- The tag is, to the best I can tell, a tag. It's not really a signature, it's not a hash, it's pretty close to a MAC. Is tag in this case colloquially synonymous with anything else?
It is not just close to a MAC—it is a MAC. Various synonyms:
- message authentication code / MAC
- MAC tag
- authenticator
- authenticator tag
- authentication tag
- Is it right to say ChaCha20 in AEAD mode? I know GCM has GHASH and GMAC, but I think those are the Galois part. Would it be fair enough to say I'm using ChaCha20 in HMAC mode? What would be the right way to phrase this?
ChaCha/Poly1305, as used in, e.g., is a specific authenticated cipher (or AEAD). So is AES-GCM. You shouldn't worry about the method by which they are constructed—what is important is the security contract of the whole thing. You should generally forget the archaic ‘mode of operation’ way of thinking that requires a user to choose a block cipher and a mode of operation from two different cauldrons of unintelligible acronym soup and then mix them.
If you use ChaCha/Poly1305 with an empty ciphertext, there's no specific name for it, but it would be like AES-GMAC, which is AES-GCM with an empty ciphertext. You could say you are using ChaCha/Poly1305 as a (nonce-based) message authentication code, I guess.
If you're really interested in the acronym soup (which is not useful in isolation outside the cryptography literature):
- GHASH is a universal hash family based on polynomial evaluation in $\operatorname{GF}(2^{128})$. Cheap in hardware, slow and often leaky through side channels in software.
- GCM is a method of constructing a nonce-based authenticated cipher out of a 128-bit block cipher and GHASH.
- GMAC is GCM with an empty ciphertext (but usually nonempty additional data) which serves as a nonce-based message authentication code.
None of these are ever used much if at all outside AES-GCM. And:
- HMAC is a method of constructing a pseudorandom function family out of a fixed hash function like SHA-256. It is not related to GMAC, GCM, GHASH, Poly1305, ChaCha, or AES, except insofar as (a) it can also be used as a message authentication code like AES-GMAC or ChaCha/Poly1305 with empty ciphertext, and (b) it can also be used as a PRF, including as a stream cipher, like ChaCha.
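To make the "AEAD with an empty ciphertext is a nonce-based MAC" point concrete, here is an added example (not code from the answer or from any library) that implements ChaCha20-Poly1305 as described in RFC 8439 and then runs it with an empty plaintext, so the 16-byte tag authenticates only the associated data, the ChaCha/Poly1305 analogue of AES-GMAC. Key and nonce values below are constructed for illustration.

```python
import hmac
import struct

MASK32 = 0xffffffff


def _qr(s, a, b, c, d):
    # ChaCha quarter round on four words of the working state (RFC 8439 §2.1)
    s[a] = (s[a] + s[b]) & MASK32; s[d] ^= s[a]; s[d] = ((s[d] << 16) | (s[d] >> 16)) & MASK32
    s[c] = (s[c] + s[d]) & MASK32; s[b] ^= s[c]; s[b] = ((s[b] << 12) | (s[b] >> 20)) & MASK32
    s[a] = (s[a] + s[b]) & MASK32; s[d] ^= s[a]; s[d] = ((s[d] << 8) | (s[d] >> 24)) & MASK32
    s[c] = (s[c] + s[d]) & MASK32; s[b] ^= s[c]; s[b] = ((s[b] << 7) | (s[b] >> 25)) & MASK32


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    # 64-byte keystream block: constants | key | counter | nonce, 20 rounds (RFC 8439 §2.3)
    st = list(struct.unpack('<16I', b'expand 32-byte k' + key + struct.pack('<I', counter) + nonce))
    w = st[:]
    for _ in range(10):
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack('<16I', *[(x + y) & MASK32 for x, y in zip(w, st)])


def poly1305(key32: bytes, msg: bytes) -> bytes:
    # One-time authenticator: polynomial evaluation mod 2^130-5 with clamped r (RFC 8439 §2.5)
    r = int.from_bytes(key32[:16], 'little') & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s = int.from_bytes(key32[16:], 'little')
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b'\x01', 'little')) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, 'little')


def _pad16(b: bytes) -> bytes:
    return b + bytes(-len(b) % 16)


def chacha20_poly1305_mac(key: bytes, nonce: bytes, aad: bytes) -> bytes:
    """AEAD tag with an EMPTY plaintext: only the associated data is authenticated, so this
    is ChaCha/Poly1305 used as a nonce-based MAC. Poly1305 key = first 32 bytes of block 0."""
    ct = b''                                   # nothing to encrypt, so no keystream block 1 is consumed
    otk = chacha20_block(key, 0, nonce)[:32]   # per-nonce one-time key for Poly1305 (RFC 8439 §2.6)
    mac_data = _pad16(aad) + _pad16(ct) + struct.pack('<QQ', len(aad), len(ct))
    return poly1305(otk, mac_data)


def verify(key: bytes, nonce: bytes, aad: bytes, tag: bytes) -> bool:
    # Constant-time comparison, exactly as an AEAD decrypt would check the tag before returning
    return hmac.compare_digest(chacha20_poly1305_mac(key, nonce, aad), tag)
```

The same key/nonce/AAD always yields the same tag, and any change to the AAD, key or nonce fails `verify`; the nonce must still be unique per tag, exactly as for the full AEAD.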
I find it a little annoying that GMAC has a specifically named mode for what I want to do, but my searching Chacha NMAC came up with obscure dance videos. In code I'll just call it MAC and move along.
Small check on this way of using ChaCha as a nonce-based MAC - obviously nonces are never to be reused - I have done the XOR on plaintext and ciphertext to see the issue... but does the same sudden death / catastrophic failure exist if you reuse a nonce with no encrypted payload?
– mint branch conditioner Nov 22 '19 at 02:02