RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 7905, "ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)", June 2016

Source of RFC: tls (sec)

Errata ID: 5251
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Xavier Bonnetain
Date Reported: 2018-02-01
Held for Document Update by: Paul Wouters
Date Held: 2024-03-18

Section 4. Security says:

   Poly1305 is designed to ensure that forged messages are rejected with
   a probability of 1-(n/2^107), where n is the maximum length of the
   input to Poly1305.  In the case of (D)TLS, this means a maximum
   forgery probability of about 1 in 2^93.

It should say:

   Poly1305 is designed to ensure that forged messages are rejected with
   a probability of 1-(n/2^106), where n is the maximum length of the
   input to Poly1305.  In the case of (D)TLS, this means a maximum
   forgery probability of about 1 in 2^92.

Notes:

The security claimed on poly1305 is slightly beyond what was proven by the designer (see https://cr.yp.to/mac/poly1305-20050329.pdf), and the trivial forgery attempt with a message of length 1 succeeds with probability 2^{-106}.

Paul Wouters(AD): See https://mailarchive.ietf.org/arch/msg/tls/dBMIsLsaA7XevXpd9hzJ6skMqE4/

Report New Errata



Advanced Search