TIL a Poly1305 tag with a zero key is always zero. So if you can fixate the key, you can make the tag verify for any message, like with X25519 low order points. It does make sense, at that point the tag is m * 0 + 0 mod 2¹³⁰ - 5
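A worked illustration of the degenerate case described in the tweet above. This is an added example, not code from the thread or from x/crypto: a small pure-Python RFC 8439 Poly1305 (names such as `poly1305_tag` and `is_degenerate_key` are this example's own) that also goes one step beyond the single all-zero key, since any key whose r-half is zero outside the 22 clamped bits gives the same message-independent tag.

```python
# Added example, not code from the thread or from x/crypto: a minimal RFC 8439
# Poly1305 in pure Python, used to show why a zero (or clamped-to-zero) one-time
# key makes the tag independent of the message. All names here are this example's own.
P = (1 << 130) - 5
CLAMP_MASK = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # clears 22 bits of r


def clamp(r: int) -> int:
    return r & CLAMP_MASK


def poly1305_tag(key: bytes, msg: bytes) -> bytes:
    """tag = ((m_1*r^n + ... + m_n*r) mod 2^130-5 + s) mod 2^128, with key = r || s."""
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes (r || s)")
    r = clamp(int.from_bytes(key[:16], "little"))
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each block gets a 0x01 byte appended before being read as a little-endian integer.
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % P
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def is_degenerate_key(key: bytes) -> bool:
    """True when clamped r == 0: the polynomial term vanishes and the tag is just s
    for every message, so a fixed key verifies anything. With the all-zero key,
    s == 0 as well and the tag is sixteen zero bytes."""
    return clamp(int.from_bytes(key[:16], "little")) == 0


# Constructed inputs. The second key is nonzero, but every set bit of its r-half
# sits in a clamped position, so it is just as degenerate as the all-zero key.
ZERO_KEY = bytes(32)
CLAMPED_TO_ZERO_KEY = (~CLAMP_MASK & ((1 << 128) - 1)).to_bytes(16, "little") + bytes(range(16))
MESSAGES = [b"", b"hello", b"A" * 64, bytes(range(256))]


def tags_under_key(key: bytes) -> list:
    """Tags of every constructed message under one key; a properly keyed MAC would give distinct tags."""
    return [poly1305_tag(key, m) for m in MESSAGES]


def rfc8439_self_check() -> bool:
    """Sanity check of the implementation against the RFC 8439 section 2.5.2 test vector."""
    key = bytes.fromhex("85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b")
    tag = poly1305_tag(key, b"Cryptographic Forum Research Group")
    return tag == bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")
```

In a ChaCha20-Poly1305 AEAD the one-time key comes out of the cipher keystream, so the check above is only relevant to code that feeds Poly1305 a key directly.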
Why did we expose Poly1305 in x/crypto again? 𝘱𝘪𝘤𝘬𝘴 𝘶𝘱 𝘥𝘦𝘱𝘳𝘦𝘤𝘢𝘵𝘪𝘰𝘯 𝘩𝘢𝘮𝘮𝘦𝘳
It's Sunday night, I'm at @recursecenter, and I'm auditing uses of x/poly1305 to make a point. I'm terrified I'll find vulnerabilities in the process. Help?
Well, before I got distracted by this horror while writing tests... I had just completed a long-running quest: the generic chacha20poly1305 code now has ZERO allocations, opening the door to separate chacha20 and poly1305 assembly \o/ https://go-review.googlesource.com/c/crypto/+/206977
Hey, I use Poly1305 .... in a presentation on how incomprehensible security advice can be.
It's fine because it doesn't interfere with Poly1305 being ε-almost-Δ-universal. But you're right that a naive user might imagine it has the same properties as HMAC, which it certainly doesn't. BTW, Adiantum also uses it.
Nit: in the paper introducing it, "Poly1305" refers to a construction that composes that εAΔU function with AES to build a secure MAC; the thing we're talking about here is Poly1305's h-function.