[Cfrg] Task for the CFRG

"Igoe, Kevin M." <kmigoe@nsa.gov> Thu, 08 August 2013 19:45 UTC

The TLS WG has asked the CFRG for their opinion for a stream cipher, eSTREAM-SALSA20,
and two MAC algorithms, UMAC and POLY1305, that have been suggested for use in TLS
(draft-josefsson-salsa20-tls-02).  This was presented to the TLS WG at IETF-87; slides can
be found at http://www.ietf.org/proceedings/87/slides/slides-87-tls-2.pdf.
The SALSA family works on blocks of 512 bits, and forms a key stream in 512-bit blocks by
applying a fixed map V^{512}->V^{512} to an input consisting of the key (either 16 octets or
32 octets), an 8-octet block counter, an 8-octet IV, and 16 constant octets.

SALSA20 was one of the five finalists for a software stream cipher in the eSTREAM
contest run by ECRYPTII (see http://www.ecrypt.eu.org/stream/).

UMAC has been around since 1999 and is described in RFC 4418.

POLY1305 first showed up as POLY1305-AES, but all it needs from AES is a 16 byte block
of output. Adapting this to SALSA is straightforward.  The 1305 in the name reflects the
fact that it uses arithmetic modulo 2^{130} - 5.  See http://cr.yp.to/mac/poly1305-20050329.pdf
for a description of poly1305-AES.

Off the top of my head, the only objection I can see is that SALSA may be difficult to
implement efficiently in hardware.  Hardware TLS acceleration can be useful at heavily
utilized servers.

The most current attempt to attack SALSA that I could find is a 2012 paper on the IACR
e-print server.

Kevin M. Igoe   | "We can't solve problems by using the same kind
kmigoe@nsa.gov  | of thinking we used when we created them."
                |              - Albert Einstein -
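As an added example, not part of Kevin's message or of any draft it cites: a minimal Poly1305 in Python showing the arithmetic modulo 2^{130} - 5 and the role of the 16-byte block s that POLY1305-AES takes from AES (a SALSA variant would take it from the key stream instead). The key and message are the test vector later published in RFC 7539; the verify helper uses a constant-time comparison so a forged tag is not rejected early.

```python
import hmac

# Poly1305 prime: 2^130 - 5, the "1305" in the name.
P = (1 << 130) - 5

def clamp(r: int) -> int:
    # Clear the bits the spec requires (top 4 bits of bytes 3,7,11,15,
    # bottom 2 bits of bytes 4,8,12) so limb arithmetic cannot overflow.
    return r & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF

def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """key = r (16 bytes) || s (16 bytes).

    r is the polynomial evaluation point; s is the one-time pad block
    that POLY1305-AES obtains as a 16-byte AES output (or, with SALSA,
    from the key stream). The key must never be reused for two messages.
    """
    if len(key) != 32:
        raise ValueError("Poly1305 needs a 32-byte one-time key")
    r = clamp(int.from_bytes(key[:16], "little"))
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # Each block is a little-endian integer with a 0x01 byte appended,
        # i.e. 2^(8*len(block)) is added; this also encodes the block length.
        n = int.from_bytes(block, "little") + (1 << (8 * len(block)))
        acc = ((acc + n) * r) % P
    # Reduce to 128 bits and mask with s.
    tag = (acc + s) % (1 << 128)
    return tag.to_bytes(16, "little")

def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Constant-time compare: a byte-by-byte early exit would leak how many
    # leading tag bytes a forgery got right.
    return hmac.compare_digest(poly1305_mac(key, msg), tag)

# Constructed inputs: the RFC 7539 Poly1305 test vector.
TEST_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"  # r, before clamping
    "0103808afb0db2fd4abff6af4149f51b"  # s, the 16-byte cipher block
)
TEST_MSG = b"Cryptographic Forum Research Group"

if __name__ == "__main__":
    print(poly1305_mac(TEST_KEY, TEST_MSG).hex())
```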