[noise] Ciphertext-indistinguishability from random noise with Poly1305?

Trevor Perrin trevp at trevp.net
Wed Feb 14 09:58:14 PST 2018


On Wed, Feb 14, 2018 at 5:25 PM, Tony Arcieri <bascule at gmail.com> wrote:
> On Tue, Feb 13, 2018 at 11:44 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> That wouldn't work for things like SIV, where the ciphertext starts
>> with a "synthetic nonce", instead of ending with an authentication
>> tag.  But I'm not sure this synthetic nonce necessarily fulfills the
>> indistinguishability requirement I described, either.
>>
>> Maybe we could draw a sharper distinction between "authentication tag"
>> AEADs and "SIV-like" (or "other")?
>
>
> I've been wondering if it was somewhat of a mistake (in e.g. RFC 5297) for
> SIV tags to be placed at the beginning of messages instead of the end.
> There's no particularly good reason why they should be at the beginning and
> it makes the schemes that much more awkward to use, especially for things
> like in-place APIs where now you have to leave room at the beginning of a
> buffer for the tag instead of at the end.

The receiver can't do any processing until they have the SIV "tag", so
doesn't it make sense to put it at the beginning, in case the message
is arriving incrementally and the receiver wants to get started
decrypting ASAP?

Trevor
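
The point in the reply above, as an added example that is not part of the original post or of any Noise or RFC 5297 code: a toy SIV-like scheme in which the synthetic IV travels first, so the receiver can decrypt each chunk on arrival and verify at the end. HMAC-SHA-256 and a SHA-256 counter keystream are stand-ins assumed here for S2V and AES-CTR, and all names are hypothetical.

```python
import hashlib
import hmac

TAG_LEN = 16  # synthetic IV length (constructed toy; same size as an AES-SIV tag)

def _keystream(k_enc, siv, start, n):
    # Toy CTR stand-in: block i is SHA-256(k_enc || siv || i). Not AES-CTR.
    out, block = b"", start // 32
    while len(out) < start % 32 + n:
        out += hashlib.sha256(k_enc + siv + block.to_bytes(8, "big")).digest()
        block += 1
    return out[start % 32 : start % 32 + n]

def seal(k_mac, k_enc, plaintext):
    # The SIV is a PRF of the plaintext and is also the keystream IV.
    siv = hmac.new(k_mac, plaintext, hashlib.sha256).digest()[:TAG_LEN]
    ks = _keystream(k_enc, siv, 0, len(plaintext))
    return siv + bytes(p ^ k for p, k in zip(plaintext, ks))  # SIV-first layout

class StreamingOpener:
    """Decrypts body chunks as they arrive; needs the SIV before the first one."""
    def __init__(self, k_mac, k_enc, siv):
        self.k_enc, self.siv, self.offset = k_enc, siv, 0
        self.mac = hmac.new(k_mac, digestmod=hashlib.sha256)

    def update(self, chunk):
        ks = _keystream(self.k_enc, self.siv, self.offset, len(chunk))
        self.offset += len(chunk)
        pt = bytes(c ^ k for c, k in zip(chunk, ks))
        self.mac.update(pt)
        return pt  # not yet authenticated: hold it until finish() returns True

    def finish(self):
        # Recompute the SIV over the recovered plaintext and compare.
        return hmac.compare_digest(self.mac.digest()[:TAG_LEN], self.siv)

def open_siv_first(k_mac, k_enc, wire_chunks):
    """Feed arbitrarily split wire chunks; returns (plaintext chunks, verified)."""
    buf, opener, out = b"", None, []
    for chunk in wire_chunks:
        if opener is None:
            buf += chunk
            if len(buf) < TAG_LEN:
                continue  # nothing can be decrypted until the whole SIV is in
            opener, chunk = StreamingOpener(k_mac, k_enc, buf[:TAG_LEN]), buf[TAG_LEN:]
        out.append(opener.update(chunk))
    return out, opener is not None and opener.finish()
```

With the same bytes laid out SIV-last, `update` could not be called until the final chunk arrived, so the whole body would have to be buffered first.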

