Questions tagged [poly1305]
Poly1305-AES is a cryptographic message authentication code (MAC) written by Daniel J. Bernstein. It can be used to verify the data integrity and the authenticity of a message.
78 questions
1 vote
2 answers
285 views
Why clamp Poly1305?
Introduction In 2005, Daniel J. Bernstein proposed a simple polynomial over $2^{130} - 5$ for fast universal hashing with applications to authenticated encryption [1]. Over the years, Poly1305 gained ...
7 votes
1 answer
1k views
Reason for poly1305's popularity?
Poly1305 (combined with ChaCha) is now used as the de facto Carter-Wegman MAC when it comes to pure software implementations. I wonder why this is the case when Poly1305 itself is quite slow (This ...
-2 votes
1 answer
140 views
Why increment counters by 1 in stream ciphers?
What is the security rationale behind incrementing by 1 in stream ciphers like ChaCha20Poly1305, which often only changes one or two bits and is very weak and predictable, versus other methods like ...
2 votes
2 answers
153 views
Can you use ChaCha20 as one-time pad?
My knowledge of cryptography is nothing beyond basic, so I am by no means an expert, but I do know a bit of undergraduate mathematics including number theory. I know that stream ciphers like ChaCha20 are ...
4 votes
2 answers
550 views
Are sponges inherently inefficient when compared to other constructions?
A sponge has by definition 'wasted' operations (the part of the state which always remains private but goes through all the ops of the permutation). In return for that waste you get a MAC at the end - ...
1 vote
3 answers
196 views
Poly1305 variants with bigger output?
This is a rather simple question, but answers are nowhere to be found. Are there any variants of Poly-n hashing algorithms which provide bigger outputs (like 32 instead of 16 bytes)? Or, is there any ...
0 votes
1 answer
95 views
How to calculate the inverse of function $x^3$ in $\mathbb{F}_{2^n}$
How to calculate the inverse of function $x^3$ in $\mathbb{F}_{2^n}$? Any monomial $x^d$ is a permutation in the field $\mathbb{F}_{2^n}$ iff $\gcd(d,2^{n}-1)=1$, why?
0 votes
0 answers
710 views
Nonces in chacha20poly1305 vs chacha20
I'm currently working on replacing the chacha20 encryption in my app with chacha20poly1305, but I'm running into a few questions that I can't seem to find clear answers to, mainly stemming from the ...
2 votes
2 answers
932 views
Is CMAC secure without IV and the same key? (authenticate only)
I am a bit unsure about CMAC and GMAC and maybe someone can help me. As far as I know, CMAC does not use an IV [SP 800-38B ch. 6.2]. Is it then secure if I use the same key for different messages? ...
1 vote
0 answers
316 views
xChaCha20 Block Keys for Poly1305
So xChaCha20 has a nonce size large enough to safely use a random nonce with the same key. Poly1305 generally uses the first block of the cipher's output to generate its nonce. For xChaCha20 it would ...
0 votes
1 answer
4k views
How to choose between AES256-GCM, XSalsa20Poly1305 and XChaCha20Poly1305?
In libsodium, there are 3 symmetric encryption (stream cipher) constructions, which are AES256-GCM (hardware-accelerated), XSalsa20Poly1305 and XChaCha20Poly1305 (uncertain which version of libsodium added support to ...
1 vote
1 answer
346 views
Security level of Poly1305 and GMAC
The Libsodium docs list the AEAD forgery limits for ChaCha20Poly1305 and AES-GCM, which seem like a < 128-bit security level, but say that it's not a practical concern. I've seen other people say ...
6 votes
2 answers
285 views
Does Poly1305 have weak keys like GCM/GHASH?
Some block cipher keys are weak when used with GCM; see this question. This happens when the multiplier $H$ decided by the key ends up in a small-order subgroup of $\mathbb{F}_{2^{128}}$. Poly1305 ...
2 votes
1 answer
389 views
Poly1305 reuse of r
Poly1305 uses $r, r^2, r^3$ and $r^4$. I understand this if $r$ is a generator of the finite field. But since $r$ can be any random non-zero number, won't its exponents be non-uniformly distributed? ...
1 vote
0 answers
89 views
Impact of partitioning oracle attacks on file encryption?
I've just learned about partitioning oracle attacks recently, and I would like to clarify some things that are a little foggy to me right now. According to this thread, The aim is the recovery of a ...