Re: [Cfrg] RGLC on draft-irtf-cfrg-chacha20-poly1305-01.txt

Yoav Nir <ynir.ietf@gmail.com> Mon, 13 October 2014 12:41 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20141013122419.GA28433@LK-Perkele-VII>
Date: Mon, 13 Oct 2014 15:41:31 +0300
Message-Id: <8F77D0C2-1C1F-4302-8757-5284BA1236A0@gmail.com>
References: <542D48CD.9060404@isode.com> <55183415-AD02-4BAB-86F4-73C53C5FA616@gmail.com> <20141013122419.GA28433@LK-Perkele-VII>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Jo0N4OFzC-AhVI9NvdXUTtHJZPs
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-chacha20-poly1305-01.txt

On Oct 13, 2014, at 3:24 PM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:

> On Mon, Oct 13, 2014 at 02:32:23PM +0300, Yoav Nir wrote:
>> 
>> Hi.
>> 
>> I haven’t submitted anything yet, but I’ve made a few changes to
>> my local copy:
>> I’ve added the AEAD parameters from RFC 5116.
> 
> - Isn't K_LEN = 32, not 16?

Argh, shouldn’t write drafts after midnight.

> - Isn't A_MAX = 2^64 - 1, not 2^64?

Yes, see above. Fixed in my copy and Google docs.

> - AFAIK, RFC5116 requires returning the ciphertext and tag as single
>  octet string (most likely concatenation).

   An AEAD algorithm MAY structure its ciphertext output in any way; for
   example, the ciphertext can incorporate an authentication tag.

Following that, I calculated C_MAX to be P_MAX + 16.

> - RFC5116 requires specifying relation between plaintext and
>  ciphertext lengths (most likely |C|=|P|+16).

Yes.

> - RFC5116 recommends specifying just how badly things blow up
>  if nonce is reused (AFAIK, XOR of plaintexts is revealed and
>  arbitrary messages with that nonce may be forged).

Same authentication key and same keystream, so at least the XOR of the plaintexts is revealed and the same one-time Poly1305 is used. So if you know the plaintext and can choose the nonce, you will be able to encrypt another arbitrary message, but you will still fail tag calculation. I’ll add something to the security considerations.

> Also, writing IANA consideration to register this
> (AEAD_CHACHA20_POLY1305?) could be useful (as already suggested by
> someone). Apparently the registry is called "AEAD algorithms" (at
> least it is that way on IANA site, even if I can't find that in
> RFC 5116). 

Will do.

Yoav