[Noise] Encrypt-then-MAC

Trevor Perrin trevp at trevp.net
Tue Jul 1 23:27:42 PDT 2014

Typo, fixed, thanks :-)


On Tue, Jul 1, 2014 at 11:08 PM, Jonathan Rudenberg
<jonathan at titanous.com> wrote:
> The Noise255/Noise448 ciphersuites[0] appear to calculate the Poly1305 tag on the plaintext of the box, not the ciphertext (Encrypt-and-MAC).
> draft-agl-tls-chacha20poly1305-04[1] specifies that the tag should be calculated on the ciphertext, and it is my understanding that Encrypt-then-MAC is generally the recommended construction.
> I’m not a cryptographer, so I’d like to understand why Encrypt-and-MAC was chosen and whether there are tradeoffs in this context.
> Jonathan
> [0] https://github.com/trevp/noise/wiki/Ciphersuites#noise255-and-noise448
> [1] http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04#section-5
> _______________________________________________
> noise mailing list
> noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise

More information about the noise mailing list