Re: [Cfrg] questions on performance and side channel resistance for ChaCha20 and Poly1305 for IPsec and TLS

Robert Ransom <rransom.8774@gmail.com> Thu, 23 January 2014 18:27 UTC

In-Reply-To: <52E12D1F.80701@cisco.com>
Date: Thu, 23 Jan 2014 10:26:54 -0800
Message-ID: <CABqy+sqbOBcezgBiKE7ZyWjVVPf84XyU=ktk0DtKq=EHkqjN0w@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: David McGrew <mcgrew@cisco.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] questions on performance and side channel resistance for ChaCha20 and Poly1305 for IPsec and TLS

On 1/23/14, David McGrew <mcgrew@cisco.com> wrote:

> Another goal for this ciphersuite is to avoid side channel attacks,
> though it is not directly mentioned in the draft. The design
> rationale for Salsa describes how timing channels are avoided by not
> using multiplication in that function. However, Poly1305 uses *lots*
> of multiplication operations, by a fixed constant. Unless I am missing
> something, this is an inconsistency with the motivation for the
> ciphersuite. In any case, if Poly1305 requires implementation
> techniques to avoid side channels, they should be documented in the
> draft that specifies that function.

Dr. Bernstein's original implementation of Poly1305 used the IA-32
floating-point unit to avoid timing leaks on the processors available
in 2005.  My understanding is that essentially all modern processors
have constant-time integer multipliers, so special implementation
techniques are no longer required.


Robert Ransom
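As an added illustration (not part of the thread and not code from either poster), here is a reference Poly1305 in Python with the per-block multiplication by the clamped key half r marked, since that is the "multiplication by a fixed constant" the discussion is about; a branch-free implementation of it is leak-free only if the processor's integer multiplier is constant-time, which is Ransom's point. Python's big integers are not constant-time, so this shows the algebraic structure rather than a hardened implementation; the test vector is the one later published in RFC 7539 section 2.5.2.

```python
import hmac

P = (1 << 130) - 5  # the Poly1305 prime 2^130 - 5

# RFC 7539 section 2.5.2 test vector (key = r || s, 32 bytes)
KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"   # r half, clamped below
    "0103808afb0db2fd4abff6af4149f51b")  # s half, added at the end
MSG = b"Cryptographic Forum Research Group"
TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


def clamp(r: int) -> int:
    # Clear the 22 bits of r that Poly1305 requires to be zero; this keeps
    # the partial products small enough for limb-based implementations.
    return r & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def poly1305_mac(msg: bytes, key: bytes) -> bytes:
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes")
    r = clamp(int.from_bytes(key[:16], "little"))  # fixed per key
    s = int.from_bytes(key[16:], "little")         # one-time pad half
    h = 0
    for i in range(0, len(msg), 16):
        # Each (possibly short) block becomes a little-endian integer with
        # a 0x01 byte appended, so blocks of different lengths stay distinct.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        # The data-dependent operation: one multiplication of the
        # accumulator by r per block, reduced mod 2^130 - 5. Its timing is
        # the only thing a branch-free implementation has to worry about.
        h = ((h + n) * r) % P
    return ((h + s) % (1 << 128)).to_bytes(16, "little")


def poly1305_verify(msg: bytes, key: bytes, tag: bytes) -> bool:
    # The comparison must not leak either; hmac.compare_digest is constant-time.
    return hmac.compare_digest(poly1305_mac(msg, key), tag)
```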