Re: [Cfrg] A little room for AES-192 in TLS?

Ted Krovetz <ted@krovetz.net> Tue, 17 January 2017 16:20 UTC

Return-Path: <ted@krovetz.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7642B129565 for <cfrg@ietfa.amsl.com>; Tue, 17 Jan 2017 08:20:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.821
X-Spam-Level:
X-Spam-Status: No, score=-1.821 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=krovetz-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KVeVxkfjHvGe for <cfrg@ietfa.amsl.com>; Tue, 17 Jan 2017 08:20:41 -0800 (PST)
Received: from mail-pf0-x236.google.com (mail-pf0-x236.google.com [IPv6:2607:f8b0:400e:c00::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5573129553 for <cfrg@irtf.org>; Tue, 17 Jan 2017 08:20:41 -0800 (PST)
Received: by mail-pf0-x236.google.com with SMTP id e4so24703571pfg.1 for <cfrg@irtf.org>; Tue, 17 Jan 2017 08:20:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krovetz-net.20150623.gappssmtp.com; s=20150623; h=from:content-transfer-encoding:mime-version:subject:date:references :to:in-reply-to:message-id; bh=0HaAypCLQfbwk8y5HwWIqNVKzAJFz8+yxleJzZBwdXw=; b=kRH6cdipuYNEFjC2tf1OIOmP68XJeI05MS6e9i+SoT/VVjxrlK+R9rQfTDZ0Yd00hm WK6eOGuT2f4S5+jL5GBivTMqfv6wDkUNr7OzHeoBfaZB4QmKq4fQjwJG6WrfEv5udjmG tcV6kuTFGaJFOTcj/xcUtDvhH3IHobzQu2uUhEH/OQCLTAWeACKRFWrEsPm2yB6hFhQm jzveVN4vLL/+6DSQKlbVA3l0APILNd/fomry8dKQTouLY8YCcC4wE0VV7+iQ4s2d2JXJ KFT4RRFM2hpBknU3OTfu0yNfusJaIBK6XJumz0ZFB4glWtKeqW8KUjNl7OIz+lMaPfbp TlpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:date:references:to:in-reply-to:message-id; bh=0HaAypCLQfbwk8y5HwWIqNVKzAJFz8+yxleJzZBwdXw=; b=L0gycPL47FCohk8/F/KG9PtRw4jm/ZLTh9RDhLRePJV4GGUCznjkBc070kyRMw0EXo JZgua2fMnRTBPyn4FuqMt+Gjrk9YSD/ZACl98x2oSLJtjHvU1ZZnFcAJ42dYH8gLxVgI hMpCsqnucEOPdRa8scUM3hkcEgOsqB8bgc6+QoYMNHS8vRar9H8aKFlfGqI2lOY90iI7 vFCN3Ij4RdY+4f2zit1pDE13n6AdiyECzroim+oji0M4A/LApw2lx/XvGVNvvDLYfnb2 +wp4/D+6iiMpU4btrjDNBkRY+wBaSyr2vMA5PY/Uj07F37nQdw8VNranh7XBhgAMuU10 qsrg==
X-Gm-Message-State: AIkVDXJiPlle80ZFCLIa8aZ/ty1ApO4Enj0J56uVYeO7qIMmzVf/j27BdP0fLU46fB+7PQ==
X-Received: by 10.84.241.129 with SMTP id b1mr59828695pll.135.1484670041208; Tue, 17 Jan 2017 08:20:41 -0800 (PST)
Received: from [192.168.1.100] (c-73-90-200-227.hsd1.ca.comcast.net. [73.90.200.227]) by smtp.gmail.com with ESMTPSA id e127sm56842340pfh.89.2017.01.17.08.20.40 for <cfrg@irtf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Jan 2017 08:20:40 -0800 (PST)
From: Ted Krovetz <ted@krovetz.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Tue, 17 Jan 2017 08:20:39 -0800
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad> <D4A2A7CE.57FDF%john.mattsson@ericsson.com> <CABcZeBPGxT=9iiChy4PxD_zMHWcHU=AhCLoe7wEHHtryw2rfwg@mail.gmail.com> <D4A2B50D.7E040%kenny.paterson@rhul.ac.uk> <CAHOTMVJrHBn4AR7PCJ14xKYCVjdxF7SiswiOABX_g6A5gsQGDg@mail.gmail.com> <1484593651.5104.49.camel@quad> <1df3ba4212e44f9d8e3e6fabf8610cc0@usma1ex-dag1mb1.msg.corp.akamai.com> <1484662079.5135.49.camel@quad> <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com> <CACz1E9rZrso0184wiiK04UJnv4sBWZwtM2yYumha08Z-4n0=KQ@mail.gmail.com> <CAHOTMVLGoj7RPFQBTRu_d+kOoBfrKmi+CG+ityyW=x3G4t_AaQ@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
In-Reply-To: <CAHOTMVLGoj7RPFQBTRu_d+kOoBfrKmi+CG+ityyW=x3G4t_AaQ@mail.gmail.com>
Message-Id: <DB29B0B0-AB36-43B4-B2D8-193CE3C03AA4@krovetz.net>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ICGRZ_fHk7GORt8jJ_-tGxye8nU>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2017 16:20:43 -0000

> ChaCha20 uses a 256-bit key:
> 
> https://tools.ietf.org/html/rfc7539 

If you model Chacha's internal hash function as a 48-byte-to-64-byte PRF, then it is secure against related keys too.

Chacha works by supplying 48 byte (Key || Nonce || Counter) to Chacha's internal hash function repeatedly, each time with a counter increment. If Chacha's internal hash function is a PRF, then clearly *any* change in the key produces independent output.