RFC Errata Report » RFC Editor
RFC Errata
Found 1 record.
Status: Held for Document Update (1)
RFC 7905, "ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)", June 2016
Source of RFC: tls (sec)
Errata ID: 5251
Status: Held for Document Update
Type: Technical
Publication Format(s): TEXT
Reported By: Xavier Bonnetain
Date Reported: 2018-02-01
Held for Document Update by: Paul Wouters
Date Held: 2024-03-18
Section 4. Security says:
Poly1305 is designed to ensure that forged messages are rejected with a probability of 1-(n/2^107), where n is the maximum length of the input to Poly1305. In the case of (D)TLS, this means a maximum forgery probability of about 1 in 2^93.
It should say:
Poly1305 is designed to ensure that forged messages are rejected with a probability of 1-(n/2^106), where n is the maximum length of the input to Poly1305. In the case of (D)TLS, this means a maximum forgery probability of about 1 in 2^92.
Notes:
The security claimed for Poly1305 is slightly beyond what was proven by the designer (see https://cr.yp.to/mac/poly1305-20050329.pdf), and the trivial forgery attempt with a message of length 1 succeeds with probability 2^{-106}.
Paul Wouters (AD): See https://mailarchive.ietf.org/arch/msg/tls/dBMIsLsaA7XevXpd9hzJ6skMqE4/