Questions tagged [poly1305]

Poly1305-AES is a cryptographic message authentication code (MAC) written by Daniel J. Bernstein. It can be used to verify the data integrity and the authenticity of a message.

77 questions
23 votes, 3 answers

Why is Poly1305 popular given its 'sudden death' properties?

ECDSA has the undesirable property that if a key pair reuses a nonce in a signing operation, the cryptosystem experiences catastrophic failure in the form of private key leakage. I've heard this referred to as "sudden death" cryptography. Of course…
edifice
12 votes, 3 answers

What happened to Poly1305AES? Is it obsolete?

I've been told that Poly1305AES is a great choice of MAC for constrained (embedded) environments. I'd checked out DJB's writing on it briefly, and have to say that I found its simplicity likeable, performance convincing & security proofs rigorous…
ulidtko
11 votes, 3 answers

Is Poly1305 an information-theoretically secure MAC?

I have heard some people say that the Poly1305 authenticator is a "nuclear" MAC i.e. it is information-theoretically secure. After reading the paper I see it is based on the Wegman-Carter MAC which is supposedly the natural authentication pairing…
11 votes, 1 answer

Poly1305-AES vs AES-GCM

What are the advantages of Poly1305-AES over AES-GCM? Please note I am not talking about chacha20-Poly1305 that has been widely adopted, including by Google. But I would like to know pros and cons of Poly1305-AES vs AES-GCM
user12480
11 votes, 2 answers

Are poly1305 authenticators distinguishable from random data?

Assume Alice authenticates a message $M$ with nonce $N$ and secret key $K$, creating authenticator $A$. She then sends $A$ across the network. The Poly1305 paper does not seem to specify whether it is possible for an adversary, who has seen $A$, to…
Jay Sullivan
10 votes, 1 answer

How does NaCl Poly1305 implementation do modular multiplication?

The NaCl ref implementation of Poly1305 performs modular multiplication to calculate a polynomial $\mod 2^{130} - 5$ using the following modular multiplication function: static void mulmod(unsigned int h[17],const unsigned int r[17]) { unsigned…
archie
10 votes, 2 answers

Nonce encryption with Poly1305-Chacha20

I have seen that a couple of companies (like Google, Apple HomeKit) are adding "ChaCha20-Poly1305" as an encryption option. Poly1305 requires an algorithm to encrypt the nonce. The Poly1305-AES specification uses the AES algorithm to encrypt the nonce,…
rose
8 votes, 3 answers

What should the nonce value be for client-side encryption?

I am using the following chacha20poly1305 Rust library to encrypt some data in a desktop application. The user provides the key, which never leaves their device, to locally encrypt some data, and then the encrypted data is sent to a server for…
Rima Salloum
7 votes, 1 answer

Can Poly1305 be used with block ciphers running in CTR mode?

Is the use of Poly1305 limited to stream ciphers? (Note, I'm not talking about Poly1305-AES.) Can it be used with block ciphers running in CTR mode? If so, what other considerations/limitations are there? I like the simplicity of using a single…
hunter
7 votes, 2 answers

Is there an upper limit to plaintext size in XSalsa20Poly1305?

While fiddling with the NaCl implementation in Go, specifically SecretBox, a general crypto question came up after reading the documentation. Quote: Package secretbox encrypts and authenticates small messages. I haven't seen this before. Is there…
Awn
7 votes, 1 answer

Reason for poly1305's popularity?

Poly1305 (combined with ChaCha) is now used as the de facto Carter-Wegman MAC when it comes to pure software implementations. I wonder why this is the case when Poly1305 itself is quite slow (this paper shows it being 2x slower than UMAC/VMAC). Is…
DerekKnowles
7 votes, 1 answer

Why does NaCl's crypto_secretbox for xsalsa20-poly1305 require the first 32 bytes to be zero?

The NaCl web site says this is a requirement of the API, but it seems more than just an API issue. It means the first 32 bytes of the first salsa20 block are effectively ignored. I didn't see anything in the documentation that explains the reason…
skillzero
6 votes, 2 answers

Does Poly1305 have weak keys like GCM/GHASH?

Some block cipher keys are weak when used with GCM; see this question. This happens when the multiplier $H$ decided by the key ends up in a small-order subgroup of $\mathbb{F}_{2^{128}}$. Poly1305 has a very similar structure to GHASH. It's the…
Myria
6 votes, 1 answer

Does ChaCha20-Poly1305 need random nonce?

RFC 7539 says: "A 96-bit nonce -- different for each invocation with the same key". It doesn't explicitly say whether it has to be random or not. If we use an ever-incrementing counter, would that be secure? Generating cryptographically secure…
Saptarshi Basu
6 votes, 2 answers

ChaCha cipher + Poly1305

The Poly1305-AES paper summarizes the MAC as $$ \mathrm{Poly1305}(m, \mathrm{AES}_k(n)) = {H_r(m) + \mathrm{AES}_k(n)} \mod 2^{128} $$ Can I presume that $+$ here is just meant as a form of 16-byte mixing $H_r(m)$ and $\mathrm{AES}_k(n)$, and that…
orlp