CryptoDB
What's wrong with Poly1305? - Improving Poly1305 through a Systematic Exploration of Design Aspects of Polynomial Hash Functions
| Authors: | Jean Paul Degabriele, Jan Gilcher, Jérôme Govinden, Kenneth G. Paterson |
|---|---|
| Presentation: | Slides |
| Abstract: | One of the most popular symmetric encryption schemes in use on the Internet is ChaCha20-Poly1305. It is the default choice in tools like OpenSSH and WireGuard, and one of only three supported ciphersuites in TLS 1.3. ChaCha20-Poly1305 utilizes a polynomial-based hash function for constructing Message Authentication Codes via the Wegman-Carter MAC construction. This entails evaluating the polynomial hash over the data, and blinding the output with a pseudorandom value obtained by enciphering a nonce with a blockcipher. More specifically, it uses Poly1305, originally designed with specific hardware in mind. Today, nearly 20 years later, we ask the following question: Given today's advancements and applications, would we still converge to this same design? |
| Video: | https://youtu.be/EUkBH_TcxcA |
BibTeX
@misc{rwc-2024-35374,
title={What's wrong with Poly1305? - Improving Poly1305 through a Systematic Exploration of Design Aspects of Polynomial Hash Functions},
note={Video at \url{https://youtu.be/EUkBH_TcxcA}},
howpublished={Talk given at RWC 2024},
author={Jean Paul Degabriele and Jan Gilcher and Jérôme Govinden and Kenneth G. Paterson},
year=2024
}