Re: The Poly1305-AES message-authentication code

From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 11/06/04


Date: Sat, 6 Nov 2004 22:11:46 +0000 (UTC)

D. J. Bernstein wrote:
>You are assigning blame incorrectly. I could start a similar paragraph
>with ``If you use the Diffie-Hellman shared secret on occasion to create
>one of your session keys.''

Ok, I'll accept that criticism. But fortunately, we are not forced
to use Diffie-Hellman key exchange with a static shared secret. There
are other protocols that don't have this problem. As I mentioned in my
previous post, I prefer protocols with forward secrecy, and forward
secrecy fixes this problem.

Yes, there will usually still be a long-lived private key to protect.
But one key is potentially easier to protect than multiple keys.
(For instance, I may be able to store my private key on cryptographic
hardware, something that I probably can't do with a MAC key.)

And if I use a key-exchange protocol with forward secrecy, compromise
of my private key won't necessarily compromise past and future sessions.
(It won't compromise past sessions, if the other party's private key
remains secure. It won't compromise future sessions, if I'm able to
change my private key after the compromise of my old private key.)

>If you have a leak, eliminate the leak.

This is good advice, but I don't have full confidence in my abilities
to eliminate all leaks. Therefore, I'd rather build a system with
belt-and-suspenders security. I'll eliminate all the leaks I know about
and am able to eliminate, and I'll also strive to design the cryptosystem
to minimize the harmful effects of unintended leakage of crypto keys.
That's my preferred design philosophy, anyway. Perhaps it is overkill;
I don't know.
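
Added example, not part of the original post: a toy comparison of the two designs discussed above, static Diffie-Hellman versus a per-session ephemeral exchange, counting how many recorded sessions a later leak of one long-term private key exposes. The group parameters, the function names, and the omission of the signature step that would authenticate the ephemeral values are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumption): illustration only, not a vetted DH group.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def kdf(shared, nonce):
    # Session key = SHA-256(shared secret || public per-session nonce).
    return hashlib.sha256(shared.to_bytes(32, "big") + nonce).digest()

def static_session(a_priv, b_pub):
    """Static DH: every session key derives from the same g^(ab)."""
    nonce = secrets.token_bytes(16)
    key = kdf(pow(b_pub, a_priv, P), nonce)
    return {"nonce": nonce, "publics": []}, key   # (eavesdropper's record, key)

def ephemeral_session():
    """Ephemeral DH: fresh exponents per session, discarded on return.
    In a real protocol the long-term keys would only sign gx and gy."""
    x, gx = keypair()
    y, gy = keypair()
    nonce = secrets.token_bytes(16)
    key = kdf(pow(gy, x, P), nonce)
    return {"nonce": nonce, "publics": [gx, gy]}, key

def attacker_recovers(transcript, key, leaked_priv, peer_longterm_pub):
    """Later compromise: combine the leaked long-term private key with
    every public value the eavesdropper recorded for this session."""
    candidates = [peer_longterm_pub, *transcript["publics"]]
    return any(kdf(pow(pub, leaked_priv, P), transcript["nonce"]) == key
               for pub in candidates)

def demo(sessions=3):
    a_priv, _a_pub = keypair()      # long-term key that later leaks
    _b_priv, b_pub = keypair()      # peer's long-term key stays secret
    static = [static_session(a_priv, b_pub) for _ in range(sessions)]
    ephemeral = [ephemeral_session() for _ in range(sessions)]
    static_broken = sum(attacker_recovers(t, k, a_priv, b_pub) for t, k in static)
    ephemeral_broken = sum(attacker_recovers(t, k, a_priv, b_pub) for t, k in ephemeral)
    return static_broken, ephemeral_broken

if __name__ == "__main__":
    print(demo())   # (recorded static sessions exposed, ephemeral sessions exposed)
```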