Why the indirect comparison of MACs in ChaCha20_Poly1305?

Pascal Chambon
Oct 9, 2021, 11:56:02 AM
to PyCryptodome

Hello everyone,

In ChaCha20_Poly1305.py, in the verify method, I was surprised that instead of comparing the 2 MACs (the received one and the real one), the algorithm uses BLAKE2:

secret = get_random_bytes(16)

self._compute_mac()

mac1 = BLAKE2s.new(digest_bits=160, key=secret,
                   data=self._mac_tag)
mac2 = BLAKE2s.new(digest_bits=160, key=secret,
                   data=received_mac_tag)


I guess that this is done in order to avoid timing attacks on this operation, am I right?

thanks
regards,
P. Chambon
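
The comparison the post asks about, as an added example that is not part of the original post and is not PyCryptodome's code: it uses the standard library's `hashlib.blake2s` in place of `Crypto.Hash.BLAKE2s`, and the helper names and the sample tag are constructed for illustration. It measures where an early-exit byte comparison would stop for forged tags with k correct leading bytes, once on the raw tags and once on their keyed digests.

```python
import hashlib
import secrets


def blinded_digests(expected_tag: bytes, received_tag: bytes):
    """Hash both tags with BLAKE2s under one fresh random key."""
    secret = secrets.token_bytes(16)  # new key for every verification
    return tuple(
        hashlib.blake2s(tag, digest_size=20, key=secret).digest()  # 160 bits
        for tag in (expected_tag, received_tag)
    )


def blinded_equal(expected_tag: bytes, received_tag: bytes) -> bool:
    """Compare tags indirectly; an early exit here reveals only digest bytes."""
    d1, d2 = blinded_digests(expected_tag, received_tag)
    return d1 == d2


def first_diff(a: bytes, b: bytes) -> int:
    """Index where an early-exit byte comparison would stop (len(a) if equal)."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), len(a))


def leak_profile(tag: bytes, trials: int = 200):
    """For forgeries with k correct leading bytes, return rows of
    (k, stop index of direct compare, mean stop index of blinded compare)."""
    rows = []
    for k in range(len(tag)):
        # Forgery: first k bytes right, byte k wrong, remaining bytes zero.
        forged = tag[:k] + bytes([tag[k] ^ 0xFF]) + bytes(len(tag) - k - 1)
        direct = first_diff(tag, forged)
        blinded = sum(first_diff(*blinded_digests(tag, forged))
                      for _ in range(trials)) / trials
        rows.append((k, direct, blinded))
    return rows


# Constructed 16-byte value standing in for a Poly1305 tag.
SAMPLE_TAG = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    for k, direct, blinded in leak_profile(SAMPLE_TAG):
        print(f"correct prefix={k:2d}  direct stops at {direct:2d}  "
              f"blinded stops at {blinded:.2f} on average")
```

The direct comparison's stop index equals k, which is the signal a timing attack measures; the blinded comparison's stop index stays near 0 for every k because the digests change with each fresh key.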
