Is the use of Poly1305 limited to stream ciphers (note, I'm not talking about Poly1305-AES)? Can it be used with block ciphers running in CTR mode? If so, what other considerations/limitations are there? I like the simplicity of using a single key for encryption/authentication, but authenticated modes like GCM are limited to block ciphers.
1 Answer
Q2: No, Poly1305 is not limited to stream ciphers. Yes, Poly1305 can be used with block ciphers running in CTR mode, if you use it appropriately.
I don't know whether the NaCl use is secure (whether NaCl uses it appropriately); I haven't tried to analyze NaCl. Given that NaCl was built by reputable cryptographers, I would be inclined to guess that it's probably fine. I realize this doesn't answer your full question.
Alternatively, if you were asking because you were thinking of designing your own scheme that makes use of Poly1305, my reaction is: if you're designing it, you should just use some reputable authenticated encryption scheme. From an engineering perspective, that's probably the best solution: it minimizes the chances you foul things up somehow. If you try to use Poly1305 in some custom way you design, the risk of introducing security problems is higher.
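One way to read "appropriately" in the answer above, as an added example that is not from the question, the answer, or NaCl: Poly1305 is a one-time authenticator, so each message gets a fresh Poly1305 key taken from the start of the AES-CTR keystream, and the tag covers the ciphertext with explicit lengths. The function names `seal` and `open_` are hypothetical, the code needs the Python `cryptography` package, and the layout mirrors RFC 8439's ChaCha20-Poly1305 with AES-256-CTR substituted, which is this example's assumption and not a standardized mode.

```python
import struct
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import poly1305
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Assumption of this example: RFC 8439's AEAD layout with AES-256-CTR in place
# of ChaCha20. Single long-term key, 12-byte nonce that must be unique per key.


def _pad16(data: bytes) -> bytes:
    """Zero padding up to a 16-byte boundary, so field boundaries are unambiguous."""
    return b"\x00" * (-len(data) % 16)


def _stream(key: bytes, nonce: bytes):
    """Start AES-256-CTR at counter 0 and peel off the one-time Poly1305 key."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("need a 32-byte key and a 12-byte nonce")
    # Counter block = nonce || 32-bit counter; keep messages far below 2**32 blocks.
    ctr = Cipher(algorithms.AES(key), modes.CTR(nonce + b"\x00" * 4)).encryptor()
    # Keystream blocks 0-1 become the Poly1305 key (r || s) and never encrypt data.
    one_time_key = ctr.update(b"\x00" * 32)
    return one_time_key, ctr


def _mac_input(aad: bytes, ct: bytes) -> bytes:
    lengths = struct.pack("<QQ", len(aad), len(ct))
    return aad + _pad16(aad) + ct + _pad16(ct) + lengths


def seal(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: returns ciphertext || 16-byte tag."""
    one_time_key, ctr = _stream(key, nonce)
    ct = ctr.update(plaintext)
    return ct + poly1305.Poly1305.generate_tag(one_time_key, _mac_input(aad, ct))


def open_(key: bytes, nonce: bytes, sealed: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first; release plaintext only if it is valid."""
    if len(sealed) < 16:
        raise InvalidSignature("truncated message")
    ct, tag = sealed[:-16], sealed[-16:]
    one_time_key, ctr = _stream(key, nonce)
    # Constant-time comparison inside the library; raises InvalidSignature on mismatch.
    poly1305.Poly1305.verify_tag(one_time_key, _mac_input(aad, ct), tag)
    return ctr.update(ct)
```

Reusing a nonce under the same key repeats both the keystream and the Poly1305 key, which breaks confidentiality and authentication together; a maintained AEAD from a vetted library, as the answer recommends, carries the same requirement.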