Re: The Poly1305-AES message-authentication code

From: David Wagner (
Date: 11/06/04

Date: Sat, 6 Nov 2004 22:11:46 +0000 (UTC)

D. J. Bernstein wrote:
>You are assigning blame incorrectly. I could start a similar paragraph
>with ``If you use the Diffie-Hellman shared secret on occasion to create
>one of your session keys.''

Ok, I'll accept that criticism. But fortunately, we are not forced
to use Diffie-Hellman key exchange with a static shared secret. There
are other protocols that don't have this problem. As I mentioned in my
previous post, I prefer protocols with forward secrecy, and forward
secrecy fixes this problem.

Yes, there will usually still be a long-lived private key to protect.
But one key is potentially easier to protect than multiple keys.
(For instance, I may be able to store my private key on cryptographic
hardware, something that I probably can't do with a MAC key.)

And if I use a key-exchange protocol with forward secrecy, compromise
of my private key won't necessarily compromise past and future sessions.
(It won't compromise past sessions, if the other party's private key
remains secure. It won't compromise future sessions, if I'm able to
change my private key after the compromise of my old private key.)

>If you have a leak, eliminate the leak.

This is good advice, but I don't have full confidence in my abilities
to eliminate all leaks. Therefore, I'd rather build a system with
belt-and-suspenders security. I'll eliminate all the leaks I know about
and am able to eliminate, and I'll also strive to design the cryptosystem
to minimize the harmful effects of unintended leakage of crypto keys.
That's my preferred design philosophy, anyway. Perhaps it is overkill;
I don't know.
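To make the forward-secrecy point above concrete, here is an added simulation (not part of Wagner's post) contrasting the two designs under discussion: session keys derived from one static Diffie-Hellman secret versus a fresh ephemeral exchange per session. It assumes a constructed toy DH group and omits the signature the long-term key would place on the ephemeral values, since that signature contributes nothing to the session key.

```python
import hashlib
import secrets

# Constructed toy DH group for illustration only (not a secure parameter set).
P = (1 << 127) - 1   # the Mersenne prime 2^127 - 1
G = 3

def kdf(*parts: int) -> bytes:
    """Toy KDF: hash the integer inputs into a 32-byte session key."""
    h = hashlib.sha256()
    for x in parts:
        h.update(x.to_bytes(16, "big"))
    return h.digest()

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

# Design 1: one static DH shared secret g^(ab) feeds every session key.
def static_session(alice_priv, bob_pub, nonce):
    return kdf(pow(bob_pub, alice_priv, P), nonce)

def static_attack(leaked_priv, peer_pub, recorded_nonces):
    # Everything except the private key was on the wire, so whoever later
    # obtains that key just replays the derivation for each recorded session.
    return [kdf(pow(peer_pub, leaked_priv, P), n) for n in recorded_nonces]

# Design 2: fresh ephemeral DH per session. The long-term key would only sign
# ga and gb (signing omitted here); it never enters the key derivation.
def ephemeral_session():
    a, ga = keypair()
    b, gb = keypair()
    key = kdf(pow(gb, a, P))      # g^(ab) with ephemeral a, b
    return key, (ga, gb)          # a and b are erased; only ga, gb were sent

def ephemeral_attack(leaked_priv, transcripts):
    # Plugging the leaked long-term key into the same derivation is the only
    # replay available; it never matches because a and b were fresh.
    return [kdf(pow(gb, leaked_priv, P)) for _ga, gb in transcripts]

def simulate(n_sessions=3):
    """Return (sessions recovered under design 1, under design 2) after
    Alice's long-term private key leaks and all traffic was recorded."""
    alice_priv, _ = keypair()
    _, bob_pub = keypair()
    nonces = [secrets.randbelow(1 << 64) for _ in range(n_sessions)]
    static_keys = [static_session(alice_priv, bob_pub, n) for n in nonces]
    sessions = [ephemeral_session() for _ in range(n_sessions)]
    eph_keys = [k for k, _ in sessions]
    transcripts = [t for _, t in sessions]
    got_static = sum(k in static_keys for k in static_attack(alice_priv, bob_pub, nonces))
    got_eph = sum(k in eph_keys for k in ephemeral_attack(alice_priv, transcripts))
    return got_static, got_eph
```

Running `simulate(4)` returns `(4, 0)`: every past session under the static design is recovered, none under the ephemeral one, which is exactly the property the post relies on when it says the other party's key staying secure protects past sessions.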
