On Thu, Dec 17, 2015 at 02:14:18PM -0500, James Cloos wrote:
> Given the issues w/ gcm currently under discussion, and that poly1305
> was originally proposed to use w/ aes, should tls recommend aes-poly1305
> instead of aes-gcm for those who want to continue to use aes?
>
> Or does chacha-poly1305 not fall victim to the 2^36 attack not because
> of the aead but rather because of chacha?
AFAIK, there are two possible reasons for the difference (one or both may contribute):

- Chacha20 is PRF(unction), AES is PRP(ermutation).
- Chacha20-Poly1305 has per-packet r and s, AES-Poly1305 and AES-GCM only have per-packet s and per-key r (as originally proposed).

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
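Added example, not part of the thread: what "per-packet r and s" means for ChaCha20-Poly1305. The Poly1305 key is the first 32 bytes of ChaCha20 block 0 under the record nonce, so both r (the clamped polynomial evaluation point) and s (the final pad) change with every packet; the key and first nonce are the RFC 8439 section 2.6.2 test vector, the second nonce is constructed here to show that r differs between packets.

```python
import struct

MASK32 = 0xffffffff
# Poly1305 clamp mask, applied to r as a little-endian integer (RFC 8439 s2.5)
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(x, a, b, c, d):
    x[a] = (x[a] + x[b]) & MASK32; x[d] = _rotl32(x[d] ^ x[a], 16)
    x[c] = (x[c] + x[d]) & MASK32; x[b] = _rotl32(x[b] ^ x[c], 12)
    x[a] = (x[a] + x[b]) & MASK32; x[d] = _rotl32(x[d] ^ x[a], 8)
    x[c] = (x[c] + x[d]) & MASK32; x[b] = _rotl32(x[b] ^ x[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 8439 s2.3)."""
    state = [0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]
    state += list(struct.unpack('<8I', key))        # 256-bit key
    state.append(counter)                           # 32-bit block counter
    state += list(struct.unpack('<3I', nonce))      # 96-bit nonce
    x = state[:]
    for _ in range(10):                             # 20 rounds = 10 double rounds
        _quarter_round(x, 0, 4, 8, 12); _quarter_round(x, 1, 5, 9, 13)
        _quarter_round(x, 2, 6, 10, 14); _quarter_round(x, 3, 7, 11, 15)
        _quarter_round(x, 0, 5, 10, 15); _quarter_round(x, 1, 6, 11, 12)
        _quarter_round(x, 2, 7, 8, 13); _quarter_round(x, 3, 4, 9, 14)
    return struct.pack('<16I', *[(x[i] + state[i]) & MASK32 for i in range(16)])


def poly1305_key_gen(key, nonce):
    """Per-packet Poly1305 key: (r_clamped, s) from ChaCha20 block 0 (RFC 8439 s2.6)."""
    block = chacha20_block(key, 0, nonce)
    r = int.from_bytes(block[:16], 'little') & R_CLAMP
    s = int.from_bytes(block[16:32], 'little')
    return r, s


# RFC 8439 s2.6.2 test vector key and nonce
KEY = bytes(range(0x80, 0xa0))
NONCE_PKT1 = bytes.fromhex('000000000001020304050607')
# Constructed second record nonce (e.g. next sequence number), not from the RFC
NONCE_PKT2 = bytes.fromhex('000000000001020304050608')

if __name__ == '__main__':
    for n in (NONCE_PKT1, NONCE_PKT2):
        r, s = poly1305_key_gen(KEY, n)
        print(n.hex(), 'r=%032x' % r, 's=%032x' % s)
```

Under the same long-term key, each nonce yields a fresh r, which is the property the reply above contrasts with GCM's single per-key hash key.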