[Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha20-poly1305-00.txt

Yoav Nir <ynir@checkpoint.com> Mon, 27 January 2014 22:15 UTC



I've submitted the below draft about ChaCha20 and Poly1305. This document aims to describe the algorithms (and AGL's AEAD based on them) in such a way that an implementer will be able to write code that implements these functions with only this document as a reference. The intention is for this document to serve as a reference for future documents entitled "ChaCha20, Poly1305 and their use in XXX". I personally intend to use it for an IPsec document.

This version -00 is quite drafty, and I'm not sure of my calculations, especially in Poly1305 (I used "bc" for all of them). So this document needs review. IMO it could also make a good undergraduate project that will also help to verify the examples and test vectors interspersed throughout. More test vectors is another thing this document needs.

This document

  *   does not introduce any new crypto - it's all from DJB and AGL.
  *   does not provide security proofs - there's plenty of that in academic papers, although I would be happy to link to those as informative references.
  *   does not have any timing data or performance numbers. Those are very platform-dependent, so I don't know if they're appropriate. If they are, I'll be happy to include them.

There are a few open issues I'd like to address:

  1.  When converting a 256-bit buffer into a pair of numbers, k & r, Adam's draft takes "r" from the first 128 bits, and "k" from the following bits. DJB's sample code seems to go the other way. I went with Adam's way.
  2.  In cases where buffers are converted to integers or vice versa, we used little-endian order. This is different from the way it's done in (for example) GCM and in many protocols. It's true that some parts of the ChaCha20 algorithm itself are explicitly little-endian.
  3.  The lengths encoded in the AEAD construction are in bytes, whereas in GCM they are in bits.



Begin forwarded message:

From: <internet-drafts@ietf.org>
Subject: I-D Action: draft-nir-cfrg-chacha20-poly1305-00.txt
Date: January 27, 2014 1:45:46 PM GMT+02:00
To: <i-d-announce@ietf.org>
Reply-To: <internet-drafts@ietf.org>

A New Internet-Draft is available from the on-line Internet-Drafts directories.

        Title           : ChaCha20 and Poly1305 for IETF protocols
        Author          : Yoav Nir
        Filename        : draft-nir-cfrg-chacha20-poly1305-00.txt
        Pages           : 20
        Date            : 2014-01-27

  This document defines the ChaCha20 stream cipher, as well as the use
  of the Poly1305 authenticator, both as stand-alone algorithms, and as
  a "combined mode", or Authenticated Encryption with Additional Data
  (AEAD) algorithm.

  This document does not introduce any new crypto, but is meant to
  serve as a stable reference and an implementation guide.

The IETF datatracker status page for this draft is:

There's also a htmlized version available at:

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:

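The open issues above, worked through in an added example that is not code from the draft or from the post: Poly1305 with "r" taken from the first 128 bits of the key and "s" (the post's "k") from the following 128 bits, every buffer-to-integer conversion little-endian, and the AEAD length fields encoded as 64-bit little-endian byte counts rather than GCM's big-endian bit counts. The layout of the Poly1305 input (AAD, its length, ciphertext, its length) is assumed from AGL's original TLS draft, not taken from draft-00.

```python
# Added example, not from draft-nir-cfrg-chacha20-poly1305-00 or the post.
# Conventions: r = first 16 key bytes (clamped), s = next 16 bytes, all
# integer <-> buffer conversions little-endian.

def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """One-time authenticator over msg with a 32-byte key; returns a 16-byte tag."""
    assert len(key) == 32
    # Key split: "r" from the first 128 bits, "s" from the following 128 bits.
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        # Each (possibly short) 16-byte block gets a 0x01 byte appended before
        # being read little-endian, so a block's trailing zero bytes still count.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % p
    # Finalise: add s, keep the low 128 bits, serialise little-endian.
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def aead_mac_input(aad: bytes, ciphertext: bytes) -> bytes:
    """Bytes fed to Poly1305 by the AEAD construction.
    Lengths are 64-bit little-endian BYTE counts (issue 3 in the post).
    The field order (AAD, len, ciphertext, len) is an assumption taken from
    AGL's original draft; draft-00's exact layout is not stated in the post."""
    return (aad + len(aad).to_bytes(8, "little")
            + ciphertext + len(ciphertext).to_bytes(8, "little"))


def gcm_style_length(data: bytes) -> bytes:
    """For contrast only: GCM encodes lengths in BITS, as 64-bit big-endian."""
    return (8 * len(data)).to_bytes(8, "big")
```

With the Poly1305 vector later published in RFC 7539 (key 85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b, message "Cryptographic Forum Research Group") `poly1305_mac` returns the tag a8061dc1305136c6c22b8baf0c0127a9, which confirms the r/s split and the little-endian reads are the ones the post adopts.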