Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
> Indeed, the reason (I presume) for this construction is to avoid a "flaw" in polynomial MACs. The "flaw" is that if you use a constant key per session, once an attacker manages to make a few forgeries he can recover the key.
Assuming there's no nonce, right? But on second reading, I think the draft uses no poly1305 nonce, or at least, doesn't use a nonce in the same way as with poly1305-aes.
But then, the question is how the 32 byte key is used. For poly1305-aes, you have 16 bytes specifying the point where the polynomial is evaluated, and a 16 byte aes key used to encrypt the nonce. The question is how the other 16 bytes are used. I guess they're also mixed into the digest output in some way.
> That construction (or at least a very similar one) is described by Bernstein in "Cryptography in NaCl".
OK, I have to look that up; probably that will make everything clear.
Regards, /Niels
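As an added illustration of the point discussed in this thread (this is not code from the thread, from nettle, or from the draft being discussed), here is a small pure-Python Poly1305 that makes the split of the 32-byte key explicit: the first 16 bytes, after clamping, are the evaluation point r of the polynomial over 2^130 - 5, and the second 16 bytes s are simply added to the polynomial value modulo 2^128 to form the tag. In poly1305-aes that s is AES_k(nonce); in the ChaCha20-based construction it is taken from a ChaCha20 keystream block instead, which is why the "other 16 bytes" are what masks the digest. The function names (clamp, split_key, poly_eval, poly1305_mac, poly1305_verify) are my own. The check values are the Poly1305 test vector from RFC 8439 section 2.5.2.

```python
import hmac

P = (1 << 130) - 5  # Poly1305 works in the field of integers modulo 2^130 - 5

def clamp(r: int) -> int:
    """Clear the bits that Poly1305 requires to be zero in the evaluation point r."""
    return r & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF

def split_key(key: bytes):
    """Split the 32-byte one-time key into (r, s).

    r: first 16 bytes, little-endian, clamped -> the point where the polynomial
       is evaluated.
    s: last 16 bytes, little-endian -> added to the result to mask it.
    """
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes")
    r = clamp(int.from_bytes(key[:16], "little"))
    s = int.from_bytes(key[16:], "little")
    return r, s

def poly_eval(msg: bytes, r: int) -> int:
    """Evaluate the message polynomial at r (the unmasked value, before s is added)."""
    acc = 0
    for i in range(0, len(msg), 16):
        # Each 16-byte block (the last one may be shorter) gets a 0x01 byte
        # appended so that blocks of different lengths are distinct coefficients.
        block = msg[i:i + 16] + b"\x01"
        acc = (acc + int.from_bytes(block, "little")) * r % P
    return acc

def poly1305_mac(msg: bytes, key: bytes) -> bytes:
    """Tag = (polynomial(r) + s) mod 2^128, as 16 little-endian bytes."""
    r, s = split_key(key)
    h = poly_eval(msg, r)
    return ((h + s) % (1 << 128)).to_bytes(16, "little")

def poly1305_verify(msg: bytes, key: bytes, tag: bytes) -> bool:
    """Constant-time comparison against a freshly computed tag."""
    return hmac.compare_digest(poly1305_mac(msg, key), tag)

# Test vector from RFC 8439 section 2.5.2 (not constructed).
RFC8439_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"  # r half
    "0103808afb0db2fd4abff6af4149f51b"  # s half
)
RFC8439_MSG = b"Cryptographic Forum Research Group"
RFC8439_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    r, s = split_key(RFC8439_KEY)
    print("clamped r =", hex(r))
    print("tag       =", poly1305_mac(RFC8439_MSG, RFC8439_KEY).hex())
    print("verifies  =", poly1305_verify(RFC8439_MSG, RFC8439_KEY, RFC8439_TAG))
```

Because s only enters as a final addition, two keys that share r but differ in s give the same poly_eval value and different tags; that is exactly what a per-message s buys you, since an observer never sees the bare polynomial value that would let r be recovered from forgeries.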