[noise] Ciphertext-indistinguishability from random noise with Poly1305?
Samuel Neves
samuel.c.p.neves at gmail.com
Wed Feb 14 01:14:07 PST 2018
The first 32 bytes of the ChaCha20 stream are used to derive the two
one-time Poly1305 keys, r and s. They are not used to encrypt
plaintext. The tag is then (polyeval(ciphertext, clamp(r)) + r) mod
2^128. Whatever the distribution of polyeval(ciphertext, clamp(r)) mod
2^128 may be, the one-time key s is always a fresh output from
ChaCha20, which is presumed to be indistinguishable from random. As
such, so is the tag.
I guess the RFC may be referring to the polynomial evaluation portion
of Poly1305?
Best regards,
Samuel Neves
On Thu, Feb 8, 2018 at 2:01 PM, Keziah Elis Biermann
<keziah at kizzycode.de> wrote:
> Hi all,
> I have a question regarding the ciphertext-indistinguishability from random noise if Poly1305 is used as MAC (I'm new here and haven't worked through the entire mailing list yet and hope this hasn't been discussed already).
>
> However, in section "4.2. Cipher functions" (http://noiseprotocol.org/noise.html#cipher-functions) it is written that
>> Encryption […] returns a ciphertext that is the same size as the plaintext plus 16 bytes for authentication data. The entire ciphertext must be indistinguishable from random if the key is secret.
>
> As far as I understand that means that the ciphertext consists of the encrypted data *plus* the authentication-tag (`ciphertext = encrypted_data || authentication_tag`).
>
> If this is true, I'm not sure that the ciphertext is indistinguishable from random noise if you use Poly1305 as MAC because in "RFC 7539 section 2.7" (https://tools.ietf.org/html/rfc7539#section-2.7) it is stated that
>> […] unlike HMAC, Poly1305 is biased […].
>
> And if Poly1305 is biased, the composition of `encrypted_data || poly1305_mac` would also be biased in the last 16 bytes and thus be *distinguishable* from random noise.
>
> I don't know how strongly biased it is and if it's relevant to Noise, but I wanted to point this out in the unlikely case nobody has stumbled upon this yet.
>
> Best regards and thanks for your amazing work,
> Keziah Biermann
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise
>
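The structure described in the reply above, as an added worked example (it is not code from either message, from the Noise project, or from RFC 7539; it is a plain-Python transcription of the RFC 7539 ChaCha20 block function and Poly1305, plus a small helper that checks the "tag is a translate of s" argument). The tag is computed exactly as the reply lays it out: the first 32 bytes of ChaCha20 block 0 become r || s, r is clamped, the ciphertext is fed through the polynomial mod 2^130-5, and s is added mod 2^128 as the last step. Whatever bias the polynomial value carries, adding a fresh uniform s is a one-time pad on the tag:

```python
import os
import struct

P1305 = (1 << 130) - 5            # the Poly1305 prime
MASK128 = (1 << 128) - 1


def _rotl32(v: int, n: int) -> int:
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte ChaCha20 keystream block (RFC 7539 section 2.3, 96-bit nonce)."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8I", key))
    state.append(counter & 0xFFFFFFFF)
    state += list(struct.unpack("<3I", nonce))
    work = state[:]
    for _ in range(10):                      # 20 rounds = 10 column/diagonal pairs
        _quarter_round(work, 0, 4, 8, 12)
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & 0xFFFFFFFF for w, s in zip(work, state)])


def poly1305_key_gen(key: bytes, nonce: bytes) -> bytes:
    """The one-time key r || s: first 32 bytes of ChaCha20 block 0 (RFC 7539 2.6).
    Block 0 is never used to encrypt plaintext; encryption starts at block 1."""
    return chacha20_block(key, 0, nonce)[:32]


def clamp(r: int) -> int:
    return r & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def polyeval(msg: bytes, r: int) -> int:
    """Horner evaluation over 16-byte blocks, each with a 1 bit appended just
    above its last byte, modulo 2^130-5. This value is what carries the bias."""
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        n = int.from_bytes(block, "little") | (1 << (8 * len(block)))
        acc = ((acc + n) * r) % P1305
    return acc


def poly1305_tag(otk: bytes, msg: bytes) -> bytes:
    """tag = (polyeval(msg, clamp(r)) + s) mod 2^128, serialized little-endian."""
    r = clamp(int.from_bytes(otk[:16], "little"))
    s = int.from_bytes(otk[16:32], "little")
    return ((polyeval(msg, r) + s) & MASK128).to_bytes(16, "little")


def tag_is_translate_of_s(r_bytes: bytes, msg: bytes, trials: int = 256) -> bool:
    """For a fixed r and message, (tag - s) mod 2^128 is the same constant for every s:
    the tag is the (possibly biased) polynomial value shifted by s, so its
    distribution is exactly the distribution of s. Uses constructed random s values."""
    r = clamp(int.from_bytes(r_bytes, "little"))
    expected = polyeval(msg, r) & MASK128
    for _ in range(trials):
        s_bytes = os.urandom(16)
        tag = int.from_bytes(poly1305_tag(r_bytes + s_bytes, msg), "little")
        if (tag - int.from_bytes(s_bytes, "little")) & MASK128 != expected:
            return False
    return True


if __name__ == "__main__":
    # Constructed demo key/nonce; ciphertext is whatever the cipher produced.
    key, nonce = bytes(range(32)), bytes(12)
    otk = poly1305_key_gen(key, nonce)
    ciphertext = b"constructed ciphertext bytes for the demo"
    print("tag:", poly1305_tag(otk, ciphertext).hex())
    print("tag is polyeval + s:", tag_is_translate_of_s(otk[:16], ciphertext))
```

The checks worth running against this are the RFC 7539 vectors (section 2.3.2 for the block function, 2.6.2 for the one-time key, 2.5.2 for the tag) and the translate property; the latter is the point of the reply: the final addition of s, not the polynomial, decides the tag's distribution.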