Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
> btw. It would be nice if the list would notify the poster when messages are being held.
It's intended to do that, but I'm not very good at mailman configuration, so I guess I have messed that up somehow.
> Also please use Nikos for my name.
Noted, sorry about that.
> Do you think the current function could provide information on the plaintext? From a quick look it is not obvious to me, but I haven't checked thoroughly.
The poly_hash function clearly has data-dependent timing. Whether it is useful for the attacker, I don't know.
> Note that the current limit on the code is 16MB messages per tag, not per key, so it is oversufficient for all practical uses of a MAC (which is not the same as a hash).
I consider handling of large files to be an important application of any MAC. When encrypting a large file (typical cases: session key derived from a passphrase, or random session key encrypted with RSA), the session key should always include a MAC key for authenticating the data. And streaming operation is important, and then you don't even know in advance if the file is going to be small or large.
> I haven't checked whether adding support for larger messages per tag would reduce performance, but if this is the case I think it would be pretty counter-productive.
It should make no difference for short messages. The "layer-2" hashing for large messages will be some four times slower than for short messages. Not sure what the overall slowdown would be; the layer-2 work may still be a small fraction of the time spent in the layer-1 hashing.
Regards, /Niels