[noise] Ciphertext-indistinguishability from random noise with Poly1305?

Keziah Elis Biermann keziah at kizzycode.de
Mon Feb 12 09:53:24 PST 2018


> Probably we should change the spec requirement to require all bytes of
> the ciphertext except the last 16 to be indistinguishable, which is
> what the default REKEY() function requires.

This would be the easy solution, but IMHO it would be cleaner to
 – require that the underlying cipher construction (e.g. AES-CTR for AES-GCM) is a strong PRF/PRP
 – require that the authentication tag is appended to the encrypted bytes

This would ensure that (if you encrypt 32 bytes) the first 32 bytes of the ciphertext are always indistinguishable from random data if you don't know the key.

– Keziah
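The layout the reply relies on, checked concretely against AES-GCM in Go: the first len(pt) bytes of the sealed output are the plaintext XORed with the AES-CTR keystream (a PRP output under the key), and the 16-byte tag sits after them. This is an added example, not code from the thread or from the Noise project; the key, nonce and plaintext are constructed sample values, and the keystream helper assumes the 96-bit-nonce counter layout of GCM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// gcmKeystream recomputes the CTR keystream AES-GCM applies to the plaintext
// with a 96-bit nonce: blocks nonce||BE32(2), nonce||BE32(3), ... through AES
// (nonce||BE32(1) is reserved for masking the tag, so the prefix never uses it).
func gcmKeystream(block cipher.Block, nonce []byte, n int) ([]byte, error) {
	if len(nonce) != 12 {
		return nil, fmt.Errorf("helper only handles 96-bit nonces")
	}
	ks := make([]byte, 0, n+16)
	ctr := append(append([]byte{}, nonce...), 0, 0, 0, 0) // nonce || counter
	var out [16]byte
	for c := uint32(2); len(ks) < n; c++ {
		binary.BigEndian.PutUint32(ctr[12:], c)
		block.Encrypt(out[:], ctr)
		ks = append(ks, out[:]...)
	}
	return ks[:n], nil
}

// SealedLayout seals pt with AES-GCM and reports whether the output has the layout
// the post relies on: sealed[:len(pt)] == pt XOR keystream, tag appended after it.
func SealedLayout(key, nonce, pt []byte) (prefixIsCtr bool, tagLen int, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, 0, err
	}
	ks, err := gcmKeystream(block, nonce, len(pt)) // checked before Seal, which panics on bad nonce sizes
	if err != nil {
		return false, 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, 0, err
	}
	sealed := aead.Seal(nil, nonce, pt, nil)
	want := make([]byte, len(pt))
	for i := range pt {
		want[i] = pt[i] ^ ks[i] // what a bare CTR/PRF layer would emit
	}
	return bytes.Equal(sealed[:len(pt)], want), len(sealed) - len(pt), nil
}
```

With a 32-byte plaintext the check returns true with a 16-byte tag: only those trailing 16 bytes are the Poly1305/GHASH-style tag the thread is worried about, everything before them is pure PRP output XOR plaintext.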