
Is the use of Poly1305 limited to stream ciphers? (Note: I'm not talking about Poly1305-AES.) Can it be used with block ciphers running in CTR mode? If so, what other considerations/limitations are there? I like the simplicity of using a single key for encryption/authentication, but authenticated modes like GCM are limited to block ciphers.

hunter

1 Answer


Q2: No, Poly1305 is not limited to stream ciphers. Yes, Poly1305 can be used with block ciphers running in CTR mode, if you use it appropriately.

I don't know whether the NaCl use is secure (whether NaCl uses it appropriately); I haven't tried to analyze NaCl. Given that NaCl was built by reputable cryptographers, I would be inclined to guess that it's probably fine. I realize this doesn't answer your full question.

Alternatively, if you were asking because you were thinking of designing your own scheme that makes use of Poly1305, my reaction is: if you're designing it, you should just use some reputable authenticated encryption scheme. From an engineering perspective, that's probably the best solution: it minimizes the chances you foul things up somehow. If you try to use Poly1305 in some custom way you design, the risk of introducing security problems is higher.

D.W.
  • @DW - I have no intention of designing my own scheme, but for lack of ample information/advice regarding Poly1305, I'll follow your advice and go with something more reputable (such as encrypt-then-HMAC) when GCM mode is not an option. I've been running some tests and it turns out that calculating a SHA256 HMAC is much faster than Poly1305 anyway, so there seems little reason to take the risk of using it. – hunter Jun 13 '13 at 19:14
  • @hunter - SHA256-HMAC being faster than Poly1305 sounds like a broken implementation of Poly1305. Even in the Java performance ghetto, you can get Poly1305 down to 7 cycles per byte, while SHA256-HMAC is in the 30-50 cycles per byte range. In my experience, Poly1305 is faster than all other MACs (including Skein, SipHash etc.). – archie Oct 14 '13 at 06:59
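The answer says Poly1305 works with a block cipher in CTR mode "if you use it appropriately" but does not spell out what appropriate means. The following is an added example, not code from the question, the answer or NaCl, showing the standard way to do it: the same pattern RFC 7539 uses for ChaCha20-Poly1305, with AES-CTR substituted for ChaCha20. The Poly1305 key is never reused; it is derived per message from the first two keystream blocks (counters 0 and 1), the data keystream starts at counter 2, and the tag is computed encrypt-then-MAC over the AAD and the ciphertext with their lengths appended. Assumptions: a 12-byte nonce plus a 32-bit big-endian block counter, AES taken from the `cryptography` package when it is installed, and otherwise a clearly labelled stand-in PRF (truncated HMAC-SHA256) so the example runs offline; CTR mode only needs a PRF, so the composition is identical either way. The Poly1305 core is pure Python and matches the RFC 7539 section 2.5.2 test vector.

```python
"""AES-CTR + Poly1305 composed like RFC 7539 ChaCha20-Poly1305.
Added example: not NaCl's code and not from the original thread."""
import hashlib
import hmac
import struct

P = (1 << 130) - 5                                  # Poly1305 prime
CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF           # clears the bits RFC 7539 requires


def poly1305_tag(key: bytes, msg: bytes) -> bytes:
    """Pure-Python Poly1305 (RFC 7539 sec. 2.5). key = r || s, 32 bytes.
    The key MUST be one-time: reusing it under two messages lets an
    attacker recover r and forge tags."""
    assert len(key) == 32
    r = int.from_bytes(key[:16], "little") & CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # each (possibly short) block gets a 0x01 byte appended before being
        # read as a little-endian integer, then acc = (acc + n) * r mod P
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % P
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


try:  # assumption: AES-ECB as the block primitive when 'cryptography' exists
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _block(key: bytes, block_in: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block_in) + enc.finalize()
except ImportError:  # stand-in PRF so the example still runs offline
    def _block(key: bytes, block_in: bytes) -> bytes:
        return hmac.new(key, block_in, hashlib.sha256).digest()[:16]


def _keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """CTR keystream block i = E_k(nonce || counter). Counter layout is an assumption."""
    return _block(key, nonce + struct.pack(">I", counter))


def _ctr_xor(key: bytes, nonce: bytes, data: bytes, start: int) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 16):
        ks = _keystream_block(key, nonce, start + i // 16)
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], ks))
    return bytes(out)


def _pad16(b: bytes) -> bytes:
    return b"\x00" * (-len(b) % 16)


def _mac_input(aad: bytes, ct: bytes) -> bytes:
    # RFC 7539 sec. 2.8 layout: AAD | pad | CT | pad | len(AAD) | len(CT) (64-bit LE)
    return aad + _pad16(aad) + ct + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct))


def _one_time_key(key: bytes, nonce: bytes) -> bytes:
    # Keystream blocks 0 and 1 become the 32-byte Poly1305 key (r || s);
    # they are never used to encrypt data, which starts at counter 2.
    return _keystream_block(key, nonce, 0) + _keystream_block(key, nonce, 1)


def seal(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. A (key, nonce) pair MUST NOT be reused: a repeat
    leaks keystream XORs and the one-time MAC key, enabling forgeries."""
    assert len(key) in (16, 24, 32) and len(nonce) == 12
    ct = _ctr_xor(key, nonce, plaintext, start=2)
    return ct + poly1305_tag(_one_time_key(key, nonce), _mac_input(aad, ct))


def open_(key: bytes, nonce: bytes, aad: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time BEFORE decrypting; raise on mismatch."""
    if len(sealed) < 16:
        raise ValueError("authentication failed")
    ct, tag = sealed[:-16], sealed[-16:]
    expected = poly1305_tag(_one_time_key(key, nonce), _mac_input(aad, ct))
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _ctr_xor(key, nonce, ct, start=2)


if __name__ == "__main__":
    k, n = bytes(range(32)), bytes(12)  # constructed demo key and nonce
    boxed = seal(k, n, b"header", b"attack at dawn")
    print(open_(k, n, b"header", boxed))
```

The two properties the answer's "appropriately" hides are visible here: the Poly1305 key is one-time because it is a function of the nonce, so nonce uniqueness is the whole security argument, and verification happens over the ciphertext with a constant-time compare before any plaintext is produced.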