Access MAC keys in NaCl/libsodium

Question

According to https://cr.yp.to/highspeed/naclcrypto-20090310.pdf, NaCl derives a MAC key from the shared secret and the nonce in crypto_box APIs.

Alice uses the first 32 bytes of the long stream (generated from the shared secret and nonce using salsa20) to compute an authenticator of the encrypted packet.

However, this procedure is internal. I wonder if there is an API to derive the MAC key manually?

score 0 · Accepted Answer · answered Feb 16 '18 at 10:17

0

The box construction uses the xsalsa20 cipher (originally -- there is also a variant using xchacha20).

The first block of that cipher are used as a Poly1305 key. The remaining blocks are XORed with the message to compute the ciphertext.

So, you can simply use crypto_stream() to compute the Poly1305 key.

answered Feb 16 '18 at 10:17

Frank Denis

1,475
9
12

Okay. Thanks. IMO accessing the MAC key can be a useful API. – qweruiop Feb 17 '18 at 16:48
Probably not :) Remember that this is a one-time key. It should be used only once. Authenticating different messages (or ciphertexts) with the same key can lead to key recovery. – Frank Denis Feb 17 '18 at 19:05

Access MAC keys in NaCl/libsodium

1 Answers1