
On 29/11/14 00:35, Yawning Angel wrote:
> On Fri, 28 Nov 2014 17:57:26 +0000
> Michael Rogers <michael@briarproject.org> wrote:
>> On 28/11/14 15:50, Yawning Angel wrote:
>>> A one-time poly1305 key is calculated for each box, based on 32 bytes of zeroes encrypted with a one-time Salsa20 key/counter derived from the nonce and the box key. You can view the use of Salsa20 there as an arbitrary keyed hash function (in the case of the original paper, AES was used).
>>>
>>> Hope that clarifies things somewhat,
>>
>> Thanks - this is similar to the argument I came up with. I called my argument hand-wavy because it relies on HSalsa20 and Salsa20 being PRFs, and I don't know how big an assumption that is.
>
> For what it's worth "7 Nonce and stream" both support using a counter here as the nonce, and refers to 'The standard ("PRF") security conjecture for Salsa20'. IIRC the security proof for the extended nonce variants also hinges on the underlying algorithms being PRFs as well, so it's something I'm comfortable in assuming.

Awesome, thanks!

Cheers,
Michael
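As an added example (not code from this thread or from NaCl itself), the key derivation Yawning Angel describes above written out with a minimal Salsa20/HSalsa20: HSalsa20 folds the box key and the first 16 nonce bytes into a one-time Salsa20 key, that key plus the last 8 nonce bytes produces keystream block 0, and the first 32 keystream bytes (32 zero bytes "encrypted") become the Poly1305 key for the box. Keys and nonces used in the comments and tests are constructed values.

```python
import struct  # self-contained re-implementation for illustration, not NaCl's code

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _quarterround(s, a, b, c, d):
    s[b] ^= _rotl((s[a] + s[d]) & 0xFFFFFFFF, 7)
    s[c] ^= _rotl((s[b] + s[a]) & 0xFFFFFFFF, 9)
    s[d] ^= _rotl((s[c] + s[b]) & 0xFFFFFFFF, 13)
    s[a] ^= _rotl((s[d] + s[c]) & 0xFFFFFFFF, 18)

_SIGMA = struct.unpack("<4I", b"expand 32-byte k")

def _state(key32, inp16):
    # Salsa20 layout: constants at 0,5,10,15; key at 1-4 and 11-14; 16 input bytes at 6-9
    k, n = struct.unpack("<8I", key32), struct.unpack("<4I", inp16)
    return [_SIGMA[0], k[0], k[1], k[2], k[3], _SIGMA[1], n[0], n[1],
            n[2], n[3], _SIGMA[2], k[4], k[5], k[6], k[7], _SIGMA[3]]

def _double_rounds(s, count=10):
    for _ in range(count):  # 20 rounds: alternating column and row rounds
        for qr in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                   (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _quarterround(s, *qr)

def salsa20_block(key32, nonce8, counter):
    """One 64-byte Salsa20 keystream block for (nonce || little-endian 64-bit counter)."""
    x = _state(key32, nonce8 + struct.pack("<Q", counter))
    s = list(x)
    _double_rounds(s)
    return struct.pack("<16I", *[(s[i] + x[i]) & 0xFFFFFFFF for i in range(16)])

def hsalsa20(key32, nonce16):
    """HSalsa20: 32-byte key and 16 input bytes -> 32-byte subkey (no feed-forward addition)."""
    s = _state(key32, nonce16)
    _double_rounds(s)
    return struct.pack("<8I", *[s[i] for i in (0, 5, 10, 15, 6, 7, 8, 9)])

def secretbox_one_time_keys(key32, nonce24):
    """Per-box Poly1305 key as crypto_secretbox (XSalsa20-Poly1305) derives it."""
    subkey = hsalsa20(key32, nonce24[:16])           # one-time Salsa20 key from box key + nonce[0:16]
    block0 = salsa20_block(subkey, nonce24[16:], 0)  # keystream block for counter 0 under that key
    zeros = bytes(32)                                # "32 bytes of zeroes" from the thread
    poly1305_key = bytes(a ^ b for a, b in zip(zeros, block0[:32]))  # encrypting zeros = raw keystream
    return poly1305_key, block0[32:]  # remaining 32 keystream bytes encrypt the first message bytes
```

Because the Poly1305 key is a function of (key, full 24-byte nonce), two boxes under the same key share a one-time key only if the nonce repeats, which is why the thread's PRF assumption on HSalsa20/Salsa20 is what the argument rests on.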