jonathan at titanous.com
Tue Jul 1 23:08:24 PDT 2014
The Noise255/Noise448 ciphersuites appear to calculate the Poly1305 tag on the plaintext of the box, not the ciphertext (Encrypt-and-MAC).
draft-agl-tls-chacha20poly1305-04 specifies that the tag should be calculated on the ciphertext, and it is my understanding that Encrypt-then-MAC is generally the recommended construction.
I’m not a cryptographer, so I’d like to understand why Encrypt-and-MAC was chosen and whether there are tradeoffs in this context.
More information about the noise