Hi All,

I'm having trouble finding a reference to the way additional data is authenticated. In the past, I simply used the following (under an independent key):

    tag = HMAC(AAD, Ciphertext)

Recently, I came across a post by Dr. Bernstein [1] that states:

    "I find it quite strange to see a call for "minimalism" from people who keep writing definitions that treat associated data separately from plaintext. It's clearly more "minimal" for the cryptographer to allow just plaintext, and to tell the user to put a hash of the associated data into the plaintext."

I think that means:

    tag = HMAC(HASH(AAD), Ciphertext)

That raises a few questions for me:

1. What problem does HASH(AAD) solve?
2. How does the handling change if I want to use a digital signature rather than an HMAC/CMAC?
3. In both cases (HMAC/CMAC or digital signature), is leaking timing information during the hash comparison a concern? (I feel like it should be because the adversary might not know the hash in advance under some use cases.) Or is the concern over leaking timing information limited to the secret data, such as the HMAC/CMAC key or the private exponent?

Jeff

[1] https://groups.google.com/forum/#!msg/crypto-competitions/n5ECGwYr6Vk/St1FEZoQ-E8J

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
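As an added example that is not part of Jeff's post (constructed key and sample inputs), the Python below shows one concrete property a fixed-length HASH(AAD) field gives the tag: with a raw AAD || Ciphertext concatenation the AAD/ciphertext boundary is not encoded, so moving a byte across it still verifies under the same tag, whereas a 32-byte hash of the AAD pins the boundary. The tag check uses hmac.compare_digest, the standard library's constant-time comparison.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment derives an independent MAC key.
KEY = b"constructed-demo-key-not-for-real-use"


def tag_concat(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Tag over the raw concatenation AAD || Ciphertext.

    The AAD length is not encoded anywhere, so the receiver cannot tell
    where the AAD ends and the ciphertext begins.
    """
    return hmac.new(key, aad + ciphertext, hashlib.sha256).digest()


def tag_hashed_aad(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Tag over SHA-256(AAD) || Ciphertext.

    The AAD field is always exactly 32 bytes, so the split point is fixed
    and a given tag binds one (AAD, Ciphertext) pair (up to hash collisions).
    """
    aad_digest = hashlib.sha256(aad).digest()
    return hmac.new(key, aad_digest + ciphertext, hashlib.sha256).digest()


def verify(key: bytes, aad: bytes, ciphertext: bytes, tag: bytes, tag_fn) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(tag_fn(key, aad, ciphertext), tag)


def boundary_ambiguity(key: bytes, aad: bytes, ciphertext: bytes, tag_fn) -> bool:
    """Return True if shifting the last AAD byte into the ciphertext still verifies.

    A True result means the tag does not bind the AAD/ciphertext boundary.
    Requires non-empty AAD.
    """
    tag = tag_fn(key, aad, ciphertext)
    shifted_aad, shifted_ct = aad[:-1], aad[-1:] + ciphertext
    return verify(key, shifted_aad, shifted_ct, tag, tag_fn)


if __name__ == "__main__":
    aad, ct = b"hdr", b"ct"  # constructed sample AAD and ciphertext
    print("raw concat ambiguous:", boundary_ambiguity(KEY, aad, ct, tag_concat))
    print("hashed AAD ambiguous:", boundary_ambiguity(KEY, aad, ct, tag_hashed_aad))
```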