[noise] Ciphertext-indistinguishability from random noise with Poly1305?

Trevor Perrin trevp at trevp.net
Wed Feb 14 21:55:12 PST 2018


On Thu, Feb 15, 2018 at 4:33 AM, Alex <alex at centromere.net> wrote:
> On Wed, 14 Feb 2018 17:53:49 +0000
> Trevor Perrin <trevp at trevp.net> wrote:
>
>> CON:  It's an unnecessary requirement for an AEAD scheme.  Somewhere
>> down the line someone might show up with an AEAD that doesn't fit this
>> requirement but is otherwise good, and we will then be in the awkward
>> position of disallowing their AEAD for a superfluous reason that is
>> irrelevant to their use case.
>>
>
> Can we use "SHOULD" here? Why does it have to be all or nothing?


This is similar to the discussion David and I had, where I was pushing
for the Disco/Strobe SymmetricState to have the exact same properties
as the existing SymmetricState.

I think we want a framework where all crypto algorithms of the same
type have the same properties, thus can be replaced easily.
Algorithms should only differ in "quantitative" metrics like
performance and cryptanalytic resistance.

Otherwise, protocol designers are going to have to inspect their
particular crypto-algorithm choices for various subtleties
(indistinguishable or not?), and that seems error-prone and like it
gives up a lot of the advantages of a modular framework.

Trevor
