Re: [Cfrg] [RFC] [DRAFT] eXtended-nonce ChaCha and AEAD_XChaCha20-Poly1305 (updated)

Scott Arciszewski <scott@paragonie.com> Fri, 12 October 2018 15:10 UTC

References: <CAKws9z3+4DftG5Ov=C3w-u=toaUj6_xOC1s_f5t+dx0fWObTxw@mail.gmail.com> <F56AC368-D83F-4ED6-8AB1-565E983A73AC@cisco.com>
In-Reply-To: <F56AC368-D83F-4ED6-8AB1-565E983A73AC@cisco.com>
From: Scott Arciszewski <scott@paragonie.com>
Date: Fri, 12 Oct 2018 11:10:22 -0400
Message-ID: <CAKws9z3HRyyseBaLYq8pe7hcLHXopXnMvW0KFcaGrpQYJo1LVw@mail.gmail.com>
To: mcgrew@cisco.com
Cc: cfrg@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EuLG09KE8DAHZh3M_xvyJqnb5Yw>

Hi David,

> Why not define it as a randomized AEAD algorithm, so that the nonce is
> dispensed with entirely?

I actually do precisely that in my high-level abstractions that wrap
libsodium's crypto_aead_xchacha20poly1305_*(). See the PASETO draft for
example.

However, the APIs provided by the incumbent implementations do not force
developers to use random nonces. It wouldn't be good form for me to add
this requirement.

This RFC draft captures what existing implementations have already been
doing for years.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>


On Fri, Oct 12, 2018 at 9:26 AM David McGrew (mcgrew) <mcgrew@cisco.com>
wrote:

> Hi Scott,
>
> It's nice to see work that creates alternatives to deterministic nonces.
>
> As I understand it, the motivation for this draft is to enable the use of
> random nonces. Why not define it as a randomized AEAD algorithm, so that
> the nonce is dispensed with entirely? (In RFC 5116 terms, a randomized
> algorithm can have a maximum nonce length of zero.) That way, the
> security of the algorithm does not depend on the user's ability to provide
> random nonces, there is no need to document the security requirements (or
> any other requirements) around that input, and the nonce generation can be
> tested along with the algorithm.
>
> A couple of other comments: there needs to be a security considerations
> section (especially if guidance on nonce generation is needed) and there
> should be an IANA section that creates registry entries for this algorithm.
>
>
> If nonces are pseudorandomly generated, either inside or outside of the
> algorithm, then users need to be careful about things like fork() and VM
> cloning that can undermine security by causing unintentional nonce reuse.
>
> best
>
> David
>
> From: Cfrg <cfrg-bounces@irtf.org> on behalf of Paragon Initiative
> Enterprises Security Team <security@paragonie.com>
> Date: Friday, October 5, 2018 at 1:36 PM
> To: "cfrg@ietf.org" <cfrg@ietf.org>
> Subject: [Cfrg] [RFC] [DRAFT] eXtended-nonce ChaCha and
> AEAD_XChaCha20-Poly1305 (updated)
>
> Good afternoon,
>
> I've uploaded draft01, which contains some typo fixes and an additional
> test vector for XChaCha20 directly.
>
> https://datatracker.ietf.org/doc/draft-arciszewski-xchacha/
>
> If anyone would like to contribute to this document directly, its
> development is being facilitated on GitHub:
> https://github.com/bikeshedders/xchacha-rfc
>
> Of course, I'm also open to feedback/criticism via email as well.
>
> Scott Arciszewski
> Chief Development Officer
> Paragon Initiative Enterprises <https://paragonie.com>
>
>
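The two designs discussed in this thread, the draft's caller-supplied 24-byte nonce and David's randomized AEAD with the nonce generated inside the algorithm, side by side as an added example. This is illustrative pure-Python code written for this page, not code from the draft, libsodium or PASETO; the HChaCha20/XChaCha20 construction follows the draft's description (subkey from the first 16 nonce bytes, ChaCha20 with `0x00000000 || nonce[16:24]`), the AEAD layout follows RFC 8439, and the `randomized_*` wrapper is the assumed shape of a nonce-length-zero algorithm (nonce drawn from the OS and prepended to the output). It is far too slow for real use; it exists to make the structure, and the nonce-generation question, concrete.

```python
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds20(state):
    # 10 double rounds = 20 rounds, returned WITHOUT the feed-forward addition
    s = list(state)
    for _ in range(10):
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return s

def _words(b):
    return list(struct.unpack("<%dI" % (len(b) // 4), b))

def _bytes(w):
    return struct.pack("<%dI" % len(w), *w)

def chacha20_block(key, counter, nonce12):
    """RFC 8439 block function: 32-byte key, 32-bit counter, 12-byte nonce -> 64-byte keystream."""
    state = list(SIGMA) + _words(key) + [counter] + _words(nonce12)
    return _bytes([(x + y) & MASK32 for x, y in zip(_rounds20(state), state)])

def hchacha20(key, nonce16):
    """HChaCha20 as the draft describes it: 16-byte nonce in words 12-15, 20 rounds,
    no feed-forward; words 0-3 || 12-15 become the 32-byte subkey."""
    s = _rounds20(list(SIGMA) + _words(key) + _words(nonce16))
    return _bytes(s[0:4] + s[12:16])

def xchacha20_xor(key, nonce24, data, counter=0):
    """XChaCha20: subkey = HChaCha20(key, nonce[0:16]); ChaCha20 with 0x00000000 || nonce[16:24]."""
    subkey = hchacha20(key, nonce24[:16])
    nonce12 = b"\x00\x00\x00\x00" + nonce24[16:]
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(subkey, counter + i // 64, nonce12)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)

def poly1305_mac(otk, msg):
    """RFC 8439 Poly1305: 32-byte one-time key (r || s) -> 16-byte tag."""
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:], "little")
    p, acc = (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        chunk = msg[i:i + 16]
        acc = ((acc + int.from_bytes(chunk, "little") + (1 << (8 * len(chunk)))) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _pad16(b):
    return b + b"\x00" * (-len(b) % 16)

def _tag(key, nonce24, aad, ct):
    otk = xchacha20_xor(key, nonce24, b"\x00" * 32, counter=0)  # Poly1305 key from block 0
    return poly1305_mac(otk, _pad16(aad) + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct)))

def aead_xchacha20poly1305_encrypt(key, nonce24, aad, plaintext):
    """Caller-supplied 24-byte nonce, the shape the draft and existing libraries expose."""
    ct = xchacha20_xor(key, nonce24, plaintext, counter=1)  # data starts at block 1
    return ct + _tag(key, nonce24, aad, ct)

def aead_xchacha20poly1305_decrypt(key, nonce24, aad, ct_and_tag):
    if len(ct_and_tag) < 16:
        raise ValueError("ciphertext shorter than the tag")
    ct, tag = ct_and_tag[:-16], ct_and_tag[-16:]
    if not hmac.compare_digest(tag, _tag(key, nonce24, aad, ct)):  # constant-time compare
        raise ValueError("authentication failed")
    return xchacha20_xor(key, nonce24, ct, counter=1)

def randomized_encrypt(key, aad, plaintext):
    """Assumed randomized-AEAD shape (RFC 5116 nonce length zero): the nonce is drawn inside
    the algorithm and prepended. os.urandom() is kernel-backed, so there is no user-space
    CSPRNG state for fork() to duplicate; a cloned VM snapshot remains the OS's problem."""
    nonce = os.urandom(24)
    return nonce + aead_xchacha20poly1305_encrypt(key, nonce, aad, plaintext)

def randomized_decrypt(key, aad, blob):
    if len(blob) < 24 + 16:
        raise ValueError("input shorter than nonce + tag")
    return aead_xchacha20poly1305_decrypt(key, blob[:24], aad, blob[24:])
```

The randomized wrapper is exactly the kind of "high-level abstraction" Scott mentions: the 192-bit nonce is what makes drawing it at random per message safe, and keeping generation inside the function means it can be tested (and audited for fork()/clone behaviour) together with the algorithm rather than left to each caller.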