Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha20-poly1305-00.txt
Robert Ransom <rransom.8774@gmail.com> Tue, 28 January 2014 00:21 UTC
Return-Path: <rransom.8774@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 988421A029C for <cfrg@ietfa.amsl.com>; Mon, 27 Jan 2014 16:21:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NaMsZq2z_C4N for <cfrg@ietfa.amsl.com>; Mon, 27 Jan 2014 16:21:54 -0800 (PST)
Received: from mail-qc0-x236.google.com (mail-qc0-x236.google.com [IPv6:2607:f8b0:400d:c01::236]) by ietfa.amsl.com (Postfix) with ESMTP id E8D4F1A02B7 for <cfrg@irtf.org>; Mon, 27 Jan 2014 16:21:53 -0800 (PST)
Received: by mail-qc0-f182.google.com with SMTP id c9so9244618qcz.13 for <cfrg@irtf.org>; Mon, 27 Jan 2014 16:21:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=46EcV4xF9V9wbR5qqKJF47bkHavhuXPbjlDSL84uj2o=; b=a9rSGH1X+fO34siDGiIa2w95rN4UUD6V7Wqw6gmPHxJJATO58Aqm5AYStakPyfirbH dgi9VXwujSaZtobD4hNW2zbPT9lM9jx9Wq+F2Y86oKVef6kfPDUzTwQqZdFO9qHZ3UP1 g5mPNvTnpFGHCxEV9UG7yDKoZfxhHG/udr15Kr4PPsQMd7GqmJijLdxmuc0fTXBZfos0 PGr+mlbnKQW3C44znqQKg6AoEBMdgyWw1jaFxYTP+1FXpua4IbhfCuOy5G7Jfq/kOIcK ifu7fcxUgWkAYlfLUxvYh1JGW21VnC1XiTzgbskzAYAIDBULfw8t7eEkrltv0fE6SVZa MDxw==
MIME-Version: 1.0
X-Received: by 10.229.139.199 with SMTP id f7mr13979378qcu.2.1390868511457; Mon, 27 Jan 2014 16:21:51 -0800 (PST)
Received: by 10.140.86.42 with HTTP; Mon, 27 Jan 2014 16:21:51 -0800 (PST)
In-Reply-To: <2DD6FE86-A5C6-4144-8778-2DFFCA8AD5F8@checkpoint.com>
References: <20140127114546.8921.73181.idtracker@ietfa.amsl.com> <2DD6FE86-A5C6-4144-8778-2DFFCA8AD5F8@checkpoint.com>
Date: Mon, 27 Jan 2014 16:21:51 -0800
Message-ID: <CABqy+spVbfA2aGKaEftKrokbdXPZjQB9RDjT2b371H_bPB+NWQ@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Yoav Nir <ynir@checkpoint.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha20-poly1305-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2014 00:21:55 -0000
On 1/27/14, Yoav Nir <ynir@checkpoint.com> wrote: > Hi > > I've submitted the below draft about ChaCha20 and Poly1305. This document > aims to describe the algorithms (and AGL's AEAD based on them) in such a way > that an implementer will be able to write code that implements these > functions with only this document as a reference. The intention is for this > document to serve as a reference for future documents entitled "ChaCha20, > Poly1305 and their use in XXX". I personally intend to use it for an IPsec > document. > > This version -00 is quite drafty, and I'm not sure of my calculations, > especially in Poly1305 (I used "bc" for all of them). So this document needs > review. IMO it could also make a good undergraduate project that will also > help to verify the examples and test vectors interspersed throughout. More > test vectors is another thing this document needs. > > This document > > * does not introduce any new crypto - it's all from DJB and AGL. > * does not provide security proofs - there's plenty of that in academic > papers, although I would be happy to link to those as informative > references. > * does not have any timing data or performance numbers. Those are very > platform-dependent, so I don't know if they're appropriate. If they are, > I'll be happy to include them. > > There are a few open issues I'd like to address: > > 1. When converting a 256-bit buffer into a pair of numbers, k & r, Adam's > draft takes "r" from the first 128 bits, and "k" from the following bits. > DJB's sample code seems to go the other way. I went with Adam's way. You're confusing Poly1305 with Poly1305-AES. Poly1305 uses a key of the form (r, s) to authenticate one message; Poly1305-AES uses a key of the form (k, r), takes a unique nonce n for each message, and derives s = E_k(n). Dr. Bernstein's standalone Poly1305 implementations do use the first half of the key bitstring as r and the second half as s. > 2. In cases where buffers are converted to integers or vice versa, we > used little-endian order. This is different from the way it's done in (for > example) GCM and in many protocols. It's true that some parts of the > ChaCha20 algorithm itself are explicitly little-endian Every multi-byte value in ChaCha and Poly1305 is little-endian. > 3. The lengths encoded in the AEAD construction are in bytes, whereas in > GCM they are in bits. That's a good thing. It rules out bugs like <http://cr.yp.to/talks/2009.02.28-3/slides.pdf>. Section 3 (‘Implementation Advice’) states that the GMP-based Poly1305 implementation given as an alternate form of the specification in the Poly1305-AES paper runs in constant time. As far as I can tell, it does not. There is a constant-time ‘ref’ implementation in NaCl, and I have portable 32-bit and 64-bit integer-multiplication implementations as well. Section 4 (‘Security Considerations’) discusses the risk that the Poly1305 key derived from a ChaCha (key, nonce) pair will collide. This is not a risk at all. Poly1305 keys are supposed to be chosen uniformly at random, and most of the effort of proving Poly1305-AES secure was in bounding the security loss caused by the fact that AES could not produce the same value of s for two different nonces. Robert Ransom
- [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha20-p… Yoav Nir
- Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha… Ilari Liusvaara
- Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha… Robert Ransom
- Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha… Yoav Nir
- Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha… Yoav Nir
- Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha… Robert Ransom
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Yoav Nir
- [Cfrg] I-D Action: draft-nir-cfrg-chacha20-poly13… Yoav Nir
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Stefan Bühler
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Igoe, Kevin M.
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Stefan Bühler
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Ted Krovetz
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Yoav Nir
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Ted Krovetz
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Mike Hamburg
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Alyssa Rowan