Re: [Cfrg] ChaCha20 and Poly1305 for IPsec

Yoav Nir <> Tue, 21 January 2014 20:58 UTC

From: Yoav Nir <>
To: Adam Langley <>
Date: Tue, 21 Jan 2014 20:58:41 +0000
Cc: David McGrew <>
Subject: Re: [Cfrg] ChaCha20 and Poly1305 for IPsec
List-Id: Crypto Forum Research Group <>

On Jan 21, 2014, at 8:06 PM, Adam Langley <> wrote:

> On Tue, Jan 21, 2014 at 11:47 AM, Yoav Nir <> wrote:
>> Reviews and comments would be greatly appreciated, as well as anyone checking my examples.
> In the introduction: I think ChaCha20+Poly1305 are useful for software
> implementations, beyond their use as a backup to AES. AES is not
> suitable for pure software implementations and they tend to be
> slow and have side-channels. (AES-GCM even more so.)

I agree that a pure C-language implementation of AES is slower than either ChaCha20 or RC4, although it is still much faster than 3DES. Processor vendors have been adding hardware implementations of common tasks to so-called general purpose processors for years. So we got floating point in the late 80s, and "multi-media extension" 128-bit registers in the 90s, then vector processors, and now encryption functions. Is software that uses the AESENC opcode software or hardware? I think by now the line is blurred. For IPsec, AES has been the fastest algorithm even in pure C implementations. I'll add something about being fast in software implementation to the next iteration.

> "The ChaCha20 block function"...
> I asked DJB and he said that ChaCha is the name of the cipher and
> ChaCha20 is the specific variant with 20 rounds.

Yeah, that's how I used it.

> "The 14th word is the least significant 32 bits of the input nonce
> (nonce | 0xffffffff)"
> AND not OR, I think.

Oops. You're right, of course.

> You've changed the AEAD by switching the length values from uint64le
> to uint32be. Seems unnecessary.

I'll change it back. For some reason I thought AES-GCM for IPsec was like that, but looking again, I see that it isn't.

> "for a particular key. counters"
> nit: missing capital letter.

Will fix. Thanks.

> I'm not suitable to evaluate the higher-level integration into IPSec.

I've posted this to ipsec as well. They said that we need a better normative reference for the functions. DJB's papers discuss security properties and link to source code, but don't have a good definition.
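The two block-function details raised above (the nonce word is nonce & 0xffffffff, not nonce | 0xffffffff, and "ChaCha20" means the 20-round variant) worked through as an added example; this is not code from the draft or from either poster. It assumes the state layout later fixed in RFC 7539 (32-bit block counter in word 13, 96-bit nonce as little-endian words 14-16), and is checked against that RFC's block-function test vector.

```python
import struct

MASK32 = 0xFFFFFFFF
# "expand 32-byte k" as four little-endian 32-bit words (state words 1-4)
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)

def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)

def nonce_low_word(nonce):
    """Least significant 32 bits of the input nonce: AND, not OR.
    (nonce | 0xffffffff) equals 0xffffffff for every nonce, so an OR
    would leave no nonce bits in the state word at all."""
    return nonce & MASK32

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block. Assumed layout (RFC 7539 style):
    words 1-4 constants, 5-12 key, 13 counter, 14-16 the 96-bit nonce."""
    if len(key) != 32 or not 0 <= counter <= MASK32 or not 0 <= nonce < 1 << 96:
        raise ValueError("key must be 32 bytes, counter 32-bit, nonce 96-bit")
    state = list(CONSTANTS) + list(struct.unpack("<8I", key)) + [counter]
    state += [nonce_low_word(nonce), (nonce >> 32) & MASK32, (nonce >> 64) & MASK32]
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds, hence "ChaCha20"
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    # add the original state back in and serialize little-endian
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])

def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt by XORing data with successive keystream blocks."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)
```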