WARNING: This is a personal project, unsafe for real data. Don’t use it.
Encrypt files using a random keyfile, like enchive without public keys. Plain
256-bit encryption satisfies even the most paranoid quantum computing fears.
Each file’s encryption key derives from a common keyfile plus a 256-bit random
seed. Keep the keyfile secret. Its passphrase discourages only casual snooping,
given that passphrases can be discovered by brute-force or hidden camera.
Currently uses Argon2id, BLAKE2b, and ChaCha20-Poly1305 from libsodium.
License
Copyright 2022-2023 Mark Dascher
Licensed under the ISC License.
Specification
WARNING: All details are still subject to change.
Argon2id makes two passes of 1 GiB by default. The memory limit is adjustable
between 1 MiB and 512 GiB, but only in whole powers of two. Therefore, there are
only 20 possibilities to try when the correct value is inevitably forgotten.
ChaCha20-Poly1305 refers to the IETF/TLS variant, having a 96-bit nonce. Here
the nonce is treated as a single little-endian integer consisting of 12 bytes.

    salt = 16 random bytes
    keyP = Argon2id(salt, "ADIOS MOOCHACHA" || 0 || password)
    keyW = 32 random bytes
    wrap = ChaCha20-Poly1305(keyP, nonce=0, msg=keyW)
    keyfile = (salt, wrap)

After creating or unlocking the keyfile, encryption of plaintext can begin. The
maximum file size is 2^108 + 8191 = 324,518,553,658,426,726,783,156,020,584,447
bytes which…ought to be enough for anybody?
A sequential 96-bit ChaCha20 nonce is exactly as safe as a random 192-bit
XChaCha20 nonce, even without overflow checking. Still, go ahead and check for
nonce overflow if you want, since it’s mathematically the weakest point.

    plaintext = (p0, p1, ..., pN); where p0 is 12288 bytes,
                                   each inner p is 4096 bytes,
                                   and pN is 0-4095 bytes.
             or (p0);              where p0 is 0-12287 bytes.
    seed = 32 random bytes
    keyF = BLAKE2b-256(keyW, msg=seed)
    c0 = ChaCha20-Poly1305(keyF, nonce=0, msg=p0)
    c1 = ChaCha20-Poly1305(keyF, nonce=1, msg=p1)
    ...
    cN = ChaCha20-Poly1305(keyF, nonce=N, msg=pN)
    ciphertext = (seed, c0, c1, ..., cN); where c0 is 12304 bytes,
                                          each inner c is 4112 bytes,
                                          and cN is 16-4111 bytes.
              or (seed, c0);              where c0 is 16-12303 bytes.
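
The chunk framing above can be checked without any AEAD at all. The following sketch is an added example, not code from this project: it splits plaintext the way the spec lists it, encodes the sequential nonce, and validates a ciphertext size so that a file cut at a chunk boundary is rejected by length alone. All function names are hypothetical, and reading BLAKE2b-256(keyW, msg=seed) as keyed BLAKE2b with a 32-byte digest is an assumption.

```python
import hashlib

SEED, TAG = 32, 16            # seed prefix and Poly1305 tag sizes, in bytes
FIRST, INNER = 12288, 4096    # plaintext sizes of p0 and of each inner chunk
MAX_NONCE = (1 << 96) - 1     # largest value of the 96-bit sequential nonce

def derive_file_key(key_w: bytes, seed: bytes) -> bytes:
    # Assumption: "BLAKE2b-256(keyW, msg=seed)" is keyed BLAKE2b, 32-byte digest.
    return hashlib.blake2b(seed, key=key_w, digest_size=32).digest()

def nonce_bytes(counter: int) -> bytes:
    # The nonce is one little-endian integer of 12 bytes; refuse to wrap around.
    if not 0 <= counter <= MAX_NONCE:
        raise OverflowError("nonce counter outside 96 bits")
    return counter.to_bytes(12, "little")

def split_plaintext(data: bytes):
    """Yield (nonce_counter, chunk) pairs in the order the spec encrypts them."""
    if len(data) < FIRST:                  # short form: (p0) alone
        yield 0, data
        return
    yield 0, data[:FIRST]
    pos, counter = FIRST, 1
    while len(data) - pos >= INNER:        # full inner chunks
        yield counter, data[pos:pos + INNER]
        pos, counter = pos + INNER, counter + 1
    yield counter, data[pos:]              # pN: always present, 0-4095 bytes

def ciphertext_layout(ct_len: int):
    """Return (chunk_count, plaintext_len) for a file size, or raise ValueError."""
    body = ct_len - SEED
    if body < TAG:
        raise ValueError("too short for a seed and one tag")
    if body < FIRST + TAG:                 # short form: (seed, c0)
        return 1, body - TAG
    inner, last = divmod(body - (FIRST + TAG), INNER + TAG)
    if last < TAG:                         # ends on a chunk boundary or mid-tag
        raise ValueError("final chunk missing or truncated")
    if inner + 1 > MAX_NONCE:              # index N of the last chunk
        raise OverflowError("more chunks than 96-bit nonces")
    return inner + 2, FIRST + inner * INNER + last - TAG
```

Because pN is always shorter than an inner chunk, a plaintext of exactly 12288 bytes still produces a second, empty chunk whose ciphertext is a bare 16-byte tag.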