#StackBounty: #stream-cipher #authenticated-encryption #chacha #salsa20 #poly1305 Append data to authenticated ciphertext encrypted usi…

Bounty: 50

Say we have XSalsa20 authenticated using Poly1305. If $X$ is the ciphertext, $N$ is the nonce value, and $H$ is the authentication tag such that the final ciphertext is $N \,\|\, X \,\|\, H$, then given the key $K$, is it possible to extend $X$ with more data, without decrypting it, updating $N$ and $H$ as needed? (I'm not sure if $N$ would need to be changed.)

Salsa20 is a stream cipher, so it produces a cryptographically secure pseudorandom (CSPR) key-stream $S$, and then the ciphertext becomes $X = S \oplus P$, where $P$ is the plaintext. So I intuitively feel as though this should be a lot easier to do than with a block cipher. Perhaps by generating the same key-stream up until the size of the ciphertext and encrypting the new data with the part of the key-stream past that point. If the authentication tag is generated from the ciphertext then decryption wouldn't be necessary for that either. Also the nonce would not really be reused in a scheme like this as far as I can see.

How well would this translate to other stream ciphers like XChaCha20-Poly1305?
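The append step sketched in the question, as an added example that is not part of the original post. It uses a textbook pure-Python XSalsa20 and Poly1305 written here for illustration (a vetted library belongs in real code) and assumes the NaCl secretbox layout: keystream bytes 0..31 are the Poly1305 one-time key, the plaintext is XORed with the keystream from byte 32 onward, and the tag covers only the ciphertext. The $N \| X \| H$ ordering follows the question; the key, nonce and record contents are constructed sample values.

```python
"""Appending to an XSalsa20-Poly1305 (NaCl secretbox-style) ciphertext without
decrypting it.  Added example, not code from the original post.  The XSalsa20
and Poly1305 below are textbook pure-Python implementations for illustration."""
import hmac
import os

MASK32 = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
P1305 = (1 << 130) - 5


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter(x, a, b, c, d):
    x[b] ^= _rotl((x[a] + x[d]) & MASK32, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK32, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK32, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK32, 18)


def _salsa20_rounds(x):
    for _ in range(10):  # 10 double rounds (column + row) = Salsa20/20
        for q in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                  (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _quarter(x, *q)


def _state(key, inp16):
    k = [int.from_bytes(key[i:i + 4], "little") for i in range(0, 32, 4)]
    n = [int.from_bytes(inp16[i:i + 4], "little") for i in range(0, 16, 4)]
    return [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1], n[2], n[3],
            SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]


def salsa20_block(key, nonce8, counter):
    """One 64-byte keystream block for (key, 8-byte nonce, 64-bit block counter)."""
    s = _state(key, nonce8 + counter.to_bytes(8, "little"))
    x = list(s)
    _salsa20_rounds(x)
    return b"".join(((x[i] + s[i]) & MASK32).to_bytes(4, "little") for i in range(16))


def hsalsa20(key, nonce16):
    """HSalsa20: derive the XSalsa20 subkey from the key and the first 16 nonce bytes."""
    x = _state(key, nonce16)
    _salsa20_rounds(x)
    return b"".join(x[i].to_bytes(4, "little") for i in (0, 5, 10, 15, 6, 7, 8, 9))


def xsalsa20_keystream(key, nonce24, start, length):
    """Keystream bytes [start, start+length).  Seeking to any offset via the block
    counter is what lets us encrypt appended data without regenerating the prefix."""
    subkey = hsalsa20(key, nonce24[:16])
    out = b"".join(salsa20_block(subkey, nonce24[16:], ctr)
                   for ctr in range(start // 64, (start + length + 63) // 64))
    return out[start % 64:start % 64 + length]


def poly1305(otk, msg):
    """Poly1305 tag of msg under the 32-byte one-time key otk = r || s."""
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):  # each chunk gets the 0x01 pad byte appended
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def secretbox(key, nonce, pt):
    """N || X || H as in the question.  Keystream bytes 0..31 form the Poly1305
    one-time key; the plaintext is XORed with the keystream from byte 32 on."""
    otk = xsalsa20_keystream(key, nonce, 0, 32)
    x = _xor(pt, xsalsa20_keystream(key, nonce, 32, len(pt)))
    return nonce + x + poly1305(otk, x)


def secretbox_open(key, box):
    nonce, x, tag = box[:24], box[24:-16], box[-16:]
    otk = xsalsa20_keystream(key, nonce, 0, 32)
    if not hmac.compare_digest(poly1305(otk, x), tag):
        raise ValueError("authentication failed")
    return _xor(x, xsalsa20_keystream(key, nonce, 32, len(x)))


def secretbox_append(key, box, extra):
    """Extend X with `extra` using only the key: same nonce, keystream continued
    from byte 32 + len(X), tag recomputed over the new X.  X is never decrypted."""
    nonce, x = box[:24], box[24:-16]
    x2 = x + _xor(extra, xsalsa20_keystream(key, nonce, 32 + len(x), len(extra)))
    otk = xsalsa20_keystream(key, nonce, 0, 32)
    return nonce + x2 + poly1305(otk, x2)


if __name__ == "__main__":
    key, nonce = os.urandom(32), os.urandom(24)  # constructed sample key/nonce
    box = secretbox(key, nonce, b"first record;")
    box2 = secretbox_append(key, box, b" second record, appended without decrypting")
    print(secretbox_open(key, box2))
    # The extended box is byte-identical to encrypting the whole plaintext at once.
    assert box2 == secretbox(key, nonce, b"first record; second record, appended without decrypting")
```

The nonce stays the same: the appended bytes use keystream positions that no earlier ciphertext ever used, so no keystream byte is reused. The tag cannot be extended from $H$ alone, but with the key it is simply recomputed over the longer $X$. Two caveats a practitioner should keep in mind: the old, shorter box still verifies under the same key and nonce, so appending does not revoke it and anyone holding the old version can present it as current; and for the IETF XChaCha20-Poly1305 AEAD the seek-and-continue step is identical (HChaCha20 subkey, ChaCha20 block counter), but the tag input also includes the padded AAD and the lengths, so it too has to be recomputed from scratch rather than patched.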



#StackBounty: #stream-cipher Mixing Cipher Lower Bounds

Bounty: 100

Let Z be a cipher system consisting of three m-sequence linear feedback shift registers (LFSRs) of length 128 bits each, which are assumed to be not cryptographically secure, and the registers are seeded with IID variables. Let's identify the registers as S for the select register, C for the ciphertext register, and D for the decoy register. The enciphering system works as follows:

The output bits of S control the select line of a two-input multiplexer, with one input being the XOR of the message bits with register C (call these the ciphertext bits, as is the usual custom) and the other input being the bits of D, the decoy register. It is assumed that the message bits are held in a buffer until they are selected for output, but register C is continually clocked even if it is not selected, so C is constantly losing information; likewise with register D. So the output of the multiplexer is a pseudorandom mixture of ciphertext bits with decoy bits. In order for the adversary to recover the message he/she must first separate the ciphertext bits from the decoy bits. Of course this is not a very efficient way to encrypt information, because adding decoy bits to the ciphertext bits effectively doubles your information traffic, but let's say we don't care about efficiency. How could an adversary separate the ciphertext bits from the decoy bits in polynomial time? Neither bitstream gives any information about the other, and nothing about the select bits S.
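A simulation of the construction described above, as an added example that is not the asker's code. It scales the registers down to 16 bits using the primitive polynomial $x^{16} + x^{14} + x^{13} + x^{11} + 1$ (the post gives no taps for its 128-bit registers, so these are an assumption), and assumes select bit 1 emits a ciphertext bit and 0 emits a decoy bit, since the post does not fix the mux polarity. The seeds and message are constructed sample values.

```python
"""Simulation of the S/C/D mixing cipher from the question.  Added example, not
the asker's code.  Assumptions: 16-bit registers with the primitive polynomial
x^16 + x^14 + x^13 + x^11 + 1 (the post does not give taps for its 128-bit
registers), and select bit 1 = ciphertext bit, 0 = decoy bit."""
import secrets


class LFSR:
    """Fibonacci LFSR over GF(2).  `taps` are the exponents of the feedback
    polynomial; a non-zero seed with a primitive polynomial gives an m-sequence."""

    def __init__(self, seed, n=16, taps=(16, 14, 13, 11)):
        if not 0 < seed < (1 << n):
            raise ValueError("seed must be a non-zero n-bit value")
        self.n, self.state = n, seed
        self.mask = sum(1 << (n - t) for t in taps)  # exponent t lives at bit n-t

    def step(self):
        out = self.state & 1                              # bit shifted out this clock
        fb = bin(self.state & self.mask).count("1") & 1   # XOR of the tapped bits
        self.state = (self.state >> 1) | (fb << (self.n - 1))
        return out


def period(seed, n=16):
    """Clocks until the state first returns to `seed` (2^n - 1 for an m-sequence)."""
    r = LFSR(seed, n)
    for i in range(1, 1 << n):
        r.step()
        if r.state == seed:
            return i
    return None


def to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(8)]


def from_bits(bits):
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))


def encrypt(msg_bits, seeds):
    """Mux output stream.  S, C and D are all clocked on every tick; a message
    bit leaves the buffer only on ticks where S selects the ciphertext input."""
    s_reg, c_reg, d_reg = (LFSR(x) for x in seeds)
    out, i = [], 0
    while i < len(msg_bits):
        s, c, d = s_reg.step(), c_reg.step(), d_reg.step()
        if s:
            out.append(msg_bits[i] ^ c)   # ciphertext bit; C's output is consumed
            i += 1
        else:
            out.append(d)                 # decoy bit; C's output for this tick is lost
    return out


def decrypt(out_bits, seeds):
    """The legitimate receiver runs the same three registers in lockstep and
    keeps only the positions where S selected the ciphertext input."""
    s_reg, c_reg, d_reg = (LFSR(x) for x in seeds)
    msg = []
    for b in out_bits:
        s, c, _ = s_reg.step(), c_reg.step(), d_reg.step()
        if s:
            msg.append(b ^ c)
    return msg


if __name__ == "__main__":
    seeds = tuple(secrets.randbelow((1 << 16) - 1) + 1 for _ in range(3))  # IID non-zero seeds
    msg = b"attack at dawn"
    stream = encrypt(to_bits(msg), seeds)
    print(len(stream), "output bits carry", 8 * len(msg), "message bits")
    assert from_bits(decrypt(stream, seeds)) == msg
```

The receiver needs the seed of S as much as that of C: without S it cannot even tell which output positions carry message bits, which is the separation problem the question poses. Note also that the output length is data-dependent (about twice the message length for a balanced S), so the stream itself leaks roughly how many message bits it carries.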

