RFC Errata
RFC 7905, "ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)", June 2016
Source of RFC: tls (sec)
Errata ID: 5251
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Xavier Bonnetain
Date Reported: 2018-02-01
Held for Document Update by: Paul Wouters
Date Held: 2024-03-18
Section 4. Security says:
Poly1305 is designed to ensure that forged messages are rejected with a probability of 1-(n/2^107), where n is the maximum length of the input to Poly1305. In the case of (D)TLS, this means a maximum forgery probability of about 1 in 2^93.
It should say:
Poly1305 is designed to ensure that forged messages are rejected with a probability of 1-(n/2^106), where n is the maximum length of the input to Poly1305. In the case of (D)TLS, this means a maximum forgery probability of about 1 in 2^92.
Notes:
The security claimed on poly1305 is slightly beyond what was proven by the designer (see https://cr.yp.to/mac/poly1305-20050329.pdf), and the trivial forgery attempt with a message of length 1 succeeds with probability 2^{-106}.
Paul Wouters(AD): See https://mailarchive.ietf.org/arch/msg/tls/dBMIsLsaA7XevXpd9hzJ6skMqE4/