can safely encrypt a practically unlimited number of messages...

paulmillr commented 9 months ago

libsodium says:

That's false.

The top URL you've given:

https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-07.html#section-6.4

Section 6.4 clearly says the limit for AEAD is 2^46. 2^100 is for pure chacha without poly.
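
The automatic re-key threshold proposed in the opening comment, sketched as an added example (not code from secret-channel, @noble/ciphers or libsodium): both ends count messages under the current key and ratchet to a fresh key when the count reaches the threshold. Assumptions: Node's built-in `chacha20-poly1305`, an HKDF-SHA256 ratchet, a plain 96-bit counter nonce rather than the STREAM layout, and a constructed threshold `REKEY_AFTER`; `ChannelKey`, `seal` and `open` are hypothetical names.

```javascript
const crypto = require('node:crypto');

// Assumption: a tiny limit so the demo re-keys quickly; a real limit would be
// chosen from the AEAD usage bounds discussed in this thread.
const REKEY_AFTER = 3;

class ChannelKey {
  constructor(key) {
    this.key = Buffer.from(key); // private copy of the 32-byte key
    this.counter = 0n;           // messages processed under this key
    this.generation = 0;         // number of re-keys so far
  }
  // Assumption: nonce is the message counter as a 96-bit big-endian integer.
  nonce() {
    const n = Buffer.alloc(12);
    n.writeBigUInt64BE(this.counter, 4);
    return n;
  }
  // Count one message; at the threshold derive a fresh key and reset the counter.
  advance() {
    this.counter += 1n;
    if (this.counter < BigInt(REKEY_AFTER)) return;
    // Assumption: HKDF-SHA256 as the ratchet; the old key is wiped afterwards.
    const next = crypto.hkdfSync('sha256', this.key, Buffer.alloc(0), 'rekey', 32);
    this.key.fill(0);
    this.key = Buffer.from(next);
    this.counter = 0n; // nonces restart safely because the key changed
    this.generation += 1;
  }
}

// Encrypt one message and return ciphertext || 16-byte tag.
function seal(state, plaintext) {
  const c = crypto.createCipheriv('chacha20-poly1305', state.key, state.nonce(), { authTagLength: 16 });
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  const out = Buffer.concat([body, c.getAuthTag()]);
  state.advance();
  return out;
}

// Verify and decrypt one message; throws if the tag does not match.
function open(state, packet) {
  const d = crypto.createDecipheriv('chacha20-poly1305', state.key, state.nonce(), { authTagLength: 16 });
  d.setAuthTag(packet.subarray(packet.length - 16));
  const body = Buffer.concat([d.update(packet.subarray(0, packet.length - 16)), d.final()]);
  state.advance(); // only reached when authentication succeeded
  return body;
}
```

The receiver advances its counter only after the tag verifies, so a forged or dropped packet cannot push the two ends onto different key generations.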