TIL a Poly1305 tag with a zero key is always zero. So if you can fixate the key, you can make the tag verify for any message, like with X25519 low order points. It does make sense, at that point the tag is m * 0 + 0 mod 2¹³⁰ - 5
-
-
Well, before I got distracted by this horror while writing tests... I had just completed a long-running quest: the generic chacha20poly1305 code now has ZERO allocations, opening the door to separate chacha20 and poly1305 assembly \o/ https://go-review.googlesource.com/c/crypto/+/206977 …
Prikaži ovu nit -
Novi razgovor -
-
-
Wait, are you exposing the Universal Hash Function or the MAC? It should xor the result into a block cipher, if I'm not mistaken.
-
Because if you expose the UHF, that will break if you just look at it the wrong way, yeah.
- Još 9 drugih odgovora
Novi razgovor -
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.