[Noise] Encrypt-then-MAC

Jonathan Rudenberg jonathan at titanous.com
Tue Jul 1 23:08:24 PDT 2014


The Noise255/Noise448 ciphersuites[0] appear to calculate the Poly1305 tag on the plaintext of the box, not the ciphertext (Encrypt-and-MAC).
 
draft-agl-tls-chacha20poly1305-04[1] specifies that the tag should be calculated on the ciphertext, and it is my understanding that Encrypt-then-MAC is generally the recommended construction.

I’m not a cryptographer, so I’d like to understand why Encrypt-and-MAC was chosen and whether there are tradeoffs in this context.

Jonathan

[0] https://github.com/trevp/noise/wiki/Ciphersuites#noise255-and-noise448
[1] http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04#section-5
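
The two constructions named in the message, side by side, as an added example that is not part of the original post and is not Noise or TLS code. HMAC-SHA256 stands in for Poly1305 and a SHA-256 counter keystream stands in for ChaCha20; both substitutions, and all function names, keys and sample data, are assumptions made for illustration. The trace records what the receiver has to do before it can check the tag in each case.

```python
import hashlib
import hmac

def keystream_xor(key, nonce, data):
    """Stand-in stream cipher (SHA-256 in counter mode), NOT ChaCha20."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def tag(mac_key, nonce, data):
    """Stand-in MAC (HMAC-SHA256), NOT Poly1305."""
    return hmac.new(mac_key, nonce + data, hashlib.sha256).digest()

def seal_encrypt_and_mac(ek, mk, nonce, pt):
    # Tag is computed over the plaintext.
    return keystream_xor(ek, nonce, pt), tag(mk, nonce, pt)

def seal_encrypt_then_mac(ek, mk, nonce, pt):
    ct = keystream_xor(ek, nonce, pt)
    return ct, tag(mk, nonce, ct)  # tag is computed over the ciphertext

def open_encrypt_and_mac(ek, mk, nonce, ct, t, trace):
    trace.append("decrypt")  # plaintext is needed before the tag can be checked
    pt = keystream_xor(ek, nonce, ct)
    trace.append("verify")
    ok = hmac.compare_digest(t, tag(mk, nonce, pt))
    return pt if ok else None

def open_encrypt_then_mac(ek, mk, nonce, ct, t, trace):
    trace.append("verify")  # tag is checked on the bytes as received
    if not hmac.compare_digest(t, tag(mk, nonce, ct)):
        return None
    trace.append("decrypt")
    return keystream_xor(ek, nonce, ct)

def demo():
    """Flip one ciphertext bit and record each receiver's steps."""
    ek, mk, nonce = b"E" * 32, b"M" * 32, b"N" * 8  # constructed keys and nonce
    pt = b"constructed sample plaintext"
    results = {}
    for name, seal, open_ in (("E&M", seal_encrypt_and_mac, open_encrypt_and_mac),
                              ("EtM", seal_encrypt_then_mac, open_encrypt_then_mac)):
        ct, t = seal(ek, mk, nonce, pt)
        bad = bytes([ct[0] ^ 1]) + ct[1:]
        trace = []
        results[name] = (open_(ek, mk, nonce, bad, t, trace), trace)
    return results
```

Both receivers reject the modified message; the difference the trace shows is that the Encrypt-and-MAC receiver runs decryption on unauthenticated ciphertext first, while the Encrypt-then-MAC receiver rejects it without decrypting.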

