3

LibSodium, (https://github.com/jedisct1/libsodium), has a function crypto_box_detached() which does authenticated encryption using the public key of the recipient and the private key of the sender (using Curve25519). I believe this function is compatible with Daniel J. Berinstein's corresponding function in NaCl (http://nacl.cr.yp.to/), although with a different interface.

  1. If Alice creates a message for Bob using this function and a random nonce, is it possible for Eve to distinguish the ciphertext+MAC from random data?

  2. What about if Eve has the public keys of Alice and Bob, does that make it easier to distinguish it from random data?

  3. If Eve has their public keys, can she in any way deduce that the message came from Alice or that it is destined for Bob?

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
maglar
  • 168
  • 1
  • 5

1 Answers1

5

I'll answer the related questions in order:

  1. No, because a ciphertext (generated from a key stream generated by a stream cipher) should be indistinguishable from random data, and a MAC should be as well.

  2. No, because #1 depends on the secret, and the secret was derived using a Diffie-Hellman key agreement algorithm, using the given curve. To know information about the secret, it is required to obtain one of the private keys.

  3. No, because that follows directly from #1 and #2.

Notes:

  • traffic analysis is not taken into account for this answer as it is outside the scope of the cryptographic properties;
  • the size of the ciphertext (equal to the plaintext size) + MAC size may leak some information to an attacker.

It seems that the detached variant was explicitly defined to separate the tag and the ciphertext, so it seems a bit strange to talk about ciphertext + MAC (only the order of ciphertext and MAC seems different from the non-detached variant of the same method).

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313