[noise] Ciphertext-indistinguishability from random noise with Poly1305?
Keziah Elis Biermann
keziah at kizzycode.de
Tue Feb 20 04:34:40 PST 2018
> Anyways, here's a few options for our AEAD functions:
>
> (1) Require a 16-byte tag at the end, with the previous data encrypted
> using a cipher (Keziah's proposal).
>
> (2) Impose an indistinguishability requirement on the entire
> ciphertext, including the tag/SIV, wherever it is.
>
> (3) If the first 32 bytes of output from calling ENCRYPT() on 32 bytes
> of zeros *aren't* indistinguishable, then you're required to supply a
> REKEY() function.
>
>
> I think I still prefer (2) because:
> - it's what we're currently doing
> - it enables us to easily define REKEY() or build
> unfingerprintable/indistinguishable protocols, with any
> Noise-compatible AEAD
> - the indistinguishability requirement doesn't seem that onerous

I forgot that it's one goal of Noise to look as random as possible; in this case I'd also prefer (2), especially since I learned that Poly1305 tags *are* indistinguishable.
(2) is simple, fulfilled by all common AEAD schemes, and it's no change to the status quo.
– Keziah