
Questions tagged [poly1305]

Poly1305-AES is a cryptographic message authentication code (MAC) written by Daniel J. Bernstein. It can be used to verify the data integrity and the authenticity of a message.

2 votes
2 answers
109 views

Can you use ChaCha20 as one-time pad?

My knowledge of cryptography is nothing beyond basic, so I am by no means an expert, but I do know a bit of undergraduate mathematics including number theory. I know that stream ciphers like ChaCha20 are ...
cryptobro
3 votes
2 answers
344 views

Are sponges inherently inefficient when compared to other constructions?

A sponge has by definition 'wasted' operations (the part of the state which always remains private but goes through all the ops of the permutation). In return for that waste you get a MAC at the end - ...
LightTunnelEnd
1 vote
3 answers
146 views

Poly1305 variants with bigger output?

This is a rather simple question, but answers are nowhere to be found. Are there any variants of Poly-n hashing algorithms which provide bigger outputs (like 32 instead of 16 bytes)? Or, is there any ...
donaastor
0 votes
1 answer
75 views

How to calculate the inverse of function $x^3$ in $\mathbb{F}_{2^n}$

How to calculate the inverse of function $x^3$ in $\mathbb{F}_{2^n}$? Any monomial $x^d$ is a permutation in the field $\mathbb{F}_{2^n}$ iff $\gcd(d,2^{n}-1)=1$, why?
mini minions
0 votes
0 answers
441 views

Nonces in chacha20poly1305 vs chacha20

I'm currently working on replacing the chacha20 encryption in my app with chacha20poly1305, but I'm running into a few questions that I can't seem to find clear answers to, mainly stemming from the ...
Keegan Conlee
1 vote
2 answers
674 views

Is CMAC secure without IV and the same key? (authenticate only)

I am a bit unsure about CMAC and GMAC and maybe someone can help me. As far as I know, CMAC does not use an IV [SP 800-38B ch. 6.2]. Is it then secure if I use the same key for different messages? ......
SBond
1 vote
0 answers
248 views

xChaCha20 Block Keys for Poly1305

So xChaCha20 has a nonce size large enough to safely use a random nonce with the same key. Poly1305 generally uses the first block of the cipher's output to generate its nonce. For xChaCha20 it would ...
Keith
0 votes
1 answer
3k views

How to choose between AES256-GCM, XSalsa20Poly1305 and XChaCha20Poly1305?

In libsodium, there are 3 symmetric encryption (stream cipher) which are AES256-GCM (Hardware-accelerated), XSalsa20Poly1305 and XChaCha20Poly1305 (uncertain which version of libsodium add support to ...
Hern
1 vote
1 answer
229 views

Security level of Poly1305 and GMAC

The Libsodium docs list the AEAD forgery limits for ChaCha20Poly1305 and AES-GCM which seems like a < 128-bit security level but says that it's not a practical concern. I've seen other people say ...
Malcolm
6 votes
2 answers
219 views

Does Poly1305 have weak keys like GCM/GHASH?

Some block cipher keys are weak when used with GCM; see this question. This happens when the multiplier $H$ decided by the key ends up in a small-order subgroup of $\mathbb{F}_{2^{128}}$. Poly1305 ...
Myria
2 votes
1 answer
313 views

Poly1305 reuse of r

Poly1305 uses $r, r^2, r^3$ and $r^4$. I understand this if $r$ is a generator of the finite field. But since $r$ can be any random non-zero number, won't its exponents be non-uniformly distributed? ...
SRobertJames
1 vote
0 answers
78 views

Impact of partitioning oracle attacks on file encryption?

I've just learned about partitioning oracle attacks recently, and I would like to clarify some things that are a little foggy to me right now. According to this thread, The aim is the recovery of a ...
Evan Su
1 vote
0 answers
290 views

Implement deterministic authenticated encryption using libsodium

Note: this is my first question on Stack Exchange, let me know if you miss some details to answer and I will edit the question accordingly. Context: I'm willing to create a git encryption tool (...
TychoTa
1 vote
2 answers
232 views

Is nonce-less Encrypt-then-HMAC as secure as poly1305

While reading https://crypto.stackexchange.com/a/88732/87450 I noticed that it suggests encrypt-then-HMAC as a defense for partition attacks. However as far as I know unlike poly1305, HMAC does not ...
augustus
1 vote
0 answers
24 views

Is Poly1305 enough for cascading ciphers? [duplicate]

ChaCha20 along with Poly1305 provides confidentiality and integrity. Now suppose I cascade AES on top of ChaCha20. Is it safe to assume that the Poly1305 MAC is still secure, even if I cascade ...
Evan Su
