Re: [Cfrg] Fwd: New Version Notification for draft-nir-cfrg-chacha20-poly1305-05.txt

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 30 June 2014 10:53 UTC

Date: Mon, 30 Jun 2014 13:53:40 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Yoav Nir <ynir.ietf@gmail.com>
Message-ID: <20140630105340.GA9473@LK-Perkele-VII>
References: <20140619125212.18717.66370.idtracker@ietfa.amsl.com> <65FDFAB8-F3EE-448B-A9B5-882DFC0A9A96@gmail.com>
In-Reply-To: <65FDFAB8-F3EE-448B-A9B5-882DFC0A9A96@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/OtOZtMArcJMbxkJmP3UuSC2tVB4
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Fwd: New Version Notification for draft-nir-cfrg-chacha20-poly1305-05.txt

On Thu, Jun 19, 2014 at 03:58:43PM +0300, Yoav Nir wrote:
> Hi
> 
> This is version -05 of the document.  
> 
> Changes include:
>   - Added some crypto papers as references for ChaCha (still looking for some for Poly1305)
>   - Fixed some typos
>   - Removed the TBD remarks about big vs little endianness, and lengths expressed in bits vs octets. Nobody seemed too interested in debating the little+octets choices.
> 
> As before, we need reviews, especially for the Poly1305 key generations in section 2.6 ( http://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-05#section-2.6 )

Editorial:

Section 2.8.1: The Ciphertext dump is seemingly missing 0x7f byte in
the ASCII version.

Section A.1 Test vector #4: Another ASCII 0x7f seems to be missing.

Section A.2 Test vector #3: Same as above, twice.

(for some odd reason, there are 0x7f bytes in other places, but those
properly appear as '.' in the ASCII dump (0x7f is not printable)).


Other stuff:

I actually wrote an implementation (I haven't optimized it so it is
slow).


The Poly1305 test vectors: All the nontrivial ones test non-mod16
lengths, which are not needed by the AEAD construction. Thus, if
using dedicated poly1305 routines, the cases needed for test
vectors may not be supported.

For this reason, whereas I run nearly every other test vector as
self-test in my code, I haven't coded the Poly1305 tests.


Also, I devised few edge cases that could happen in Poly1305 calculation,
and devised test cases to provoke those. Some of those (#3 and #7) caught
actual bugs where the two full AEAD test vectors didn't find one.


1) If one uses 130-bit partial reduction, does the code handle the
case where partially reduced final result is not fully reduced?

R:
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
S:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data: 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
tag:
03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


2) What happens if addition of s overflows modulo 2^128?

R:
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
S:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
data:
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
tag:
03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


3) What happens if data limb is all ones and there is carry from lower
limb?

R:
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
S:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
tag:
05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


4) What happens if final result from polynomial part is exactly 2^130-5?

R:
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
S:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FB FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
tag:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


5) What happens if final result from polynomial part is exactly 2^130-6?

R:
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
S:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:
FD FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
tag:
FA FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF


6) What happens if 5*H+L-type reduction produces 131-bit intermediate
result?

R:
01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
S:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:
E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00
33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
tag:
14 00 00 00 00 00 00 00 55 00 00 00 00 00 00 00


7) What happens if 5*H+L-type reduction produces 131-bit final result?

R:
01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
S:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:
E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00
33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
tag:
13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00



-Ilari
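The seven edge cases above, run through code. This is an added example written for this archive page; it is not Ilari's implementation and not code from the draft. It contains two independent Poly1305 evaluations in the draft's construction (clamp r, read each 16-byte block little-endian with a 0x01 byte appended, evaluate the polynomial modulo 2^130-5, add s modulo 2^128): a textbook version that fully reduces after every block, and a "lazy" version that only folds the product x = H*2^130 + L into 5*H + L and records how wide the accumulator got, so that the 130-bit partially reduced results of cases 1 and 5 and the 131-bit values of cases 6 and 7 can be seen directly. The vector table is transcribed from the mail; the function and constant names are this example's own.

```python
# Added example, not from the draft or Ilari's implementation: big-integer
# Poly1305 (draft-nir / RFC 7539 construction) checked against the seven
# edge-case vectors from the mail. Names and the vector table are this
# example's own.

P = (1 << 130) - 5                                  # the Poly1305 prime
MASK130 = (1 << 130) - 1
CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF          # r clamping mask


def clamp(r_bytes: bytes) -> int:
    """Read r little-endian and clear the bits the spec requires."""
    return int.from_bytes(r_bytes, "little") & CLAMP


def blocks(data: bytes):
    """Yield each 16-byte (or shorter final) block as an integer with 0x01 appended."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16] + b"\x01", "little")


def poly1305_ref(r_bytes: bytes, s_bytes: bytes, data: bytes) -> bytes:
    """Textbook form: fully reduce modulo 2^130-5 after every block."""
    r = clamp(r_bytes)
    s = int.from_bytes(s_bytes, "little")
    acc = 0
    for b in blocks(data):
        acc = ((acc + b) * r) % P
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def poly1305_lazy(r_bytes: bytes, s_bytes: bytes, data: bytes):
    """Same MAC, but after each multiply only fold x = H*2^130 + L into 5*H + L,
    which can leave a 130- or 131-bit, not fully reduced, accumulator.
    Returns (tag, widest accumulator bit length seen)."""
    r = clamp(r_bytes)
    s = int.from_bytes(s_bytes, "little")
    acc, widest = 0, 0
    for b in blocks(data):
        x = (acc + b) * r
        acc = (x >> 130) * 5 + (x & MASK130)        # 2^130 == 5 (mod P)
        widest = max(widest, acc.bit_length())
    # Final reduction: folding twice brings anything below 2^131 under 2^130;
    # then subtract P once if acc >= P, via the usual "add 5, test bit 130" trick.
    for _ in range(2):
        acc = (acc >> 130) * 5 + (acc & MASK130)
    g = acc + 5
    if g >> 130:
        acc = g & MASK130
    tag = ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")
    return tag, widest


# The seven (r, s, data, tag) cases from the mail, as hex strings.
EDGE_CASES = {
    1: ("02" + "00" * 15, "00" * 16, "ff" * 16, "03" + "00" * 15),
    2: ("02" + "00" * 15, "ff" * 16, "02" + "00" * 15, "03" + "00" * 15),
    3: ("01" + "00" * 15, "00" * 16,
        "ff" * 16 + "f0" + "ff" * 15 + "11" + "00" * 15, "05" + "00" * 15),
    4: ("01" + "00" * 15, "00" * 16,
        "ff" * 16 + "fb" + "fe" * 15 + "01" * 16, "00" * 16),
    5: ("02" + "00" * 15, "00" * 16, "fd" + "ff" * 15, "fa" + "ff" * 15),
    6: ("01" + "00" * 7 + "04" + "00" * 7, "00" * 16,
        "e33594d7505e43b9" + "00" * 8 + "3394d7505e4379cd01" + "00" * 7
        + "00" * 16 + "01" + "00" * 15,
        "14" + "00" * 7 + "55" + "00" * 7),
    7: ("01" + "00" * 7 + "04" + "00" * 7, "00" * 16,
        "e33594d7505e43b9" + "00" * 8 + "3394d7505e4379cd01" + "00" * 7
        + "00" * 16,
        "13" + "00" * 15),
}


def check_edge_cases() -> dict:
    """Run both implementations over every case. Returns
    {case: (reference tag matches, lazy tag matches, widest lazy accumulator in bits)}."""
    out = {}
    for n, (r, s, data, tag) in EDGE_CASES.items():
        r, s, data, tag = (bytes.fromhex(h) for h in (r, s, data, tag))
        ref = poly1305_ref(r, s, data)
        lazy, widest = poly1305_lazy(r, s, data)
        out[n] = (ref == tag, lazy == tag, widest)
    return out


if __name__ == "__main__":
    for n, (ok_ref, ok_lazy, widest) in check_edge_cases().items():
        print(f"case {n}: reference {'ok' if ok_ref else 'FAIL'}, "
              f"lazy {'ok' if ok_lazy else 'FAIL'}, widest accumulator {widest} bits")
```

Both variants agree with every tag in the mail. The lazy variant is where the cases earn their keep: cases 1 and 5 leave the polynomial result at 2^130-2 and 2^130-6, which are 130-bit values above or just below the prime, so the final "add 5, look at bit 130" step is what decides the tag; cases 6 and 7 push the 5*H+L result to 2^130+14, a 131-bit value, which is why the final reduction has to fold the carry before the comparison and why a limb-based implementation with a 130-bit final carry chain would miss it.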