[noise] Ciphertext-indistinguishability from random noise with Poly1305?

Tony Arcieri bascule at gmail.com
Wed Feb 14 09:25:42 PST 2018


On Tue, Feb 13, 2018 at 11:44 PM, Trevor Perrin <trevp at trevp.net> wrote:

> That wouldn't work for things like SIV, where the ciphertext starts
> with a "synthetic nonce", instead of ending with an authentication
> tag.  But I'm not sure this synthetic nonce necessarily fulfills the
> indistinguishability requirement I described, either.
>
> Maybe we could draw a sharper distinction between "authentication tag"
> AEADs and "SIV-like" (or "other")?


I've been wondering if it was somewhat of a mistake (in e.g. RFC 5297) for
SIV tags to be placed at the beginning of messages instead of the end.
There's no particularly good reason why they should be at the beginning and
it makes the schemes that much more awkward to use, especially for things
like in-place APIs where now you have to leave room at the beginning of a
buffer for the tag instead of at the end.

Something I've considered adding to Miscreant are APIs which make it easy
to work with the plaintext/ciphertext and tag as separate
buffers/parameters, so people who wanted to reverse the order (to make it
easier to have compatibility with AEADs which place the tag at the end) can
easily do so.

-- 
Tony Arcieri
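An added example, not Miscreant's code or anything from this thread: a minimal AES-SIV (RFC 5297) encryptor that hands back the synthetic IV and the ciphertext as separate values, so the caller chooses tag-first (RFC layout) or tag-last packaging. It assumes the `cryptography` package for AES-CMAC and AES-CTR and checks itself against the RFC's Appendix A.1 vector.

```python
from cryptography.hazmat.primitives.cmac import CMAC
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def _cmac(key: bytes, msg: bytes) -> bytes:
    c = CMAC(algorithms.AES(key))
    c.update(msg)
    return c.finalize()


def _dbl(block: bytes) -> bytes:
    # "dbl" from RFC 5297 section 2.3: doubling in GF(2^128)
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n ^= 0x87
    return (n & ((1 << 128) - 1)).to_bytes(16, "big")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def s2v(key: bytes, strings: list) -> bytes:
    # S2V over [AD..., plaintext]; the plaintext must be the last string
    d = _cmac(key, bytes(16))
    for s in strings[:-1]:
        d = _xor(_dbl(d), _cmac(key, s))
    last = strings[-1]
    if len(last) >= 16:
        t = last[:-16] + _xor(last[-16:], d)                          # xorend
    else:
        t = _xor(_dbl(d), last + b"\x80" + bytes(15 - len(last)))    # pad
    return _cmac(key, t)


def siv_encrypt(key: bytes, ad: bytes, pt: bytes) -> tuple:
    """Return (tag, ciphertext) separately instead of one IV || C blob."""
    k1, k2 = key[: len(key) // 2], key[len(key) // 2:]  # K1: S2V, K2: CTR
    v = s2v(k1, [ad, pt])
    q = bytearray(v)
    q[8] &= 0x7F    # Q = V & (1^64 || 0 || 1^31 || 0 || 1^31): clear the top
    q[12] &= 0x7F   # bit of the two low 32-bit words before using V as counter
    enc = Cipher(algorithms.AES(k2), modes.CTR(bytes(q))).encryptor()
    return v, enc.update(pt) + enc.finalize()


def pack_tag_first(tag: bytes, ct: bytes) -> bytes:
    return tag + ct   # RFC 5297 wire layout: synthetic IV first


def pack_tag_last(tag: bytes, ct: bytes) -> bytes:
    return ct + tag   # layout matching AEADs that append the tag


# Test vector from RFC 5297 Appendix A.1 (deterministic authenticated encryption)
KEY = bytes.fromhex("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
AD = bytes.fromhex("101112131415161718191a1b1c1d1e1f2021222324252627")
PT = bytes.fromhex("112233445566778899aabbccddee")
```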