----- Original message -----
> From: "Adam Langley" <a...@google.com>
> To: "RFC Errata System" <rfc-edi...@rfc-editor.org>
> Cc: "Wan-Teh Chang" <w...@google.com>, "Nikos Mavrogiannopoulos"
> <n...@redhat.com>, "Joachim Strömbergson" <joac...@secworks.se>, "Simon
> Josefsson" <si...@josefsson.org>, "Kathleen Moriarty"
> <kathleen.moriarty.i...@gmail.com>, "Eric Rescorla" <e...@rtfm.com>, "Joseph
> Salowey" <j...@salowey.net>, sean+i...@sn3rd.com, "xavier bonnetain"
> <xavier.bonnet...@inria.fr>, tls@ietf.org
> Sent: Tuesday 13 February 2018 00:30:11
> Subject: Re: [Technical Errata Reported] RFC7905 (5251)

> On Thu, Feb 1, 2018 at 5:59 AM, RFC Errata System <rfc-edi...@rfc-editor.org>
> wrote:
>
> > Original Text
> > -------------
> > Poly1305 is designed to ensure that forged messages are rejected with
> > a probability of 1-(n/2^107), where n is the maximum length of the
> > input to Poly1305. In the case of (D)TLS, this means a maximum
> > forgery probability of about 1 in 2^93.
> >
> > Corrected Text
> > --------------
> > Poly1305 is designed to ensure that forged messages are rejected with
> > a probability of 1-(n/2^106), where n is the maximum length of the
> > input to Poly1305. In the case of (D)TLS, this means a maximum
> > forgery probability of about 1 in 2^92.
>
> I'm not sure that this errata report is correct.
>
> The full formula is beyond email HTML to express, but see the "Security
> Guarantee" section of https://cr.yp.to/mac/poly1305-20050329.pdf
>
> The section seems to be talking about blind forgeries, so C = 0. D = 1
> because this is a per-attempt measure. Then we have 8*L/16 on the top of the
> fraction, which is 1/2 * L (where L = byte length of a message). If we
> multiply top and bottom by two, we get L / 2^107. For (D)TLS, with a maximum
> encrypted plaintext length of ~2^14, that gives 2^{-93}.
>
> Cheers
>
> AGL

If we are in the situation C = 0, D = 1 and L=2^{14} for (D)TLS, the forgery probability may indeed not be affected (and may even be smaller). However, the explanation "Poly1305 is designed to ensure that forged messages are rejected with a probability of 1-(n/2^107), where n is the maximum length of the input to Poly1305." is presenting Poly1305 as slightly stronger than it really is (and there is an attack with success probability 2^{-106} with C=1, D=1, L=1, as the hashing key r has 106 effective bits).

Regards,
Xavier

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
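The arithmetic discussed in this thread, as an added example that is not part of any of the messages: it evaluates the bound from the "Security Guarantee" section of the Poly1305 paper, (1 - C/2^128)^(-(C+1)/2) * 8*D*ceil(L/16) / 2^106 with the cipher-distinguishing term left out, next to the RFC's n/2^107 shorthand, and counts the bits of r that survive key clamping. The function names are hypothetical; the clamp mask is the one given in RFC 8439.

```python
import math

# Clamping mask applied to the Poly1305 hashing key r (RFC 8439, section 2.5).
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff


def effective_r_bits(mask=R_CLAMP):
    """Number of bits of the 128-bit r that clamping leaves free."""
    return bin(mask).count("1")


def paper_bound_log2(C, D, L):
    """log2 of (1 - C/2^128)^(-(C+1)/2) * 8*D*ceil(L/16) / 2^106.

    C = authenticated messages seen, D = forgery attempts,
    L = maximum message length in bytes.
    """
    blocks = -(-L // 16)  # ceil(L / 16) in integer arithmetic
    # log1p keeps the tiny correction term accurate; it is exactly 0 for C = 0.
    correction = -((C + 1) / 2) * math.log1p(-C / 2**128) / math.log(2)
    return math.log2(8 * D * blocks) - 106 + correction


def shorthand_log2(n):
    """log2 of the RFC 7905 shorthand n / 2^107, n = input length in bytes."""
    return math.log2(n) - 107


if __name__ == "__main__":
    print("free bits in r after clamping:", effective_r_bits())
    # Constructed sample lengths: one byte, a non-multiple of 16, one block
    # boundary, and the ~2^14-byte (D)TLS record size used in the thread.
    for L in (1, 17, 4096, 2**14):
        print(f"L={L:6d}  paper bound 2^{paper_bound_log2(0, 1, L):8.2f}"
              f"  shorthand 2^{shorthand_log2(L):8.2f}")
```

The two expressions agree whenever L is a multiple of 16, which is why both sides of the thread arrive at 2^-93 for (D)TLS; for shorter or unaligned inputs the ceiling makes the shorthand smaller than the paper's bound, and at n = 1 it drops below the 2^-106 figure raised in the reply.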