Find a way to do 2PC of Poly1305 outside of garbled circuits.

[themighty1]

A Chacha20 circuit has ~2x less AND gates per byte of output compared to the AES128 circuit. So, it is desirable to prefer a Chacha20 ciphersuite if the webserver supports it.

However, there is still the unsolved problem: doing the MAC function Poly1305 is expensive inside GC. Similar problem with GHASH was solved in TLSNotary by doing GHASH outside of GC using only OT.

Research needs to be done to see what 2PC techniques can be applied to Poly1305.

[sinui0]

A Chacha20 circuit has ~2x less AND gates per byte of output compared to the AES128 circuit

How did you determine this? Is there a ChaCha20 circuit somewhere I can play with?

[themighty1]

I looked at https://en.wikipedia.org/wiki/Salsa20 pseudocode and saw that it performs: 10 loops * 8 quarterrounds * 4 additions of 32 bit values + 16 extra additions. I know that 32-bit adder requires 31AND gates, thus 10 * 8 * 4 * 31 + (16 * 31)= 10416 AND gates for a 64-byte Chacha20' output -> 162 AND gates per byte of output.

Whereas AES (without key schedule) (https://github.com/n-for-1-auth/circuits/tree/main/aes) requires 5120AND gates for 16 bytes of output -> 320 AND gates per byte of output.

[themighty1]

No, last time I searched, I didnt see any Bristol Format chacha/salsa circuits.

[themighty1]

Poly1305 works the same way as GHASH - it multiplies powers of the MAC key with the ciphertext block. We just need to adapt out GHASH 2PC to work with the Poly1305 field.

[sinui0]

Closing, this research question has been solved. We will be able to implement this MAC algo using the same approach as we use for GHASH: A2M + M2A conversions using OT