[noise] Ciphertext-indistinguishability from random noise with Poly1305?
Marian Beermann
public at enkore.de
Thu Feb 8 06:25:03 PST 2018
Hi Keziah,
sounds about right.
Note that "ciphertext-indistinguishability from random noise" is
unrelated to the security notions of IND-CPA or IND-CCA2:
Since the authenticator is calculated from the ciphertext (and uses part
of the keystream as its key), it cannot compromise the above properties: the
authenticator has access to essentially the same data as the attacker in
the above models (sans one-time key).
-Marian
On 02/08/2018 03:01 PM, Keziah Elis Biermann wrote:
> Hi all,
> I have a question regarding the ciphertext-indistinguishability from random noise if Poly1305 is used as MAC (I'm new here and haven't worked through the entire mailing list yet and hope this hasn't been discussed already).
>
> However, in section "4.2. Cipher functions" (http://noiseprotocol.org/noise.html#cipher-functions) it is written that
>> Encryption […] returns a ciphertext that is the same size as the plaintext plus 16 bytes for authentication data. The entire ciphertext must be indistinguishable from random if the key is secret.
>
> As far as I understand that means that the ciphertext consists of the encrypted data *plus* the authentication-tag (`ciphertext = encrypted_data || authentication_tag`).
>
> If this is true, I'm not sure that the ciphertext is indistinguishable from random noise if you use Poly1305 as MAC because in "RFC 7539 section 2.7" (https://tools.ietf.org/html/rfc7539#section-2.7) it is stated that
>> […] unlike HMAC, Poly1305 is biased […].
>
> And if Poly1305 is biased, the composition of `encrypted_data || poly1305_mac` would also be biased in the last 16 bytes and thus be *distinguishable* from random noise.
>
> I don't know how strongly biased it is and if it's relevant to Noise, but I wanted to point this out in the unlikely case nobody has stumbled upon this yet.
>
> Best regards and thanks for your amazing work,
> Keziah Biermann
>
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise
>
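As an added example (not code from this thread or from the Noise project), the following is a direct implementation of the Poly1305 one-time authenticator from RFC 7539 section 2.5, checked against the RFC's own test vector from section 2.5.2. It keeps the two final steps the question turns on as separate, inspectable operations: the polynomial accumulator reduced mod 2^130-5, and the addition of the one-time key half `s` mod 2^128 that produces the 16-byte tag. It also splits a ciphertext into `encrypted_data || tag` as laid out in Noise section 4.2, and verifies a tag in constant time. The function names and the `split_noise_ciphertext` helper are this example's own choices, not names from the RFC or the Noise specification.

```python
# Added example: RFC 7539 Poly1305, with the accumulator exposed separately.
import hmac

P = (1 << 130) - 5                               # the Poly1305 prime 2^130 - 5
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff      # RFC 7539 2.5 clamp mask for r
MASK128 = (1 << 128) - 1


def poly1305_accumulate(key: bytes, msg: bytes) -> int:
    """Return h = (m_1*r^n + ... + m_n*r) mod (2^130 - 5), before s is added.
    This is the 130-bit intermediate; the final tag is derived from it."""
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes (r || s)")
    r = int.from_bytes(key[:16], "little") & CLAMP
    h = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # each block (full or partial) gets a 0x01 byte appended before it is
        # read as a little-endian integer, so block lengths are unambiguous
        n = int.from_bytes(block + b"\x01", "little")
        h = ((h + n) * r) % P
    return h


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """16-byte tag = (h + s) mod 2^128, little-endian (RFC 7539 2.5.1)."""
    s = int.from_bytes(key[16:32], "little")
    h = poly1305_accumulate(key, msg)
    return ((h + s) & MASK128).to_bytes(16, "little")


def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison; never compare tags with ==."""
    return hmac.compare_digest(poly1305_mac(key, msg), tag)


def split_noise_ciphertext(ciphertext: bytes) -> tuple:
    """Split `encrypted_data || tag` as Noise section 4.2 describes it
    (helper name is this example's own, not from the specification)."""
    if len(ciphertext) < 16:
        raise ValueError("ciphertext shorter than the 16-byte tag")
    return ciphertext[:-16], ciphertext[-16:]


# RFC 7539 section 2.5.2 test vector: key, message and expected tag
RFC_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"
    "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    h = poly1305_accumulate(RFC_KEY, RFC_MSG)
    print("accumulator h is below 2^130 - 5:", h < P)
    print("tag matches RFC 7539 vector:", poly1305_mac(RFC_KEY, RFC_MSG) == RFC_TAG)
    # constructed ciphertext layout: five placeholder bytes followed by the tag
    enc, tag = split_noise_ciphertext(b"\x00" * 5 + RFC_TAG)
    print("tag recovered from encrypted_data || tag:", tag == RFC_TAG)
    print("verify accepts:", poly1305_verify(RFC_KEY, RFC_MSG, RFC_TAG))
    print("verify rejects altered message:",
          not poly1305_verify(RFC_KEY, RFC_MSG + b"!", RFC_TAG))
```

Running the script reproduces the RFC tag, which confirms the block ordering and clamping are right; `poly1305_accumulate` can then be called on its own to inspect the pre-`s` value for any key and message when reasoning about the RFC 7539 bias remark quoted above.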