Re: [Cfrg] questions on performance and side channel resistance for ChaCha20 and Poly1305 for IPsec and TLS
David McGrew <mcgrew@cisco.com> Sun, 26 January 2014 09:22 UTC
To: Yoav Nir <synp71@live.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Cc: Adam Langley <agl@google.com>

On 01/24/2014 06:19 PM, Yoav Nir wrote:
> On 24/1/14 3:45 PM, David McGrew wrote:
>> Hi Adam,
>>
>> On 01/23/2014 11:51 AM, Adam Langley wrote:
>>> On Thu, Jan 23, 2014 at 9:54 AM, David McGrew <mcgrew@cisco.com> wrote:
>>>> Hi Adam and Yoav,
>>>>
>>>> I have some questions and comments on these crypto algorithms and
>>>> their use in TLS and IPsec.
>>>>
>>>> On 01/21/2014 01:06 PM, Adam Langley wrote:
>>>>> On Tue, Jan 21, 2014 at 11:47 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>>>>>> Reviews and comments would be greatly appreciated, as well as anyone
>>>>>> checking my examples.
>>>>> In the introduction: I think ChaCha20+Poly1305 are useful for software
>>>>> implementations, beyond their use as a backup to AES. AES is not
>>>>> suitable for pure, software implementations and they tend to be
>>>>> slow and have side-channels. (AES-GCM even more so.)
>>>>
>>>> The claims that ChaCha20+Poly1305 are faster than AES GCM in pure
>>>> software environments should be quantified in (at least one of) the
>>>> drafts.
>>> I have no problem with that, but it's not something that I typically
>>> see in IETF drafts and so I didn't do any actual numbers for it.
>>
>> Agreed that it is not something one would expect to see in a TLS
>> draft, but if the definitive algorithm specification is going to be
>> an RFC, it should be there. Watson suggested having a separate RFC
>> that defines this algorithm combination, which makes sense to me.
>
> Hi David.
>
> I'm trying to throw together a separate document describing ChaCha20,
> Poly1305, and Adam's AEAD, every step with test vectors. I hope to
> have it ready by Monday.
>
> Yoav
>
>

Thanks Yoav, I offer to provide some detailed comments. Can I ask for
some other volunteers in the group to do the same? It would be good to
make sure that the review gets done in a timely way, considering the
IETF interest.

David