TIL a Poly1305 tag with a zero key is always zero. So if you can fixate the key, you can make the tag verify for any message, like with X25519 low order points. It does make sense, at that point the tag is m * 0 + 0 mod 2¹³⁰ - 5
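
An added worked example, not part of the thread and not the x/crypto code being audited: a from-scratch Poly1305 over math/big that first checks itself against the RFC 8439 section 2.5.2 test vector, then shows the case above, where the all-zero key gives r = 0 and s = 0 and the all-zero tag verifies for every message. It also goes one step further than the tweet: any key whose r half becomes zero after clamping gives the message-independent tag s, so a byte-wise "is the key all zero" check is not a sufficient guard. Function names (Poly1305, Verify, RFCVectorMatches, MessageIndependent) and the sample messages are my own choices.

```go
package main

import (
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/big"
)

// p = 2^130 - 5, the prime Poly1305 evaluates its polynomial over.
var p = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 130), big.NewInt(5))

// leToInt reads b as a little-endian unsigned integer.
func leToInt(b []byte) *big.Int {
	rev := make([]byte, len(b))
	for i, v := range b {
		rev[len(b)-1-i] = v
	}
	return new(big.Int).SetBytes(rev)
}

// clampedR returns the r half of the key with the RFC 8439 clamping applied.
func clampedR(key [32]byte) *big.Int {
	rb := make([]byte, 16)
	copy(rb, key[:16])
	rb[3], rb[7], rb[11], rb[15] = rb[3]&15, rb[7]&15, rb[11]&15, rb[15]&15
	rb[4], rb[8], rb[12] = rb[4]&252, rb[8]&252, rb[12]&252
	return leToInt(rb)
}

// Poly1305 computes the RFC 8439 tag: ((m_1*r^n + ... + m_n*r) mod p + s) mod 2^128.
// Educational big.Int version: not constant time, not for production use.
func Poly1305(key [32]byte, msg []byte) [16]byte {
	r := clampedR(key)
	s := leToInt(key[16:])
	acc := new(big.Int)
	for len(msg) > 0 {
		n := len(msg)
		if n > 16 {
			n = 16
		}
		block := make([]byte, n+1)
		copy(block, msg[:n])
		block[n] = 1 // the extra 1 bit that makes the block encoding injective
		acc.Add(acc, leToInt(block))
		acc.Mul(acc, r)
		acc.Mod(acc, p)
		msg = msg[n:]
	}
	acc.Add(acc, s)
	// The tag is the low 128 bits of acc, little-endian.
	var tag [16]byte
	be := acc.Bytes()
	for i := 0; i < 16 && i < len(be); i++ {
		tag[i] = be[len(be)-1-i]
	}
	return tag
}

// Verify recomputes the tag and compares it in constant time.
func Verify(key [32]byte, msg []byte, tag [16]byte) bool {
	got := Poly1305(key, msg)
	return subtle.ConstantTimeCompare(got[:], tag[:]) == 1
}

// RFCVectorMatches checks the implementation against RFC 8439 section 2.5.2.
func RFCVectorMatches() bool {
	kb, _ := hex.DecodeString("85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b")
	var key [32]byte
	copy(key[:], kb)
	tag := Poly1305(key, []byte("Cryptographic Forum Research Group"))
	return hex.EncodeToString(tag[:]) == "a8061dc1305136c6c22b8baf0c0127a9"
}

// MessageIndependent reports whether the clamped r is zero; then the tag is
// simply s for every message (the all-zero key is the s = 0 special case).
func MessageIndependent(key [32]byte) bool {
	return clampedR(key).Sign() == 0
}

func main() {
	fmt.Println("RFC 8439 vector ok:", RFCVectorMatches())

	var zeroKey [32]byte
	var zeroTag [16]byte
	// Constructed sample messages; all of them carry the same (zero) tag.
	for _, m := range []string{"", "pay alice 1 BTC", "pay mallory 1000 BTC"} {
		fmt.Printf("zero key, msg %q: tag=%x verifies_with_zero_tag=%v\n",
			m, Poly1305(zeroKey, []byte(m)), Verify(zeroKey, []byte(m), zeroTag))
	}

	// Not all-zero as bytes, but every set bit in the r half is one clamping removes.
	var clampsAway [32]byte
	clampsAway[3], clampsAway[4], clampsAway[16] = 0xf0, 0x03, 0x42
	fmt.Println("clamps-away key is message independent:", MessageIndependent(clampsAway))
	fmt.Printf("tag(\"a\")=%x tag(\"bb\")=%x\n",
		Poly1305(clampsAway, []byte("a")), Poly1305(clampsAway, []byte("bb")))
}
```

The clamping is what makes the bytewise check insufficient: bytes 3, 7, 11 and 15 keep only their low nibble and bytes 4, 8 and 12 lose their low two bits, so a key that is nonzero on the wire can still evaluate the polynomial at r = 0. Whether such keys can occur depends on how the key is chosen, which is the point of the thread: inside an AEAD the key comes from the cipher keystream and is unpredictable, whereas a key an attacker can fixate is fatal.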

It's Sunday night, I'm at @recursecenter, and I'm auditing uses of x/poly1305 to make a point. I'm terrified I'll find vulnerabilities in the process. Help?

Well, before I got distracted by this horror while writing tests... I had just completed a long-running quest: the generic chacha20poly1305 code now has ZERO allocations, opening the door to separate chacha20 and poly1305 assembly \o/ https://go-review.googlesource.com/c/crypto/+/206977 …

New conversation

this is why it’s good not to put cryptography in the standard library :P

So that it's someone else's problem? :P

(2 more replies)

New conversation

will you deprecate it?

New conversation

We exposed it in pyca/cryptography because of SSH. Unfortunate though.

Oh, right, SSH does that weird thing. One more reason to split up the chacha20poly1305 assembly.

New conversation

Really no one should be using a universal hash outside of a construction explicitly designed for one (i.e. AEAD mode that properly derives a unique key per nonce and/or encrypts the output). It's "hazmat".

(1 more reply)