Re: [Cfrg] ChaCha20 and Poly1305 for IPsec

Watson Ladd <watsonbladd@gmail.com> Tue, 21 January 2014 21:05 UTC

In-Reply-To: <301290EC-B31A-4B83-9F29-D00469EC6CB8@checkpoint.com>
References: <180998C7-B6E5-489E-9C79-80D9CAC0DE68@checkpoint.com> <CAL9PXLy9hrq+i_neP96FbTJRvRLbLEXnMYdBdwSeHunFAwF+jQ@mail.gmail.com> <A867BB8E-4556-44B1-A0AF-16771626BF5C@checkpoint.com> <52CB358D.3050603@cisco.com> <A6BDE08D-1F7D-4813-A9C4-61AF8C14412B@checkpoint.com> <52CB482D.6090807@cisco.com> <09031D92-9A14-4CF0-A000-123E71D4F784@checkpoint.com> <3861F1D4-B412-42BE-AE6C-FF5DE213854C@checkpoint.com> <CAL9PXLzgo5a2dk0JM-kWvawPhO1arpurcYSuqcffTWGdrCGY7A@mail.gmail.com> <301290EC-B31A-4B83-9F29-D00469EC6CB8@checkpoint.com>
Date: Tue, 21 Jan 2014 13:05:13 -0800
Message-ID: <CACsn0cmS9yY4+WcJH6o3QMdXhf+wr5dhLvibsRUdFu0aY-dRmg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: David McGrew <mcgrew@cisco.com>, cfrg@irtf.org, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] ChaCha20 and Poly1305 for IPsec

On Jan 21, 2014 12:59 PM, "Yoav Nir" <ynir@checkpoint.com> wrote:
>
>
> On Jan 21, 2014, at 8:06 PM, Adam Langley <agl@google.com> wrote:
>
> > On Tue, Jan 21, 2014 at 11:47 AM, Yoav Nir <ynir@checkpoint.com> wrote:
> >> Reviews and comments would be greatly appreciated, as well as anyone
> >> checking my examples.
> >
> > In the introduction: I think ChaCha20+Poly1305 are useful for software
> > implementations, beyond their use as a backup to AES. AES is not
> > suitable for pure software implementations and they tend to be
> > slow and have side-channels. (AES-GCM even more so.)
>
> I agree that a pure C-language implementation of AES is slower than
> either ChaCha20 or RC4, although it is still much faster than 3DES.
> Processor vendors have been adding hardware implementation of common tasks
> to so-called general purpose processors for years. So we got floating point
> in the late 80s, and "multi-media extension" 128-bit registers in the 90s,
> then vector processors, and now encryption functions. Is software that uses
> the AESENC opcode software or hardware? I think by now the line is blurred.
> For IPsec, AES has been the fastest algorithm even in pure C
> implementations. I'll add something about being fast in software
> implementation to the next iteration.
>
> > "The ChaCha20 block function"...
> >
> > I asked DJB and he said that ChaCha is the name of the cipher and
> > ChaCha20 is the specific variant with 20 rounds.
>
> Yeah, that's how I used it.
>
> >
> > "The 14th word is the least significant 32 bits of the input nonce
> > (nonce | 0xffffffff)"
> >
> > AND not OR, I think.
>
> Oops. You're right, of course.
>
> > You've changed the AEAD by switching the length values from uint64le
> > to uint32be. Seems unnecessary.
>
> I'll change it back. For some reason I thought AES-GCM for IPsec was like
> that, but looking again, I see that it isn't.
>
> >
> > "for a particular key. counters"
> >
> > nit: missing capital letter.
>
> Will fix. Thanks.
>
> > I'm not suitable to evaluate the higher-level integration into IPSec.
> >
>
> I've posted this to ipsec as well. They said that we need a better
> normative reference for the functions. DJB's papers discuss security
> properties and link to source code, but don't have a good definition.
>

Are you reading the same paper I am? He defines Salsa and ChaCha in terms
of applying a well defined quarter round function to the rows and diagonals
of a 4x4 matrix.

> Yoav
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
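The definition Watson refers to, written out in Python as an added example (this is not code from the thread, from Yoav's draft or from Bernstein's reference implementation): one quarter-round function applied to the four columns and then the four diagonals of a 4x4 matrix of 32-bit words, ten times for ChaCha20. Two state layouts are shown. The 32-bit counter / 96-bit nonce layout and the test vector checked against it are taken from RFC 7539, which was published after this thread; the second function uses Bernstein's original 64-bit counter / 64-bit nonce layout, in which word 14 is the least significant 32 bits of the nonce, i.e. nonce AND 0xffffffff, the point of Adam's correction above. Function names and the integer nonce argument of the second function are my own choices.

```python
# Added example (not code from the thread or from any draft): ChaCha20 written
# out as Bernstein defines it, one quarter-round function applied to the four
# columns and then the four diagonals of a 4x4 matrix of 32-bit words.
import struct

MASK32 = 0xFFFFFFFF


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def quarter_round(a, b, c, d):
    """The ChaCha quarter-round: four add/xor/rotate steps on four words."""
    a = (a + b) & MASK32; d = rotl32(d ^ a, 16)
    c = (c + d) & MASK32; b = rotl32(b ^ c, 12)
    a = (a + b) & MASK32; d = rotl32(d ^ a, 8)
    c = (c + d) & MASK32; b = rotl32(b ^ c, 7)
    return a, b, c, d


# Word indices of the 4x4 state (row-major), grouped as columns and diagonals.
COLUMNS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONALS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))


def chacha_core(state, rounds=20):
    """ChaCha permutation of 16 words plus the feed-forward addition.

    `rounds` selects the variant: ChaCha20 is 20 rounds, i.e. ten double
    rounds, each double round being a column round then a diagonal round.
    """
    if rounds % 2 or len(state) != 16:
        raise ValueError("need 16 words and an even number of rounds")
    x = list(state)
    for _ in range(rounds // 2):
        for a, b, c, d in COLUMNS + DIAGONALS:   # columns first, then diagonals
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])
    return [(out + inp) & MASK32 for out, inp in zip(x, state)]


SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # the four constant words


def chacha20_block(key, counter, nonce):
    """64-byte block in the 32-bit counter / 96-bit nonce layout (RFC 7539):
    words 0-3 constants, 4-11 key, 12 counter, 13-15 nonce, all little-endian."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("need a 32-byte key and a 12-byte nonce")
    state = SIGMA + struct.unpack("<8I", key) + (counter & MASK32,) \
        + struct.unpack("<3I", nonce)
    return struct.pack("<16I", *chacha_core(state))


def _lo_hi(v):
    """Split a 64-bit value into (low word, high word), low word first."""
    return (v & MASK32, (v >> 32) & MASK32)


def chacha20_block_djb(key, counter, nonce):
    """Same block in Bernstein's original layout: 64-bit counter in words
    12-13 and 64-bit nonce in words 14-15, each as low word then high word.
    Word 14 is the *least significant* 32 bits of the nonce, so it is
    nonce AND 0xffffffff; (nonce OR 0xffffffff) would be 0xffffffff for
    every nonce. Counter and nonce are taken as integers here (my choice)."""
    if len(key) != 32:
        raise ValueError("need a 32-byte key")
    state = SIGMA + struct.unpack("<8I", key) + _lo_hi(counter) + _lo_hi(nonce)
    return struct.pack("<16I", *chacha_core(state))
```

Both layouts drive the same permutation; they only differ in how words 12 to 15 are partitioned, so a 96-bit-nonce block with counter 1 and nonce 00000009 0000004a 00000000 equals a 64-bit-nonce block with counter 0x0900000000000001 and nonce 0x4a000000. The RFC 7539 quarter-round vector (a=0x11111111, b=0x01020304, c=0x9b8d6f43, d=0x01234567) and its block vector (key bytes 00..1f, counter 1, that nonce) are a convenient check that the column/diagonal ordering and the rotation amounts are right.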