On Tue, Jan 21, 2014 at 10:40 AM, Niels Möller nisse@lysator.liu.se wrote:
> Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
>
>> Indeed, the reason (I presume) for this construction is to avoid a
>> "flaw" in polynomial MACs. The "flaw" is that if you use a constant
>> key per session, once an attacker manages to make a few forgeries he
>> can recover the key.
>
> Assuming there's no nonce, right?

Indeed.

> But on second reading, I think the draft uses no poly1305 nonce, or at
> least, doesn't use a nonce in the same way as with poly1305-aes.

They have nothing in common. The nonce and the key used by poly1305 in
poly1305-chacha are the first blocks generated by chacha.
regards, Nikos
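The derivation Nikos describes, as an added example that is not part of the thread, the draft, or any library's code: the Poly1305 (r, s) pair is taken from the first ChaCha20 keystream block for the message nonce, so the long-term session key is never used directly as a polynomial-MAC key, and each nonce yields a fresh one-time key. The key/nonce layout follows the later RFC 8439 (32-byte key, 32-bit block counter, 96-bit nonce); the 2014 draft being discussed used a shorter nonce, so the exact nonce layout is an assumption here. The sample key and nonce are constructed, not taken from the thread.

```python
"""Added example: one-time Poly1305 key derived from ChaCha20 block 0.

Pure Python, no dependencies.  Functions follow RFC 8439 sections 2.3,
2.5 and 2.6; the nonce layout (96-bit) is an assumption, since the draft
under discussion in the thread used a different one.
"""
import struct

P1305 = (1 << 130) - 5
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff      # clears the 22 bits Poly1305 requires zero in r
CONSTANTS = struct.unpack('<4I', b'expand 32-byte k')


def _rotl32(v, n):
    return ((v << n) & 0xffffffff) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    """In-place ChaCha quarter round on state words a, b, c, d."""
    s[a] = (s[a] + s[b]) & 0xffffffff
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xffffffff
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xffffffff
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xffffffff
    s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block for (key, counter, nonce)."""
    assert len(key) == 32 and len(nonce) == 12
    state = list(CONSTANTS)
    state += struct.unpack('<8I', key)
    state += [counter & 0xffffffff]
    state += struct.unpack('<3I', nonce)
    w = state[:]
    for _ in range(10):                          # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12)           # column rounds
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)          # diagonal rounds
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    return struct.pack('<16I', *[(w[i] + state[i]) & 0xffffffff for i in range(16)])


def poly1305_key_gen(key, nonce):
    """The point made in the thread: Poly1305's (r, s) is simply the first
    32 bytes of keystream block 0 for this nonce.  The rest of block 0 is
    discarded; the data itself is encrypted starting at counter 1."""
    return chacha20_block(key, 0, nonce)[:32]


def poly1305_mac(otk, msg):
    """Poly1305 tag of msg under a 32-byte one-time key (r || s)."""
    r = int.from_bytes(otk[:16], 'little') & CLAMP
    s = int.from_bytes(otk[16:32], 'little')
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16] + b'\x01'          # append the 2^(8*len) bit
        acc = (acc + int.from_bytes(block, 'little')) * r % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, 'little')


def keys_are_per_nonce(key, nonce_a, nonce_b):
    """Same session key, two distinct nonces: the derived Poly1305 keys
    differ, so the forgery-based recovery of r discussed in the thread
    only ever exposes a key that is never reused."""
    return poly1305_key_gen(key, nonce_a) != poly1305_key_gen(key, nonce_b)


if __name__ == '__main__':
    key = bytes(range(0x80, 0xa0))               # constructed sample session key
    nonce = bytes([0, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7])   # constructed sample nonce
    otk = poly1305_key_gen(key, nonce)
    print('one-time Poly1305 key:', otk.hex())
    print('tag:', poly1305_mac(otk, b'Cryptographic Forum Research Group').hex())
    print('per-nonce keys differ:', keys_are_per_nonce(key, nonce, bytes(12)))
```

Note that nothing in the construction stops a caller from repeating a nonce under the same key; if that happens, two messages share (r, s) and the polynomial-MAC key recovery from the quoted paragraph applies again, so nonce uniqueness is the caller's responsibility.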