Re: [Cfrg] ChaCha20 and Poly1305 for IPsec

David McGrew <> Thu, 23 January 2014 15:01 UTC

To: Adam Langley <>

On 01/21/2014 05:08 PM, Adam Langley wrote:
> On Tue, Jan 21, 2014 at 4:53 PM, Yoav Nir <> wrote:
>> Looking into GCM, I see two other things:
>>   1. The lengths there are big-endian ("...a 64-bit string containing the nonnegative integer describing the number of bits in its argument, with the least significant bit on the right.")
>>   2. The lengths there are the number of bits, not bytes.
>> Big-endian always seemed to me to be more "natural" because most binary protocols transmit numbers that way, but I don't think there's any reason to count bits, is there?
> There might be an implementation of GCM that supports bit lengths that
> are not a multiple of 8, but I'm not aware of it.

I'm not aware of it either, if it exists.

With GCM, we took this strategy: make the inputs and outputs octet 
strings, since that is what really matters in the real world, but then 
use the number of bits in the computation of the authentication tag 
rather than the number of bytes, so that it would be possible for 
someone else to define a bit-oriented version of the algorithm if they 
really need to.

> I think little-endian makes more sense in a ChaCha20-Poly1305 AEAD
> because everything else in the AEAD (ChaCha and Poly1305) is handled
> as little-endian.
> (I've also done enough implementations of the arithmetic that I find
> little-endian to be preferable in general, but that might just be
> brain damage.)

For what it is worth, little endian has a legitimate advantage in that 
it enables better pipelining of multiplications. But I think this is a 
six-or-half-dozen issue.


> Cheers
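The two length encodings under discussion, side by side, as an added example that is not part of this message or of any draft it refers to. GCM (NIST SP 800-38D) terminates the GHASH input with 64-bit big-endian counts of bits; ChaCha20-Poly1305 terminates the Poly1305 input with 64-bit little-endian counts of bytes. The ChaCha20-Poly1305 layout used here (pad16 after the AAD and the ciphertext, then the two little-endian byte counts) is the one later standardized in RFC 7539, which is an assumption about the final form rather than the draft being discussed in January 2014. The ChaCha20 and Poly1305 functions are small reference implementations written for this example and checked against the RFC 7539 test vectors; the GHASH side stops at constructing the input octet string, since the point of the thread is the length block, not the field multiplication.

```python
"""Length blocks of GCM and ChaCha20-Poly1305 (added example, not from the thread)."""
import struct


def pad16(data: bytes) -> bytes:
    """Zero-pad to the next multiple of 16 bytes, the block size both MACs consume."""
    return data + b"\x00" * (-len(data) % 16)


def gcm_length_block(aad: bytes, ct: bytes) -> bytes:
    """GCM: [len(A)]64 || [len(C)]64, big-endian, counting *bits* (hence 8 * len)."""
    return struct.pack(">QQ", 8 * len(aad), 8 * len(ct))


def chacha_length_block(aad: bytes, ct: bytes) -> bytes:
    """ChaCha20-Poly1305 (RFC 7539 layout): little-endian 64-bit *byte* counts."""
    return struct.pack("<QQ", len(aad), len(ct))


def ghash_input(aad: bytes, ct: bytes) -> bytes:
    """Octet string GCM feeds to GHASH: A || pad || C || pad || length block."""
    return pad16(aad) + pad16(ct) + gcm_length_block(aad, ct)


def poly1305_input(aad: bytes, ct: bytes) -> bytes:
    """Octet string the AEAD feeds to Poly1305: AAD || pad || C || pad || length block."""
    return pad16(aad) + pad16(ct) + chacha_length_block(aad, ct)


def _rotl32(v: int, n: int) -> int:
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block (RFC 7539 sec. 2.3): 32-byte key, 12-byte nonce.
    Every word of the state is read and written little-endian."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key)) + [counter]
             + list(struct.unpack("<3I", nonce)))
    work = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & 0xFFFFFFFF for w, s in zip(work, state)])


def chacha20_encrypt(key: bytes, counter: int, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def poly1305_mac(msg: bytes, key: bytes) -> bytes:
    """Poly1305 (RFC 7539 sec. 2.5). Blocks are little-endian 16-byte numbers with a
    0x01 byte appended above the data, so the final partial block is length-encoded."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        n = int.from_bytes(block, "little") + (1 << (8 * len(block)))
        acc = ((acc + n) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def chacha20_poly1305_seal(key: bytes, nonce: bytes, aad: bytes, pt: bytes) -> tuple:
    """RFC 7539 AEAD: one-time Poly1305 key from counter 0, ciphertext from counter 1."""
    otk = chacha20_block(key, 0, nonce)[:32]
    ct = chacha20_encrypt(key, 1, nonce, pt)
    return ct, poly1305_mac(poly1305_input(aad, ct), otk)


def selftest() -> bool:
    """Check the pieces against RFC 7539 test vectors (secs. 2.3.2, 2.5.2, 2.8.2)."""
    ok = chacha20_block(bytes(range(32)), 1, bytes.fromhex("000000090000004a00000000"))[:16] \
        == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")
    ok &= poly1305_mac(b"Cryptographic Forum Research Group",
                       bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                                     "0103808afb0db2fd4abff6af4149f51b")) \
        == bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")
    aad = bytes.fromhex("50515253c0c1c2c3c4c5c6c7")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    ct, tag = chacha20_poly1305_seal(bytes(range(0x80, 0xA0)),
                                     bytes.fromhex("070000004041424344454647"), aad, pt)
    ok &= ct[:16] == bytes.fromhex("d31a8d34648e60db7b86afbc53ef7ec2")
    ok &= tag == bytes.fromhex("1ae10b594f09e26a7e902ecbd0600691")
    # The length block for this vector is 12 bytes of AAD and 114 bytes of ciphertext.
    ok &= chacha_length_block(aad, ct) == bytes.fromhex("0c000000000000007200000000000000")
    return ok


if __name__ == "__main__":
    print("self-test", "passed" if selftest() else "FAILED")
```

For the same 12-byte AAD and 114-byte ciphertext, `gcm_length_block` yields the bit counts 96 and 912 as `00..60 00..0390`, while `chacha_length_block` yields the byte counts `0c00..00 7200..00`. The octet-string interface McGrew describes is visible in `gcm_length_block`: an implementation that only ever sees whole bytes just multiplies by 8, and a bit-oriented variant would change only that line and the padding of the final partial byte, not the rest of the construction.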