[noise] Ciphertext-indistinguishability from random noise with Poly1305?

Marian Beermann public at enkore.de
Wed Feb 14 10:23:45 PST 2018


On 14.02.2018 19:05, Tony Arcieri wrote:
> On Wed, Feb 14, 2018 at 9:58 AM, Trevor Perrin <trevp at trevp.net> wrote:
> 
>     The receiver can't do any processing until they have the SIV "tag", so
>     doesn't it make sense to put it at the beginning
> 
> 
> I think what you meant to say is "it doesn't make sense to put it at the
> end" as it prevents incremental decryption which is a good point.
> 

Specifically in the context of Noise the message sizes are very small
(<64k), though. Therefore the latency reduction you can get by streaming
decryption on a partial ciphertext is small as well.

And then there is the general problem with streaming AEAD, namely, that
it incentivises applications to process bits of plaintext that are not
authenticated (possibly in the belief they are authenticated).

I believe that's the reason that led e.g. libsodium to forgo any
streaming AEAD APIs.

-Marian
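
The streaming-AEAD concern raised in the message above, as an added example that is not part of the original post: a chunked decryptor hands out plaintext before the tag is checked, while a one-shot decryptor releases nothing on failure. Assumptions: a toy SHA-256 keystream with HMAC-SHA256 stands in for a real AEAD, and all function names, keys and the sample message are constructed for illustration.

```python
import hashlib
import hmac

# Toy encrypt-then-MAC from the standard library, standing in for a real AEAD.
# Assumption for illustration only; not a construction to deploy.
def _keystream(key, n):
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(blocks))[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(enc_key, mac_key, plaintext):
    ct = _xor(plaintext, _keystream(enc_key, len(plaintext)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_oneshot(enc_key, mac_key, message):
    # Verify the tag over the whole ciphertext before releasing any plaintext.
    ct, tag = message[:-32], message[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor(ct, _keystream(enc_key, len(ct)))

def open_streaming(enc_key, mac_key, message, chunk=16):
    # Yields plaintext chunk by chunk; the tag is only checked after the last one.
    ct, tag = message[:-32], message[-32:]
    ks = _keystream(enc_key, len(ct))
    mac = hmac.new(mac_key, digestmod=hashlib.sha256)
    for i in range(0, len(ct), chunk):
        mac.update(ct[i:i + chunk])
        yield _xor(ct[i:i + chunk], ks[i:i + chunk])
    if not hmac.compare_digest(tag, mac.digest()):
        raise ValueError("authentication failed")

def demo():
    enc_key, mac_key = b"E" * 32, b"M" * 32  # constructed keys
    msg = bytearray(seal(enc_key, mac_key, b"pay 0100 to alice; memo: lunch"))
    msg[4] ^= ord("0") ^ ord("9")  # one ciphertext byte modified in transit
    acted_on = []  # chunks a hypothetical application consumed as they arrived
    try:
        for part in open_streaming(enc_key, mac_key, bytes(msg)):
            acted_on.append(part)
    except ValueError:
        pass
    try:
        released = open_oneshot(enc_key, mac_key, bytes(msg))
    except ValueError:
        released = None
    return b"".join(acted_on), released
```

Calling `demo()` returns the modified plaintext the streaming consumer had already handled by the time the tag check failed, alongside `None` for the one-shot path.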


