Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-poly1305-01.txt

"Igoe, Kevin M." <kmigoe@nsa.gov> Fri, 28 February 2014 14:26 UTC

From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: 'Stefan Bühler' <source@stbuehler.de>, Yoav Nir <ynir@checkpoint.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-poly1305-01.txt
Thread-Index: AQHPHs1AWv814//7zEWJHH3DY96uQ5rLAswA///YpQA=
Date: Fri, 28 Feb 2014 14:26:07 +0000
Message-ID: <3C4AAD4B5304AB44A6BA85173B4675CABA9DC49B@MSMR-GH1-UEA03.corp.nsa.gov>
References: <16BFC02D-480F-472E-B781-56D1A8EF0EE5@checkpoint.com> <20140228121448.1c123bab@chromobil.localdomain>
In-Reply-To: <20140228121448.1c123bab@chromobil.localdomain>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/5Yq19IcojE1byJ9KFuuWNyJO-GE

Stefan:

  Will you be at Monday's meeting in London?  We could discuss this in
more depth after Yoav's presentation.

> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Stefan Bühler
> Sent: Friday, February 28, 2014 6:15 AM
> To: Yoav Nir; cfrg@irtf.org
> Subject: Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-poly1305-01.txt
> 
> Hi,
> 
> I propose using "HChaCha20" (analog to HSalsa20) to compress larger
> nonces:
> * supports nonce lengths of 8 and 24 bytes, and everything between by
>   prefixing with zeros.
>   (I can't claim to have understood the paper on XSalsa20/HSalsa20
>   completely, so I'm not sure whether more than one HSalsa20 step would
>   still be covered by the proof; but I guess it should work.
>   This means one could support almost any nonce length >= 8 bytes)
> * uses the original ChaCha20 algorithm (some implementations might not
>   allow changing the length of nonce/counter; these implementations
>   are still compatible with a nonce length of 8 bytes)
> * compatible with draft-agl-tls-chacha20poly1305-04 (using nonce length
>   of 8 bytes, plain ChaCha20)
> 
> Define P: extract 256-bit from 512-bit
> P(z0, z1, z2, z3) := (z0, z3)  # z_i are 128-bit
> 
> Define HChaCha20: takes 256-bit key, 128-bit nonce
> HChaCha20_k(n) := P(doublerounds^10(x))
>     where
>     x := (salsaconst, k, n)
> 
> Define Q: calculates HChaCha from 64-bit nonce and 512-bit ChaCha
> Q(n, x) := P(x) - (salsaconst, n)  # subtraction on 32-bit words
> 
> HChaCha20_k(n) = Q(n, ChaCha20_k(n))
> (Q is used in the proof: it is a public computation (salsaconst and
> nonce are public) of HChaCha20_k(n) from ChaCha_k(n), and maps uniform
> random strings to uniform random strings)
> 
> Define XChaCha20: takes 256-bit key, 192-bit nonce and a little-endian
> 64-bit counter
> XChaCha20_k(n, i) = ChaCha20_k1(n2, i)
>     where
>     (n1, n2) := n # n1 is 128-bit, n2 64-bit
>     k1 := HChaCha20_k(n1)
> 
> The proof for XSalsa20/HSalsa20 should work for XChaCha20/HChaCha20 too
> afaics. (http://cr.yp.to/snuffle/xsalsa-20110204.pdf
> on http://cr.yp.to/snuffle.html)
> 
> Now depending on the length of the nonce either use ChaCha20 (8 byte
> nonce) or XChaCha20 (24 byte nonce).
> 
> I suggest the zero padding should be prefixed to the nonce, so the last
> 8 bytes of the AEAD nonce are always the 8 bytes used in the ChaCha20
> stream. If only those are changed (typical nonce increment) the
> key/nonce compression "k1" can be cached.
> 
> Padding nonces should be safe: if the input nonces were unique, the
> padded nonces are unique too. As nonces are often counters anyway, they
> already are almost 0 - adding more zeros shouldn't hurt.
> 
> regards,
> Stefan
> 
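The HChaCha20/XChaCha20 construction and the Q identity from the quoted proposal, worked through as an added example (this is not code from the post, from draft-nir-cfrg-chacha20-poly1305 or from draft-agl-tls-chacha20poly1305). It assumes the "original" ChaCha20 state layout (four constant words, eight key words, then a 128-bit counter||nonce block in words 12..15); the function names and the nonce-padding helper are mine.

```python
import struct

SIGMA = b"expand 32-byte k"  # the "salsaconst" of the quoted post
MASK = 0xffffffff

def _rotl(v, c): return ((v << c) & MASK) | (v >> (32 - c))

def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def doublerounds10(x):  # doublerounds^10: column + diagonal rounds, no final addition
    s = list(x)
    for _ in range(10):
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)):
            _quarter(s, *q)
        for q in ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter(s, *q)
    return s

def state(key, n16):  # x := (salsaconst, k, n); n16 = 128-bit counter||nonce, words 12..15
    return list(struct.unpack("<16I", SIGMA + key + n16))

def chacha20_block(key, n16):  # original ChaCha20 block: rounds plus feed-forward add
    x = state(key, n16)
    return [(z + w) & MASK for z, w in zip(doublerounds10(x), x)]

def P(z):  # P(z0, z1, z2, z3) := (z0, z3): words 0..3 and 12..15 of the 512-bit state
    return z[0:4] + z[12:16]

def hchacha20(key, n16):  # HChaCha20_k(n) := P(doublerounds^10(x))
    return P(doublerounds10(state(key, n16)))

def Q(n16, z):  # Q(n, x) := P(x) - (salsaconst, n), word-wise mod 2^32, public values only
    public = struct.unpack("<8I", SIGMA + n16)
    return [(w - p) & MASK for w, p in zip(P(z), public)]

def xchacha20_subkey(key, nonce24):  # (n1, n2) := n; k1 := HChaCha20_k(n1); stream = ChaCha20_k1(n2, i)
    n1, n2 = nonce24[:16], nonce24[16:]
    return struct.pack("<8I", *hchacha20(key, n1)), n2

def aead_key_nonce(key, nonce):
    """Nonce rule of the post: 8 bytes -> plain ChaCha20 with k; 9..24 bytes -> zero-prefix
    to 24 and use XChaCha20, so the last 8 bytes always feed the stream and k1 is cacheable."""
    if not 8 <= len(nonce) <= 24:
        raise ValueError("nonce length must be 8..24 bytes")
    if len(nonce) == 8:
        return key, nonce
    return xchacha20_subkey(key, nonce.rjust(24, b"\0"))
```

The block function is checked against the RFC 7539 block test vector (key 00..1f, counter 1, nonce 000000090000004a00000000), and the identity HChaCha20_k(n) = Q(n, ChaCha20_k(n)) is verified directly.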