De:"Adam Langley" <agl@google.com>= ;=C0:"RFC Errata System" <rfc-editor@rfc-editor.org>

<= b>Cc: "Wan-Teh Chang" <wtc@google.com>, "Nikos Mavrogiannopoulos"= <nmav@redhat.com>, "Joachim Str=F6mbergson" <joachim@secworks.se&= gt;, "Simon Josefsson" <simon@josefsson.org>, "Kathleen Moriarty" <= ;Kathleen.Moriarty.ietf@gmail.com>, "Eric Rescorla" <ekr@rtfm.com>= , "Joseph Salowey" <joe@salowey.net>, sean+ietf@sn3rd.com, "xavier bo= nnetain" <xavier.bonnetain@inria.fr>, tls@ietf.orgEnvoy=E9: Mardi 13 F=E9vrier 2018 00:30:11Objet:Re: [Technical Errata R= eported] RFC7905 (5251)On Thu, Feb 1, 2018 at 5:59 AM, RFC E= rrata System <rfc-editor@rfc-editor.org> wrote:

<= blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l= eft:1px solid rgb(204,204,204);padding-left:1ex">Original Text

-------------

Poly1305 is designed to ensure that forged messages are reject= ed with

a probability of 1-(n/2^107), where n is the maximum length of= the

input to Poly1305. In the case of (D)TLS, this means a m= aximum

forgery probability of about 1 in 2^93.

Corrected Text

--------------

Poly1305 is designed to ensure that forged messages are reject= ed with

a probability of 1-(n/2^106), where n is the maximum length of= the

input to Poly1305. In the case of (D)TLS, this means a m= aximum

forgery probability of about 1 in 2^92.

If we are in the situation C =3D 0, D =3D 1 and L=3D=
2^{14} for (D)TLS, the forgery probability may indeed not be affected (and =
may even be smaller). However, the explanation "Poly1305 is designed to ens=
ure that forged messages are rejected with a probability of 1-(n/2^107), wh=
ere n is the maximum length of the input to Poly1305." is presenting Poly13=
05 as slightly stronger than it really is (and there is an attack with succ=
ess probability 2^{-106} with C=3D1, D=3D1, L=3D1, as the hashing key r has=
106 effective bits).

Regards,

Xavier