----- Original message -----
> From: "Adam Langley" <[email protected]>
> To: "RFC Errata System" <[email protected]>
> Cc: "Wan-Teh Chang" <[email protected]>, "Nikos Mavrogiannopoulos"
> <[email protected]>, "Joachim Strömbergson" <[email protected]>, "Simon
> Josefsson" <[email protected]>, "Kathleen Moriarty"
> <[email protected]>, "Eric Rescorla" <[email protected]>, "Joseph
> Salowey" <[email protected]>, [email protected], "xavier bonnetain"
> <[email protected]>, [email protected]
> Sent: Tuesday 13 February 2018 00:30:11
> Subject: Re: [Technical Errata Reported] RFC7905 (5251)
> On Thu, Feb 1, 2018 at 5:59 AM, RFC Errata System <[email protected]> wrote:
>
> > Original Text
> > -------------
> > Poly1305 is designed to ensure that forged messages are rejected with
> > a probability of 1-(n/2^107), where n is the maximum length of the
> > input to Poly1305. In the case of (D)TLS, this means a maximum
> > forgery probability of about 1 in 2^93.
> >
> > Corrected Text
> > --------------
> > Poly1305 is designed to ensure that forged messages are rejected with
> > a probability of 1-(n/2^106), where n is the maximum length of the
> > input to Poly1305. In the case of (D)TLS, this means a maximum
> > forgery probability of about 1 in 2^92.
>
> I'm not sure that this errata report is correct.
>
> The full formula is beyond email HTML to express, but see the "Security
> Guarantee" section of https://cr.yp.to/mac/poly1305-20050329.pdf
>
> The section seems to be talking about blind forgeries, so C = 0. D = 1
> because this is a per-attempt measure. Then we have 8*L/16 on the top of the
> fraction, which is 1/2 * L (where L = byte length of a message). If we
> multiply top and bottom by two, we get L / 2^107. For (D)TLS, with a maximum
> encrypted plaintext length of ~2^14, that gives 2^{-93}.
>
> Cheers
>
> AGL

If we are in the situation C = 0, D = 1 and L=2^{14} for (D)TLS, the forgery probability may indeed not be affected (and may even be smaller).

However, the explanation "Poly1305 is designed to ensure that forged messages are rejected with a probability of 1-(n/2^107), where n is the maximum length of the input to Poly1305." is presenting Poly1305 as slightly stronger than it really is (and there is an attack with success probability 2^{-106} with C=1, D=1, L=1, as the hashing key r has 106 effective bits).

Regards,
Xavier
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
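Added example, not part of the thread or of RFC 7905: the arithmetic both messages rely on, carried through with exact fractions so the RFC wording, the proposed erratum and the bound from the cited paper can be compared at any message length. It assumes C = 0 and a per-attempt bound of 8·D·⌈L/16⌉/2^106 (the ceiling is taken from the cited paper's statement; the thread writes 8*L/16), and it takes the 2^{-106} figure for L = 1 from the reply above; all function names are illustrative.

```python
from fractions import Fraction
from math import log2

# Success probability quoted in the reply for C=1, D=1, L=1 (value from the thread).
QUOTED_ATTACK_L1 = Fraction(1, 2**106)

def paper_bound(L, D=1):
    """Bound with C = 0: 8*D*ceil(L/16) / 2^106 (ceiling assumed from the cited paper)."""
    chunks = -(-L // 16)  # ceil(L/16): number of 16-byte chunks in an L-byte message
    return Fraction(8 * D * chunks, 2**106)

def rfc_text(n):
    """Forgery probability as worded in RFC 7905: n / 2^107."""
    return Fraction(n, 2**107)

def erratum_text(n):
    """Forgery probability as worded in the proposed erratum: n / 2^106."""
    return Fraction(n, 2**106)

def log2_exact(p):
    """log2 of a Fraction without first rounding the fraction to a float."""
    return log2(p.numerator) - log2(p.denominator)

def compare(L):
    """Evaluate the three expressions for an L-byte message."""
    p, r, e = paper_bound(L), rfc_text(L), erratum_text(L)
    return {
        "L": L,
        "paper_log2": log2_exact(p),
        "rfc_log2": log2_exact(r),
        "erratum_log2": log2_exact(e),
        # n/2^107 equals the chunk-based bound only when 16 divides L;
        # otherwise the chunk-based bound is strictly larger.
        "rfc_matches_paper": r == p,
        # True when the RFC wording promises less than the quoted attack achieves.
        "rfc_below_quoted_attack": r < QUOTED_ATTACK_L1,
    }

if __name__ == "__main__":
    # 1 byte, one byte past a chunk boundary, and the ~2^14 (D)TLS record size.
    for L in (1, 17, 2**14):
        print(compare(L))
```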
