Regarding review of Poly1305. There’s DJB’s paper:
http://link.springer.com/chapter/10.1007/11502760_3#page-1

Wang, Lin, and Wu, A Variant of Poly1305 MAC and Its Security Proof:
http://link.springer.com/chapter/10.1007/11596981_55#page-2
(and a few more from the same authors)

Procter & Cid, On Weak Keys and Forgery Attacks against Polynomial-based MAC Schemes:
http://eprint.iacr.org/2013/144.pdf

Handschuh & Preneel, Key Recovery Attacks on Universal Hash Functions Based MAC Algorithms,
Do a whole bunch of articles that say “Poly1305 [some-number] is a secure MAC algorithm. Now we’ll talk about something completely different” count?

So while there are few papers addressing Poly1305 itself, there are plenty addressing MACs based on universal hashes, and giving Poly1305 as an example.

Yoav

On Mar 31, 2014, at 11:17 AM, Yaron Sheffer <yaronf.i...@gmail.com> wrote:

> Thank you Yoav. My personal responses below.
>
> Also, I would like a comment from someone in the know: ChaCha (or at least
> its cousin Salsa) has had extensive cryptographic review, including an open
> competition. I am not sure the same is true for Poly1305, can someone
> enlighten me?
>
> Best,
> Yaron
>
> On 03/31/2014 10:12 AM, Yoav Nir wrote:
>> Hi.
>>
>> I’ve posted a new version of the ChaCha20-Poly1305 draft.
>
> [...]
>
>>
>> Comments are, of course, welcome, and I’d like to repeat my questions
>> from the London meeting:
>> - Should this be a WG item.
> Yes, it's time we had good alternative crypto.
>> - Should we apply for early identifier assignment
> No, I don't see such a rush to implement. But feel free to prove me wrong.
>> - Should this be extended for IKE (current draft covers only ESP)
> Yes, we need alternative crypto for IKE just as we do for ESP.
>>
>> Yoav
>>
>> Begin forwarded message:
>>
>>> From: internet-dra...@ietf.org
>>> Subject: New Version Notification for
>>> draft-nir-ipsecme-chacha20-poly1305-02.txt
>>> Date: March 31, 2014 at 9:44:43 AM GMT+3
>>> To: Yoav Nir <ynir.i...@gmail.com>,
>>> "Yoav Nir" <ynir.i...@gmail.com>
>>>
>>>
>>> A new version of I-D, draft-nir-ipsecme-chacha20-poly1305-02.txt
>>> has been successfully submitted by Yoav Nir and posted to the
>>> IETF repository.
>>>
>>> Name:           draft-nir-ipsecme-chacha20-poly1305
>>> Revision:       02
>>> Title:          ChaCha20 and Poly1305 and their use in IPsec
>>> Document date:  2014-03-31
>>> Group:          Individual Submission
>>> Pages:          7
>>> URL:            http://www.ietf.org/internet-drafts/draft-nir-ipsecme-chacha20-poly1305-02.txt
>>> Status:         https://datatracker.ietf.org/doc/draft-nir-ipsecme-chacha20-poly1305/
>>> Htmlized:       http://tools.ietf.org/html/draft-nir-ipsecme-chacha20-poly1305-02
>>> Diff:           http://www.ietf.org/rfcdiff?url2=draft-nir-ipsecme-chacha20-poly1305-02
>>>
>>> Abstract:
>>>    This document describes the use of the ChaCha20 stream cipher along
>>>    with the Poly1305 authenticator, combined into an AEAD algorithm for
>>>    IPsec.
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>>> submission until the htmlized version and diff are available at
>>> tools.ietf.org.
>>>
>>> The IETF Secretariat
>>>
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec