Re: [Cfrg] I-D Action: draft-irtf-cfrg-chacha20-poly1305-06.txt

Yoav Nir <ynir.ietf@gmail.com> Wed, 14 January 2015 16:06 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7439A1A1ABF for <cfrg@ietfa.amsl.com>; Wed, 14 Jan 2015 08:06:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B-LZQhLB9r-M for <cfrg@ietfa.amsl.com>; Wed, 14 Jan 2015 08:06:35 -0800 (PST)
Received: from mail-we0-x235.google.com (mail-we0-x235.google.com [IPv6:2a00:1450:400c:c03::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7CEE1A8AAA for <cfrg@irtf.org>; Wed, 14 Jan 2015 08:06:34 -0800 (PST)
Received: by mail-we0-f181.google.com with SMTP id q58so9649987wes.12 for <cfrg@irtf.org>; Wed, 14 Jan 2015 08:06:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=LTEMg9KvMdcVO4Q1Axp79G1BsvW/8w6v7pLJr6baBtM=; b=xf+a1O876Fq68fM8yQlwGrDz7v4LGLmuj7KHxI3baxqa2kTmYHzyi4xWwdUeHJkxho Gl21afZA0I3BKwbgwfbv9LPJYDHTXEBvbtTTt6vZivbgEvX1crsvCmGGIj8gLOlvwSjk COHPr3pzWSB1waYmf2xJpaOnzxFYOfdCxDSP9W4u+wuSKvJbPLGZFGmphCFPg/MBtMlf os6TfPmo7tjmpzPu1poA4brbC5mXuADPlLt2H871zxXn8FJjagxfG2+DRR5VGYCbNpgj +0WUMsWc/12qu2v8jfgZZUq/84DmnCwr8BWXJvI3eKokNEgL5XSlzqdyb+j6DRAXH1TX JAjA==
MIME-Version: 1.0
X-Received: by 10.180.105.68 with SMTP id gk4mr9891379wib.30.1421251593251; Wed, 14 Jan 2015 08:06:33 -0800 (PST)
Received: by 10.194.32.195 with HTTP; Wed, 14 Jan 2015 08:06:33 -0800 (PST)
In-Reply-To: <7FB23519-5635-46AA-AFB7-C4D8A4210AF1@gmail.com>
References: <20150114143413.12276.29693.idtracker@ietfa.amsl.com> <0ED4D299-2CCC-4427-A52C-2F7BDD4634EE@akr.io> <7FB23519-5635-46AA-AFB7-C4D8A4210AF1@gmail.com>
Date: Wed, 14 Jan 2015 18:06:33 +0200
Message-ID: <CAGvU-a7x6SaeCiqX5DtKeDhLTTmc8fF9j56V+5J6UOVYEE5LZg@mail.gmail.com>
From: Yoav Nir <ynir.ietf@gmail.com>
To: Alyssa Rowan <akr@akr.io>
Content-Type: multipart/alternative; boundary=f46d04426a605a33d0050c9eec8b
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/4tGOtZBuM_jG2lsEd64x9a5oGLo>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-chacha20-poly1305-06.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jan 2015 16:06:39 -0000

OK. Submitted

On Wed, Jan 14, 2015 at 5:09 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:

> Does it matter?
>
> memcmp works word-by-word, so on a 32-bit system the attacker would need
> to send 4 * 2^32 / 2 copies of a message with different tags to guess the
> correct tag without valid traffic invalidating the AAD. And that assumes
> that memcmp on 16 bytes can even be measured when it stops prematurely.
>
> OK, I’ll add a line to the security considerations.
>
> Yoav
>
>
> > On Jan 14, 2015, at 4:50 PM, Alyssa Rowan <akr@akr.io> wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > On 14 January 2015 14:34:13 GMT+00:00, internet-drafts@ietf.org wrote:
> >
> >>       Title           : ChaCha20 and Poly1305 for IETF protocols
> >>       Authors         : Yoav Nir
> >>                         Adam Langley
> >>      Filename        : draft-irtf-cfrg-chacha20-poly1305-06.txt
> >>      Pages           : 43
> >>      Date            : 2015-01-14
> >
> > Quick nit:
> >
> >> The calculated tag is bitwise compared to the received tag.
> >
> > ..."in constant time", perhaps we should add there, in case someone gets
> some bright ideas with plain vanilla memcmp() from that paragraph?
> >
> > Just a thought.
> >
> > - --
> > /akr
> > -----BEGIN PGP SIGNATURE-----
> > Version: APG v1.1.1
> >
> > iQI3BAEBCgAhBQJUtoI9GhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE
> > jtkWi2t61tkP/0quTyB88CG1IF5l5xDDDTuzKqIIGn9rMgX4glRCj2x38q4cDfUY
> > 1mB7nPjd+c4zFZj2XqeT3ZBVeLmkOAua8MnJhVlfHvmHnyaYWOf5iYBAk1mEXcV5
> > fMN1dnJdqs3mLFgqSq8SaEHcF6r5GgS6z/gb0Cvu4+iO6JkM1BPabDtBQtu7Zh64
> > bzlqpMqOqpLkflpBkjBiLNR6jU4WXSmvLYiPqhCL8qdwaioFMV0s3PYRq+9AMbvI
> > /yIhGLGnbH7nYMvE4lu5kIVb6XN4+/wDZ3+3MiwyKzfWhVoBK3v0bOGMSUjoDVNt
> > zuP/BLcU5tvJvKPZl2Ok0XDh5+ZUMZNTNzi1tHfRjnItjtPkRoB6QVyE23if8aBe
> > +59JRUSAnIs4/jdnvig85BLhnnXQ9A8ac/SShfEoVNCfPhxGp5espwS+5Nbsv8VV
> > VCa8CP2zw1mPc3qphoEb8y+loCgq3wAVAZAnBpWs8nIzzPKYr/4DKArQT6BTUqhQ
> > fqx5Rc99HgXB7GMA9HULrAoaDkB9AttCZkbS16FDJ9kbeacHLINfMnJY2vhzS1CM
> > 1T3UJ3bdahnIpH5mAvB2fG7wtK2CISJ7qIMATgsgQFvl4dr+8JRrpecma+PvV/ms
> > yclTFAbnV9Pjk7IALd7aLHjtxW7wxSNVYlx5/fmY9zWFc1HiuIorJS7e
> > =h6PU
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > http://www.irtf.org/mailman/listinfo/cfrg
>
>