Nikos Mavrogiannopoulos <n.mavrogiannopou...@gmail.com> writes:

> Indeed, the reason (I presume) for this construction is to avoid a "flaw"
> in polynomial MACs. The "flaw" is that if you use a constant key per
> session, once an attacker manages to make a few forgeries he can recover the
> key.

Assuming there's no nonce, right? But on second reading, I think the
draft uses no poly1305 nonce, or at least, doesn't use a nonce in the
same way as with poly1305-aes.

But then, the question is how the 32 byte key is used. For poly1305-aes,
you have 16 bytes specifying the point where the polynomial is
evaluated, and a 16 byte aes key used to encrypt the nonce. Question is
how the other 16 bytes are used. I guess they're also mixed into the
digest output in some way.

> That construction (or at least a very similar one) is described by
> Bernstein in "Cryptography in NaCl".

Ok, I have to look that up, probably that will make everything clear.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
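Added example, not part of the thread or of Nettle: the Poly1305 one-time MAC core in Python, showing how the 32-byte key splits into r (the clamped evaluation point discussed above) and s (the other 16 bytes, which are simply added to the polynomial result mod 2^128; in poly1305-aes that half is AES_k(nonce)). The test vector is from RFC 7539; the second key in the demo is constructed.

```python
# Added example (not from the mailing-list thread): the Poly1305 one-time
# MAC core, showing how the two halves of the 32-byte key are used.
# key[0:16] -> r, the clamped point at which the message polynomial is
# evaluated mod 2^130-5; key[16:32] -> s, a pad added to the result mod 2^128.
# In poly1305-aes, s = AES_k(nonce); in chacha20-poly1305 (RFC 7539) the full
# 32-byte key is generated fresh per message from the ChaCha20 keystream.

P = (1 << 130) - 5
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff  # clears the 22 bits Poly1305 requires to be zero

def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """Compute the 16-byte Poly1305 tag of msg under a 32-byte one-time key."""
    if len(key) != 32:
        raise ValueError("Poly1305 key must be exactly 32 bytes (r || s)")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each (possibly short) block gets a 0x01 byte appended, so the
        # coefficient encodes its own length and blocks cannot be confused.
        block = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + block) * r) % P
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")

def tag_difference(key_a: bytes, key_b: bytes, msg: bytes) -> int:
    """Tag(a) - Tag(b) mod 2^128 for two keys that share r but differ in s.

    Because s is only added after the polynomial step, the difference is
    exactly s_a - s_b: the second key half is a pad, not a second
    evaluation point.
    """
    ta = int.from_bytes(poly1305_mac(key_a, msg), "little")
    tb = int.from_bytes(poly1305_mac(key_b, msg), "little")
    return (ta - tb) % (1 << 128)

# Test vector from RFC 7539, section 2.5.2.
RFC7539_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8" "0103808afb0db2fd4abff6af4149f51b")
RFC7539_MSG = b"Cryptographic Forum Research Group"
RFC7539_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    assert poly1305_mac(RFC7539_KEY, RFC7539_MSG) == RFC7539_TAG
    # Constructed second key: same r, s increased by one.
    s2 = (int.from_bytes(RFC7539_KEY[16:], "little") + 1) % (1 << 128)
    key2 = RFC7539_KEY[:16] + s2.to_bytes(16, "little")
    print(tag_difference(key2, RFC7539_KEY, RFC7539_MSG))  # 1
```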
