hi @filippo

The Go chachapoly source has a comment that states:

// Note that this is too short to be safely generated at random if the same
// key is reused more than 2³² times.
NonceSize = 12

https://cs.opensource.google/go/x/crypto/+/master:chacha20poly1305/chacha20poly1305.go;l=22-24`

According to the birthday paradox I would have expected a higher number of safe key re-use, at most 2^48 times for this 96 bit nonce. Do you know why 2^32 is stated?