Hot take: cryptography engineering wouldn’t be that hard if we all just commented our damn code. A lot of the magic _makes sense_!
GHASH and POLYVAL values have to be encrypted with AES to become MAC tags. Neither function on its own is a MAC and the key is reversible. I think naked Poly1305 is also not a MAC, but it needs the nonce to be encrypted, rather than the output, to make it one.
-
Naked Poly1305 is a MAC AFAIK, it just has single-use keys and no nonce, which is why the original Poly1305-AES construction uses AES to derive them from (key, nonce).
-
I stand corrected, the tag isn't encrypted in RFC 8439. (You can do it that way, but AEAD_ChaCha20_Poly1305 doesn't.) In any case the article doesn't mention single-use keys.