[noise] Ciphertext-indistinguishability from random noise with Poly1305?
Trevor Perrin
trevp at trevp.net
Fri Feb 9 20:21:11 PST 2018
On Thu, Feb 8, 2018 at 2:01 PM, Keziah Elis Biermann
<keziah at kizzycode.de> wrote:
> Hi all,
> I have a question regarding the ciphertext-indistinguishability from random noise if Poly1305 is used as the MAC (I'm new here and haven't worked through the entire mailing list yet, and hope this hasn't been discussed already).
>
> However, in section "4.2. Cipher functions" (http://noiseprotocol.org/noise.html#cipher-functions) it is written that
>> Encryption […] returns a ciphertext that is the same size as the plaintext plus 16 bytes for authentication data. The entire ciphertext must be indistinguishable from random if the key is secret.
>
> As far as I understand that means that the ciphertext consists of the encrypted data *plus* the authentication-tag (`ciphertext = encrypted_data || authentication_tag`).
>
> If this is true, I'm not sure that the ciphertext is indistinguishable from random noise if you use Poly1305 as MAC because in "RFC 7539 section 2.7" (https://tools.ietf.org/html/rfc7539#section-2.7) it is stated that
>> […] unlike HMAC, Poly1305 is biased […].
>
> And if Poly1305 is biased, the composition of `encrypted_data || poly1305_mac` would also be biased in the last 16 bytes and thus be *distinguishable* from random noise.
Thanks Keziah,
That's a good observation. I assumed ChaCha20/Poly1305 was like
AES-GCM here, and didn't notice this difference.
Probably we should change the spec requirement to require all bytes of
the ciphertext except the last 16 to be indistinguishable, which is
what the default REKEY() function requires.
Trevor
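The layout under discussion, as an added example that is not part of the original thread or of any Noise implementation: a from-scratch Python ChaCha20-Poly1305 following RFC 7539, wrapped in the Noise ChaChaPoly nonce encoding (32 bits of zeros followed by the 64-bit little-endian nonce) and the spec's default REKEY. Function names, the sample key and the sample plaintext are constructed for this example; the Poly1305 check value is the RFC 7539 section 2.5.2 test vector. It shows that ENCRYPT returns `encrypted_data || tag` with the 16-byte Poly1305 tag last, and that the default REKEY keeps only the first 32 of the 48 bytes ENCRYPT returns, so the tag never feeds the derived key.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF
P1305 = (1 << 130) - 5           # Poly1305 prime 2^130 - 5
MAXNONCE = 2**64 - 1             # Noise: nonce used by the default REKEY

def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))

def quarter_round(a, b, c, d):
    """RFC 7539 section 2.1 quarter round on four 32-bit words."""
    a = (a + b) & MASK32; d = _rotl32(d ^ a, 16)
    c = (c + d) & MASK32; b = _rotl32(b ^ c, 12)
    a = (a + b) & MASK32; d = _rotl32(d ^ a, 8)
    c = (c + d) & MASK32; b = _rotl32(b ^ c, 7)
    return a, b, c, d

def chacha20_block(key, counter, nonce):
    """RFC 7539 section 2.3: one 64-byte keystream block (32-byte key, 12-byte nonce)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8L", key))
    state += [counter & MASK32] + list(struct.unpack("<3L", nonce))
    x = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])
    return struct.pack("<16L", *[(x[i] + state[i]) & MASK32 for i in range(16)])

def chacha20_xor(key, counter, nonce, data):
    """XOR data with the ChaCha20 keystream starting at the given block counter."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)

def poly1305_mac(key, msg):
    """RFC 7539 section 2.5. key = r (16 bytes, clamped here) || s (16 bytes).
    The tag is (h mod p) + s, truncated to 128 bits."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:], "little")
    h = 0
    for i in range(0, len(msg), 16):
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")  # block || 0x01
        h = ((h + n) * r) % P1305
    return ((h + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _pad16(b):
    return b + b"\x00" * (-len(b) % 16)

def _aead_mac_input(ad, ct):
    return _pad16(ad) + _pad16(ct) + struct.pack("<QQ", len(ad), len(ct))

def noise_nonce(n):
    """Noise ChaChaPoly nonce: 32 bits of zeros, then the 64-bit little-endian nonce n."""
    return b"\x00" * 4 + struct.pack("<Q", n)

def noise_encrypt(k, n, ad, plaintext):
    """Noise ENCRYPT(k, n, ad, plaintext): returns encrypted_data || 16-byte Poly1305 tag."""
    nonce = noise_nonce(n)
    otk = chacha20_block(k, 0, nonce)[:32]          # one-time Poly1305 key (r || s)
    ct = chacha20_xor(k, 1, nonce, plaintext)
    return ct + poly1305_mac(otk, _aead_mac_input(ad, ct))

def noise_decrypt(k, n, ad, ciphertext):
    """Noise DECRYPT: verify the trailing tag in constant time, then decrypt the body."""
    body, tag = ciphertext[:-16], ciphertext[-16:]
    nonce = noise_nonce(n)
    otk = chacha20_block(k, 0, nonce)[:32]
    if not hmac.compare_digest(tag, poly1305_mac(otk, _aead_mac_input(ad, body))):
        raise ValueError("authentication failed")
    return chacha20_xor(k, 1, nonce, body)

def noise_rekey(k):
    """Default REKEY(k) from the Noise spec: the first 32 bytes of
    ENCRYPT(k, maxnonce, zerolen, zeros). ENCRYPT returns 48 bytes here; the last
    16, i.e. the Poly1305 tag, are dropped and never reach the new key."""
    return noise_encrypt(k, MAXNONCE, b"", b"\x00" * 32)[:32]

# Constructed sample inputs for the example (not from the thread or any test vector).
SAMPLE_KEY = bytes(range(32))
SAMPLE_PT = b"constructed Noise transport payload"

if __name__ == "__main__":
    ct = noise_encrypt(SAMPLE_KEY, 0, b"", SAMPLE_PT)
    print("ciphertext bytes:", len(ct), "=", len(SAMPLE_PT), "+ 16 (tag is the last 16)")
    print("REKEY output:", noise_rekey(SAMPLE_KEY).hex())
```

Because the tag sits at the end of ENCRYPT's output, any consumer that needs pseudorandom bytes from a ciphertext, REKEY included, only has to slice off the final 16 bytes; the proposed spec wording matches exactly what `noise_rekey` already does.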