
Version 1.20.0

@paragonie-security paragonie-security released this 30 Apr 01:02
v1.20.0

What's Changed

  • #157 - Update Wycheproof tests, fix Poly1305 implementation in response to Wycheproof failure

Full Changelog: v1.19.0...v1.20.0

Poly1305 bug?

If you had a specific bit pattern in your Poly1305 key and ciphertext, you would generate an invalid authentication tag. This was caught by the ChaCha20-Poly1305 tests included in Project Wycheproof.

We don't believe this is a security issue because:

  1. Letting attackers control the key going into Poly1305 would defeat the security of this algorithm.
  2. Years of integration and compatibility testing with ext/sodium never encountered the conditions necessary to trigger the bug. (Specifically, a ciphertext of all bits set was one of the conditions necessary to trigger it.)
  3. The impact of triggering the bug is an incorrect authentication tag.

Additionally, if you had fast multiplication turned on, you would not have triggered the bug at all.

This slows down our Poly1305 implementation slightly.
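As an added illustration (not sodium_compat's code) of the kind of check that surfaced this bug: a big-integer Poly1305 reference per RFC 8439, plus a small Wycheproof-style differential harness that feeds edge-case bit patterns (all-zero and all-ones keys, all-ones messages at block boundaries) to a candidate implementation and lists where it disagrees with the reference. The `poly1305_unclamped` candidate is a hypothetical broken stand-in used only to show the harness reporting mismatches; it is not the sodium_compat defect.

```python
# Added example, not part of sodium_compat. Reference Poly1305 (RFC 8439) on
# Python big ints, and a differential harness over constructed edge-case inputs.
from typing import Callable, List, Tuple

P1305 = (1 << 130) - 5
CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def _poly1305(key: bytes, msg: bytes, clamp: bool) -> bytes:
    """One-time Poly1305 tag; `clamp=False` is a deliberately wrong variant."""
    assert len(key) == 32, "Poly1305 one-time key is r (16 bytes) || s (16 bytes)"
    r = int.from_bytes(key[:16], "little")
    if clamp:
        r &= CLAMP  # RFC 8439 clamps r before any multiplication
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each block (possibly partial) gets a trailing 0x01 byte before decoding.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % P1305
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def poly1305_reference(key: bytes, msg: bytes) -> bytes:
    return _poly1305(key, msg, clamp=True)


def poly1305_unclamped(key: bytes, msg: bytes) -> bytes:
    """Hypothetical broken candidate: forgets to clamp r."""
    return _poly1305(key, msg, clamp=False)


Mac = Callable[[bytes, bytes], bytes]


def edge_cases() -> List[Tuple[bytes, bytes]]:
    """Constructed inputs: extreme keys and all-ones 'ciphertexts' around block edges."""
    keys = [bytes(32), b"\xff" * 32, bytes(range(32))]
    msgs = [b"", b"\xff" * 15, b"\xff" * 16, b"\xff" * 17, b"\xff" * 64, bytes(33)]
    return [(k, m) for k in keys for m in msgs]


def differential_check(candidate: Mac) -> List[Tuple[bytes, bytes]]:
    """Return the (key, message) pairs on which `candidate` disagrees with the reference."""
    return [(k, m) for k, m in edge_cases() if candidate(k, m) != poly1305_reference(k, m)]


def rfc8439_vector_ok() -> bool:
    """Sanity check of the reference against the RFC 8439 section 2.5.2 test vector."""
    key = bytes.fromhex("85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b")
    tag = poly1305_reference(key, b"Cryptographic Forum Research Group")
    return tag.hex() == "a8061dc1305136c6c22b8baf0c0127a9"
```

Pointing `differential_check` at a limb-based implementation (the kind sodium_compat uses) is how an input such as an all-ones ciphertext shows up as a tag mismatch rather than going unnoticed.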