Re: [Cfrg] questions on performance and side channel resistance for ChaCha20 and Poly1305 for IPsec and TLS

David McGrew <mcgrew@cisco.com> Sun, 26 January 2014 09:22 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B19571A0118 for <cfrg@ietfa.amsl.com>; Sun, 26 Jan 2014 01:22:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.036
X-Spam-Level:
X-Spam-Status: No, score=-15.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id npc4Pb6FO4LB for <cfrg@ietfa.amsl.com>; Sun, 26 Jan 2014 01:22:12 -0800 (PST)
Received: from mtv-iport-4.cisco.com (mtv-iport-4.cisco.com [173.36.130.15]) by ietfa.amsl.com (Postfix) with ESMTP id 450981A0115 for <cfrg@irtf.org>; Sun, 26 Jan 2014 01:22:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1970; q=dns/txt; s=iport; t=1390728130; x=1391937730; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=A0ajs2izwN1GurYnUX+jA99H5KuMP3vQ5rxFY+820U4=; b=kJDDFn6lb7Lw3vvyHs+2Pjk6zb2INMEKtaTc3cUoCpjAEy86Po4VRThA hq9/4uaqBlaMZfs/HAoLw7AC7NZ+E9wEl9XhI6FteM8xE610liG5Dlit+ RLgE9cLjqg5DBpg/9ZyTMCtp27dNzLXUzxI0AmHAVK6tX2a9TCnVgYzSU g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AisFAE7T5FKrRDoJ/2dsb2JhbABagwy9YYEFFnSCJQEBAQQ4QAEQCw4KCRYECwkDAgECAUUGAQwBBQICiADIDBeOImsHhDgBA4lIjl+GR4tXgW+BXB4
X-IronPort-AV: E=Sophos;i="4.95,723,1384300800"; d="scan'208";a="103970760"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-4.cisco.com with ESMTP; 26 Jan 2014 09:22:10 +0000
Received: from [10.0.2.15] (sjc-vpn7-1844.cisco.com [10.21.151.52]) by mtv-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s0Q9M5i0030136; Sun, 26 Jan 2014 09:22:08 GMT
Message-ID: <52E4D3BC.9090508@cisco.com>
Date: Sun, 26 Jan 2014 04:22:04 -0500
From: David McGrew <mcgrew@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130922 Icedove/17.0.9
MIME-Version: 1.0
To: Yoav Nir <synp71@live.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <180998C7-B6E5-489E-9C79-80D9CAC0DE68@checkpoint.com> <CAL9PXLy9hrq+i_neP96FbTJRvRLbLEXnMYdBdwSeHunFAwF+jQ@mail.gmail.com> <A867BB8E-4556-44B1-A0AF-16771626BF5C@checkpoint.com> <52CB358D.3050603@cisco.com> <A6BDE08D-1F7D-4813-A9C4-61AF8C14412B@checkpoint.com> <52CB482D.6090807@cisco.com> <09031D92-9A14-4CF0-A000-123E71D4F784@checkpoint.com> <3861F1D4-B412-42BE-AE6C-FF5DE213854C@checkpoint.com> <CAL9PXLzgo5a2dk0JM-kWvawPhO1arpurcYSuqcffTWGdrCGY7A@mail.gmail.com> <52E12D1F.80701@cisco.com> <CAL9PXLzurJbXL1nY5YCQ7ZotscQZ6F-Uj4duH_QyA=Z4zXP7tw@mail.gmail.com> <52E26E81.4080204@cisco.com> <BLU0-SMTP92A11DADA9DBB985D2E743B1A10@phx.gbl>
In-Reply-To: <BLU0-SMTP92A11DADA9DBB985D2E743B1A10@phx.gbl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Adam Langley <agl@google.com>
Subject: Re: [Cfrg] questions on performance and side channel resistance for ChaCha20 and Poly1305 for IPsec and TLS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jan 2014 09:22:13 -0000

On 01/24/2014 06:19 PM, Yoav Nir wrote:
> On 24/1/14 3:45 PM, David McGrew wrote:
>> Hi Adam,
>>
>> On 01/23/2014 11:51 AM, Adam Langley wrote:
>>> On Thu, Jan 23, 2014 at 9:54 AM, David McGrew <mcgrew@cisco.com> wrote:
>>>> Hi Adam and Yoav,
>>>>
>>>> I have some questions and comments on these crypto algorithms and 
>>>> their use
>>>> in TLS and IPsec.
>>>>
>>>> On 01/21/2014 01:06 PM, Adam Langley wrote:
>>>>> On Tue, Jan 21, 2014 at 11:47 AM, Yoav Nir <ynir@checkpoint.com> 
>>>>> wrote:
>>>>>> Reviews and comments would be greatly appreciated, as well as anyone
>>>>>> checking my examples.
>>>>> In the introduction: I think ChaCha20+Poly1305 are useful for 
>>>>> software
>>>>> implementations, beyond their use as a backup to AES. AES in not
>>>>> suitable for pure, software implementations and they tend to be be
>>>>> slow and have side-channels. (AES-GCM even more so.)
>>>>
>>>> The claims that ChaCha20+Poly1305 are faster than AES GCM in pure 
>>>> software
>>>> environments should be quantified in (at least one of) the drafts.
>>> I have no problem with that, but it's not something that I typically
>>> see in IETF drafts and so I didn't do any actual numbers for it.
>>
>> Agreed that it is not something one would expect to see in a TLS 
>> draft, but if the definitive algorithm specification is going to be 
>> an RFC, it should be there.   Watson suggested having a separate RFC 
>> that defines this algorithm combination, which makes sense to me.
>
> Hi David.
>
> I'm trying to throw together a separate document describing ChaCha20, 
> Poly1305, and Adam's AEAD, every step with test vectors. I hope to 
> have it ready by Monday.
>
> Yoav
>
>

Thanks Yoav, I offer to provide some detailed comments.   Can I ask for 
some other volunteers in the group to do the same?    It would be good 
to make sure that the review gets done in a timely way, considering the 
IETF interest.

David