The following errata report has been submitted for RFC7905,
"ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)".
--
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5251
--
Type: Technical
Reported by: Xavier Bonnetain
Section: 4. Security
Original Text
-------------
Poly1305 is designed to ensure that forged messages are rejected with
a probability of 1-(n/2^107), where n is the maximum length of the
input to Poly1305. In the case of (D)TLS, this means a maximum
forgery probability of about 1 in 2^93.
Corrected Text
--------------
Poly1305 is designed to ensure that forged messages are rejected with
a probability of 1-(n/2^106), where n is the maximum length of the
input to Poly1305. In the case of (D)TLS, this means a maximum
forgery probability of about 1 in 2^92.
Notes
-----
The security claimed on poly1305 is slightly beyond what was proven by the
designer (see https://cr.yp.to/mac/poly1305-20050329.pdf), and the trivial
forgery attempt with a message of length 1 succeeds with probability 2^{-106}.
Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
can log in to change the status and edit the report, if necessary.
--
RFC7905 (draft-ietf-tls-chacha20-poly1305-04)
--
Title : ChaCha20-Poly1305 Cipher Suites for Transport Layer
Security (TLS)
Publication Date: June 2016
Author(s) : A. Langley, W. Chang, N. Mavrogiannopoulos, J.
Strombergson, S. Josefsson
Category: PROPOSED STANDARD
Source : Transport Layer Security
Area: Security
Stream : IETF
Verifying Party : IESG