[noise] Ciphertext-indistinguishability from random noise with Poly1305?
Tony Arcieri
bascule at gmail.com
Wed Feb 14 10:43:42 PST 2018
On Wed, Feb 14, 2018 at 10:23 AM, Marian Beermann <public at enkore.de> wrote:
> And then there is the general problem with streaming AEAD, namely, that
> it incentivises applications to process bits of plaintext that are not
> authenticated (possibly in the belief they are authenticated).
>
With SIV modes you have to decrypt before authenticating, since the SIV
tags are computed from the plaintext and not the ciphertext.
> I believe that's the reason that led e.g. libsodium to forgo any
> streaming AEAD APIs.
libsodium supports a streaming API, however it authenticates ciphertexts in
chunks and does not expose unauthenticated plaintexts:
https://download.libsodium.org/doc/secret-key_cryptography/secretstream.html
--
Tony Arcieri
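
Added example, not part of the original message and not libsodium's code: a sketch of the chunked approach the reply describes, in which each chunk's tag is verified before that chunk's plaintext is released. The SHA-256 counter-mode keystream, the HMAC-SHA256 tag, the framing and all function names are assumptions chosen so it runs with the Python standard library only; the keys are assumed to be used for a single stream.

```python
import hashlib, hmac, struct

TAG_LEN = 32  # HMAC-SHA256 tag size

def _keystream(key, index, n):
    # Constructed stand-in stream cipher (SHA-256 in counter mode), keyed per chunk index.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">QQ", index, ctr)).digest()
        ctr += 1
    return out[:n]

def _tag(mac_key, index, final, ct):
    # The tag covers the chunk index and the final flag, so reordering and
    # truncation are detected as well as bit flips in the ciphertext.
    return hmac.new(mac_key, struct.pack(">QB", index, final) + ct, hashlib.sha256).digest()

def seal_stream(enc_key, mac_key, chunks):
    # Assumption: enc_key and mac_key are fresh for this stream and never reused.
    chunks = list(chunks)
    out = []
    for i, pt in enumerate(chunks):
        final = int(i == len(chunks) - 1)
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, i, len(pt))))
        out.append(bytes([final]) + ct + _tag(mac_key, i, final, ct))
    return out

def open_stream(enc_key, mac_key, sealed):
    """Yield plaintext chunks; a chunk is decrypted only after its tag verifies."""
    saw_final = False
    for i, blob in enumerate(sealed):
        if saw_final or len(blob) < 1 + TAG_LEN:
            raise ValueError("malformed or trailing chunk")
        final, ct, tag = blob[0], blob[1:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(mac_key, i, final, ct)):
            raise ValueError(f"chunk {i} failed authentication")
        saw_final = final == 1
        yield bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, i, len(ct))))
    if not saw_final:
        raise ValueError("stream truncated before final chunk")
```

A consumer sees only chunks that have already authenticated; truncation is reported when the stream ends without a chunk carrying the final flag, so the caller must still treat the output as incomplete until the generator finishes without error.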