TIL a Poly1305 tag with a zero key is always zero. So if you can fixate the key, you can make the tag verify for any message, like with X25519 low-order points. It does make sense; at that point the tag is m * 0 + 0 mod 2¹³⁰ - 5.
I just reread both http://cr.yp.to/mac/poly1305-20050329.pdf and https://cr.yp.to/highspeed/naclcrypto-20090310.pdf and I'm surprised there's no mention of these problems in either! (Well, the key reuse problem is there, but that's also well known, also affects e.g. secretbox, and is in the documentation there.)
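To make the first tweet's arithmetic concrete, here is an added example that is not part of the thread and not x/crypto's code: a plain big.Int rendering of the Poly1305 definition in Go. It checks itself against the RFC 8439 section 2.5.2 test vector (an assumption of mine; the thread does not cite that RFC), then shows that under the all-zero key every message, including the empty one, authenticates to the all-zero tag, because every block is multiplied by r = 0 and s = 0 adds nothing back.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"math/big"
)

// poly1305P is 2^130 - 5, the prime over which the message polynomial is evaluated.
var poly1305P = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 130), big.NewInt(5))

// mask128 is 2^128 - 1, used for the final reduction of (acc + s) mod 2^128.
var mask128 = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 128), big.NewInt(1))

// leToInt interprets b as an unsigned little-endian integer.
func leToInt(b []byte) *big.Int {
	rev := make([]byte, len(b))
	for i, v := range b {
		rev[len(b)-1-i] = v
	}
	return new(big.Int).SetBytes(rev)
}

// Poly1305 computes the one-time authenticator of msg under key = r || s.
// Written for clarity, not speed or constant time: it is the textbook
// definition, tag = ((c_1*r^n + ... + c_n*r) mod 2^130-5 + s) mod 2^128.
func Poly1305(key [32]byte, msg []byte) [16]byte {
	// Clamp r: clear the top 4 bits of bytes 3, 7, 11, 15 and the low 2 bits
	// of bytes 4, 8, 12. Clamping an all-zero r leaves it all-zero.
	rBytes := make([]byte, 16)
	copy(rBytes, key[:16])
	for _, i := range []int{3, 7, 11, 15} {
		rBytes[i] &= 15
	}
	for _, i := range []int{4, 8, 12} {
		rBytes[i] &= 252
	}
	r := leToInt(rBytes)
	s := leToInt(key[16:])

	acc := new(big.Int)
	for len(msg) > 0 {
		n := 16
		if len(msg) < n {
			n = len(msg)
		}
		// Each block, including a short final one, gets a 0x01 byte appended,
		// so its coefficient is never zero and blocks of different lengths differ.
		blk := append(append([]byte{}, msg[:n]...), 0x01)
		acc.Add(acc, leToInt(blk))
		acc.Mul(acc, r) // with r = 0 this zeroes the accumulator every block
		acc.Mod(acc, poly1305P)
		msg = msg[n:]
	}
	acc.Add(acc, s) // with s = 0 nothing is added back
	acc.And(acc, mask128)

	var be [16]byte
	acc.FillBytes(be[:]) // big-endian; serialise little-endian below
	var tag [16]byte
	for i, v := range be {
		tag[15-i] = v
	}
	return tag
}

// RFC8439VectorOK checks the implementation against the RFC 8439 2.5.2 vector
// (assumed here), so the zero-key result below is not just a broken MAC.
func RFC8439VectorOK() bool {
	k, _ := hex.DecodeString("85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b")
	var key [32]byte
	copy(key[:], k)
	tag := Poly1305(key, []byte("Cryptographic Forum Research Group"))
	return hex.EncodeToString(tag[:]) == "a8061dc1305136c6c22b8baf0c0127a9"
}

// TagWithZeroKey returns the tag of msg under the all-zero key (r = s = 0).
func TagWithZeroKey(msg []byte) [16]byte {
	var zero [32]byte
	return Poly1305(zero, msg)
}

// ZeroKeyVerifiesEverything reports whether every message in msgs gets the
// all-zero tag under the all-zero key, i.e. whether the tweet's observation holds.
func ZeroKeyVerifiesEverything(msgs [][]byte) bool {
	var zeroTag [16]byte
	for _, m := range msgs {
		if TagWithZeroKey(m) != zeroTag {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println("RFC 8439 vector ok:", RFC8439VectorOK())
	// Constructed sample messages: empty, short, and longer than one block.
	for _, m := range [][]byte{nil, []byte("hello"), []byte("a different message spanning more than one block")} {
		t := TagWithZeroKey(m)
		fmt.Printf("zero key, %q -> %s\n", m, hex.EncodeToString(t[:]))
	}
}
```

The vector check is the important half: a Poly1305 that returned zeros for every key would also "confirm" the zero-key claim. The example only covers the Poly1305 side of the tweet's X25519 comparison; in that setting a low-order peer point makes the X25519 output all-zero, and whatever is derived from it is then the attacker's problem to exploit and the implementer's to reject.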
Have you ever thought about putting these sorts of things in e.g. 'x/crypto/subtle' or something similar? Almost a cryptographic library equivalent to Rust's 'unsafe'.
Reason I ask is that I sometimes find myself in the sorts of corner-case situations where these kinds of primitives are necessary, and being able to reach for them (and get a maintained and known-good implementation) is useful. (Not that I have any need for poly1305 right now.)
An independent question about crypto: is it possible to generate private keys on a smartcard with Golang? Or use its random generator?