Re: [Cfrg] RGLC on draft-irtf-cfrg-chacha20-poly1305-01.txt

James Cloos <cloos@jhcloos.com> Tue, 07 October 2014 14:23 UTC

Return-Path: <cloos@jhcloos.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F17E51ACDB6 for <cfrg@ietfa.amsl.com>; Tue, 7 Oct 2014 07:23:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.487
X-Spam-Level:
X-Spam-Status: No, score=-2.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VOroKYuphNrM for <cfrg@ietfa.amsl.com>; Tue, 7 Oct 2014 07:23:41 -0700 (PDT)
Received: from ore.jhcloos.com (ore.jhcloos.com [IPv6:2604:2880::b24d:a297]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 483B11ACDB1 for <cfrg@irtf.org>; Tue, 7 Oct 2014 07:23:41 -0700 (PDT)
Received: by ore.jhcloos.com (Postfix, from userid 10) id AFA131E273; Tue, 7 Oct 2014 14:23:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=ore14; t=1412691820; bh=vD98s6bU1pV8GD7EOIGppDGU1bpqMc74YHXzYoW5kJE=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=dN+yPhSc0S1Ktlr6pEJpNiwo8swpON0IKB5WL9kT+wbFJGNx6gWOSAnWTZJvrq+Z4 OS2v+7L1aRL6awU1WTseBGNE/S+fXcm9lJ8TiMpJYz76vI/KlUF4JBFYGryWApO4iD kjhHSiYGpVRb4zODBSxsZ8b/3xvG9RrN7mtMvNfI=
Received: by carbon.jhcloos.org (Postfix, from userid 500) id D79C960024; Tue, 7 Oct 2014 14:22:23 +0000 (UTC)
From: James Cloos <cloos@jhcloos.com>
To: Manuel =?iso-8859-1?Q?P=E9gouri=E9-Gonnard?= <mpg@elzevir.fr>
In-Reply-To: <5433F28C.9060501@elzevir.fr> ("Manuel =?iso-8859-1?Q?P=E9gou?= =?iso-8859-1?Q?ri=E9-Gonnard=22's?= message of "Tue, 07 Oct 2014 16:02:52 +0200")
References: <542D48CD.9060404@isode.com> <m3k34clwkt.fsf@carbon.jhcloos.org> <CAJU7za+itdW8Orc5PiFvBq3k2fziewu=QpZL7aag69fZn5L_Xg@mail.gmail.com> <m37g0ckodk.fsf@carbon.jhcloos.org> <5433F28C.9060501@elzevir.fr>
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4.50 (gnu/linux)
Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC
Copyright: Copyright 2014 James Cloos
OpenPGP: 0x997A9F17ED7DAEA6; url=https://jhcloos.com/public_key/0x997A9F17ED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Tue, 07 Oct 2014 10:22:23 -0400
Message-ID: <m31tqkkli8.fsf@carbon.jhcloos.org>
Lines: 35
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Hashcash: 1:28:141007:mpg@elzevir.fr::Sy//49ul4jAFTntK:00NwW3P
X-Hashcash: 1:28:141007:n.mavrogiannopoulos@gmail.com::OMKud7hUxmVGOq0e:00000000000000000000000000000000dWmB
X-Hashcash: 1:28:141007:"cfrg\@irtf.org"::ZAPqV8jiSTgEip3H:0vxwd
X-Hashcash: 1:28:141007:cfrg@irtf.org::YCtAGzwTkR3yimq5:0000nwnh
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/82bpv_FNdHgA3J2GSxS3jDXTgVc
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-chacha20-poly1305-01.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Oct 2014 14:23:43 -0000

>>>>> "MP" == Manuel Pégourié-Gonnard <mpg@elzevir.fr> writes:

MP> ... if each block is treated separately, then why do you need a
MP> counter larger than 32 bits?

The counter increments for each 256bit block.

I'd expect two block sizes; the 256-bit chacha block and some arbitrary,
potentially larger poly1305 block, perhaps covering somewhere between 4
and 256 chacha blocks.

Each 256bit block gets its own counter value.

Each poly1305 block is vulnerable to loss due to corruption.  Although
even then it can be analyzed to attempt to recover as many bits as
possible --- since it is not on-the-fly, time is available to let people
make judgement calls.

Which reminds me of something I forgot to mention in this thread.

I'd also prefer to see three RFCs.  One covering chacha itself
(including each of two, three or five quad-rounds[sic]), one for
poly1305 (including with chacha and aes (it's original spec)),
and the combination, referecing the first two.

Chacha on its own has value, too.

Dan's paper on aes/poly1305 makes it look like a better choice than gcm,
at least.  Maybe also better than ccm, et alia.

And then the third can be specific to on-the-fly.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6