[noise] Ciphertext-indistinguishability from random noise with Poly1305?

Keziah Elis Biermann keziah at kizzycode.de
Thu Feb 8 06:01:58 PST 2018


Hi all,
I have a question regarding the ciphertext-indistinguishability from random noise if Poly1305 is used as MAC (I'm new here and haven't worked through the entire mailing list yet and hope this hasn't been discussed already).

However, in section "4.2. Cipher functions" (http://noiseprotocol.org/noise.html#cipher-functions) it is written that
> Encryption […] returns a ciphertext that is the same size as the plaintext plus 16 bytes for authentication data. The entire ciphertext must be indistinguishable from random if the key is secret.

As far as I understand that means that the ciphertext consists of the encrypted data *plus* the authentication-tag (`ciphertext = encrypted_data || authentication_tag`).

If this is true, I'm not sure that the ciphertext is indistinguishable from random noise if you use Poly1305 as MAC because in "RFC 7539 section 2.7" (https://tools.ietf.org/html/rfc7539#section-2.7) it is stated that
> […] unlike HMAC, Poly1305 is biased […].

And if Poly1305 is biased, the composition of `encrypted_data || poly1305_mac` would also be biased in the last 16 bytes and thus be *distinguishable* from random noise.

I don't know how strongly biased it is and if it's relevant to Noise, but I wanted to point this out in the unlikely case nobody has stumbled upon this yet.

Best regards and thanks for your amazing work,
	Keziah Biermann
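Added example, not part of the original post: a Python implementation of the Poly1305 tag computation as specified in RFC 7539 section 2.5, checked against the RFC's own test vector, written out so the structure the question concerns is visible: the 16-byte tag is (h + s) mod 2^128, where h is the polynomial hash of the message under the clamped key half r and s is the other key half (in the ChaCha20-Poly1305 AEAD of RFC 7539 section 2.8, r || s is derived afresh for every nonce from ChaCha20 block 0).

```python
# Poly1305 (RFC 7539 section 2.5), added example, not code from the Noise project.
import hmac

P = (1 << 130) - 5                               # the prime 2^130 - 5
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff       # clears the 22 bits RFC 7539 requires


def poly1305_h(msg: bytes, r: int) -> int:
    """Polynomial evaluation of msg at r modulo 2^130 - 5 (the 'h' part of the tag)."""
    acc = 0
    for i in range(0, len(msg), 16):
        # Each 16-byte block (the last one may be shorter) gets a 0x01 byte appended
        # before it is read as a little-endian number.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % P
    return acc


def poly1305_mac(msg: bytes, key: bytes) -> bytes:
    """16-byte Poly1305 tag for msg under a 32-byte one-time key (r || s)."""
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes")
    r = int.from_bytes(key[:16], "little") & CLAMP
    s = int.from_bytes(key[16:], "little")
    # The tag is the polynomial hash plus s, truncated to 128 bits.
    tag = (poly1305_h(msg, r) + s) % (1 << 128)
    return tag.to_bytes(16, "little")


def poly1305_verify(msg: bytes, key: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison; never check MAC tags with ==."""
    return hmac.compare_digest(poly1305_mac(msg, key), tag)


# Test vector from RFC 7539 section 2.5.2.
RFC7539_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8" "0103808afb0db2fd4abff6af4149f51b")
RFC7539_MSG = b"Cryptographic Forum Research Group"
RFC7539_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    assert poly1305_mac(RFC7539_MSG, RFC7539_KEY) == RFC7539_TAG
    print("RFC 7539 test vector OK:", RFC7539_TAG.hex())
```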