Re: [CFRG] Security limits of ChachPoly (was: XChacha20 counter size)
Taylor R Campbell <campbell+cfrg@mumble.net> Sat, 26 December 2020 21:29 UTC
Return-Path: <campbell@mumble.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61DF23A0FF2 for <cfrg@ietfa.amsl.com>; Sat, 26 Dec 2020 13:29:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EpfUr8z8197b for <cfrg@ietfa.amsl.com>; Sat, 26 Dec 2020 13:29:55 -0800 (PST)
Received: from jupiter.mumble.net (jupiter.mumble.net [74.50.56.165]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D392C3A0FF0 for <cfrg@irtf.org>; Sat, 26 Dec 2020 13:29:55 -0800 (PST)
Received: by jupiter.mumble.net (Postfix, from userid 1014) id 1A188604FE; Sat, 26 Dec 2020 21:29:53 +0000 (UTC)
From: Taylor R Campbell <campbell+cfrg@mumble.net>
To: Loup Vaillant-David <loup@loup-vaillant.fr>
CC: cfrg@irtf.org
In-reply-to: <a110fef12a184b1d28598a0e52a641fdf84cf9a8.camel@loup-vaillant.fr>
Date: Sat, 26 Dec 2020 21:29:41 +0000
Sender: Taylor R Campbell <campbell@mumble.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <20201226212953.1A188604FE@jupiter.mumble.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/D21uRHcrZbE4WcSAjkkXxAAi7yI>
Subject: Re: [CFRG] Security limits of ChachPoly (was: XChacha20 counter size)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Dec 2020 21:29:57 -0000
> Date: Sat, 26 Dec 2020 20:59:21 +0100 > From: Loup Vaillant-David <loup@loup-vaillant.fr> > > I did some digging, and in the case of Poly1305 as used in RFC 8439, > the number of messages is irrelevant. Only their maximum length > matters. Security does *not* drop as you send more messages. You can > send as many messages as you want. The probability of each forgery attempt's success _independently_ is bounded by 8*floor(L/16)/2^106, where L is the maximum message length. If the adversary makes q forgery attempts, then the probability of succeeding at _any_ forgery is bounded by q*8*floor(L/16)/2^106. Note that both the number of forgery attempts _and_ the maximum message length figure into this bound. References: https://cr.yp.to/highspeed/naclcrypto-20090310.pdf#page=30 https://eprint.iacr.org/2014/613.pdf#page=4 > I speculate (but don't know) that it might be because unlike GCM, the > secret multiplier is not reused across messages. (AES GCM could have > done the same, but it would have meant computing 2 additional blocks > per message instead of just one.) ChaCha/Poly1305 and AES-GCM are no different in this respect: for fixed number of messages and total bytes encrypted, the forgery probability is proportional to q/L for both of them, with a different constant factor arising from differences in Poly1305 and GHASH. Using a message sequence number as the nonce so you can quickly reject outdated message numbers mitigates the issue for ChaCha/Poly1305, for the reason you describe. But that's not as relevant for XChaCha, which is meant for applications where you may not have a reliable message sequence number. They also do scale differently in the number messages and total bytes: AES-GCM is quadratic where ChaCha/Poly1305 is linear, because AES-GCM is held back by AES as a PRP. I attempted to sketch the qualitative differences in this table in the Daence paper: https://eprint.iacr.org/2020/067.pdf#page=5 source code: https://github.com/riastradh/daence/blob/master/adv.py (Daence guarantees the adversary's advantage is below 1/2^32 per key as long as you process at most 2^52 messages of at most 2^38 bytes under each key, even if you manage to attain _both_ limits at the same time for a single key. I chose this so the usage limits wouldn't have to be explained by a complicated series of tables and prose like AES-GCM-SIV's <https://tools.ietf.org/html/rfc8452#page-12>.) > In my opinion, the fact that short messages are better does not > justify breaking all security for long messages. I'd sooner specify > that applications "MUST" crash if the input message is bigger than > some threshold. No objection to making the XChaCha draft clearer about what the hard limit is. I am a big fan of clearly articulated usage limits.
- [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Taylor R Campbell
- Re: [CFRG] XChacha20 counter size Filippo Valsorda
- Re: [CFRG] XChacha20 counter size Scott Arciszewski
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- [CFRG] Security limits of ChachPoly (was: XChacha… Loup Vaillant-David
- Re: [CFRG] Security limits of ChachPoly (was: XCh… Taylor R Campbell
- Re: [CFRG] Security limits of ChachPoly (was: XCh… Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size D. J. Bernstein