1

Do I understand correctly that XSalsa20 + Poly1305 provides authentication without a tag? If so, then how does that work?

I came to that conclusion by reading http://nacl.cr.yp.to/secretbox.html, "Secret-key authenticated encryption", where it states (as far as I understand) that the ciphertext has the same length as the plaintext.

Hashi Oki

1 Answer

2

The documentation is a bit misleading about crypto_secretbox_xsalsa20poly1305, which uses a 16-byte Poly1305 authentication tag. Libsodium has a clearer explanation of it. From the abstract of Bernstein's paper:

Poly1305-AES computes a 16-byte authenticator of a variable-length message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce

I would be surprised if one could authenticate an arbitrary message without using a MAC tag (Wikipedia quote):

In cryptography, a message authentication code (MAC), sometimes known as a tag, is a short piece of information used to authenticate a message—in other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed.

Therefore the short piece of information must be somewhere!

kelalaka
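An added example, not part of the question or the answer above, showing where the tag sits in the NaCl C API buffers: the plaintext buffer must start with 32 zero bytes and the ciphertext buffer starts with 16 zero bytes, so the two padded buffers have equal length while the 16-byte Poly1305 tag occupies bytes 16..31 of the ciphertext. Poly1305 is implemented in full; the keystream is a SHAKE-256 stand-in for XSalsa20 (an assumption made to keep the code short), and the function names are hypothetical.

```python
import hashlib
import hmac

ZEROBYTES, BOXZEROBYTES = 32, 16  # crypto_secretbox_ZEROBYTES / _BOXZEROBYTES
P = (1 << 130) - 5

def poly1305(msg: bytes, key: bytes) -> bytes:
    """One-time Poly1305 authenticator; the result is always 16 bytes."""
    r = int.from_bytes(key[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s = int.from_bytes(key[16:32], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = (acc + block) * r % P
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")

def stand_in_stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # ASSUMPTION: SHAKE-256 stands in for the XSalsa20 keystream.
    return hashlib.shake_256(key + nonce).digest(n)

def secretbox(m_padded: bytes, nonce: bytes, key: bytes) -> bytes:
    """Mimics the C API layout: m_padded begins with 32 zero bytes."""
    if m_padded[:ZEROBYTES] != bytes(ZEROBYTES):
        raise ValueError("plaintext buffer must start with 32 zero bytes")
    stream = stand_in_stream(key, nonce, len(m_padded))
    c = bytes(a ^ b for a, b in zip(m_padded, stream))
    # The first 32 keystream bytes become the one-time Poly1305 key.
    otk, body = c[:ZEROBYTES], c[ZEROBYTES:]
    # 16 zero bytes, then the tag, then the encrypted message.
    return bytes(BOXZEROBYTES) + poly1305(body, otk) + body

def secretbox_open(c_padded: bytes, nonce: bytes, key: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt the body."""
    tag, body = c_padded[BOXZEROBYTES:ZEROBYTES], c_padded[ZEROBYTES:]
    otk = stand_in_stream(key, nonce, ZEROBYTES)
    if not hmac.compare_digest(tag, poly1305(body, otk)):
        raise ValueError("authentication tag mismatch")
    stream = stand_in_stream(key, nonce, ZEROBYTES + len(body))[ZEROBYTES:]
    return bytes(a ^ b for a, b in zip(body, stream))
```

Stripping the 16 leading zero bytes from the ciphertext buffer leaves tag plus encrypted message, which is 16 bytes longer than the message itself.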