Re: [CFRG] XChacha20 counter size
Loup Vaillant-David <loup@loup-vaillant.fr> Sat, 26 December 2020 01:55 UTC
Return-Path: <loup@loup-vaillant.fr>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8B393A0F02 for <cfrg@ietfa.amsl.com>; Fri, 25 Dec 2020 17:55:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EDeS0TPnpfa6 for <cfrg@ietfa.amsl.com>; Fri, 25 Dec 2020 17:55:46 -0800 (PST)
Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DEEC3A08BE for <cfrg@irtf.org>; Fri, 25 Dec 2020 17:55:44 -0800 (PST)
X-Originating-IP: 37.164.53.193
Received: from grey-fade (unknown [37.164.53.193]) (Authenticated sender: loup@loup-vaillant.fr) by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 70D691C0003; Sat, 26 Dec 2020 01:55:41 +0000 (UTC)
Message-ID: <daeb064e13c47815eb38e384575258ca045587c8.camel@loup-vaillant.fr>
From: Loup Vaillant-David <loup@loup-vaillant.fr>
To: Filippo Valsorda <filippo@ml.filippo.io>, cfrg@irtf.org
Date: Sat, 26 Dec 2020 02:55:39 +0100
In-Reply-To: <2ad966e9-70f7-4201-884d-6ef0257fe839@www.fastmail.com>
References: <e632e3291ced05b29c55fea0f064258cb3abfc1a.camel@loup-vaillant.fr> <2ad966e9-70f7-4201-884d-6ef0257fe839@www.fastmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RX3DuIsy5IY6zdXUljlwywsNaow>
Subject: Re: [CFRG] XChacha20 counter size
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Dec 2020 01:55:48 -0000
> I don't know about XSalsa20, but DJB's Salsa20 code as distributed > with NaCl and from the Salsa20 homepage wraps shortly after > overflowing a 32-bit counter, even if it's defined to have a 64-bit > counter, so the originalism argument is not that strong. Oh. I had no idea the implementation deviated from the paper like that. The paper explicitly says the maximum length of Salsa20 is 2^70 bytes, and I naively assumed the author would respect his own specs. TweetNaCl at least seems to have a proper 64-bit counter. > The Go XChaCha20 implementation will panic if the counter reaches 32 > bits, per the draft. A nice thing to do. C however tends not to be as fortunate (no standard way to panic, especially in embedded environments). > > Would it be possible to add an note to RFC 8439, that explicitly > > allows implementations to increment the least significant word of > > the nonce when the counter wraps back to zero? > > Please don't. Overlapping ranges make bounds analysis way harder, and > most importantly generating the same keystream for (key, nonce, large > message) and (key, nonce + 1, message) is unexpected, contradicts the > definition of the cipher, and can leak plaintext when sequential > nonces are in use. There is only 2 ways this can happen. - The user exceeds 2^32 blocks. If you don't spill over the next word, the stream will still be repeated. - The user starts the counter at a non-zero value, and expect overflow to wrap around. In this case, yes, you could have a collision with the next nonce, if the next message starts its own counter at zero. While theoretically possible, I don't see who would come up with such a peculiar design. It's not like someone who fails to notice that messages lengths should be limited, it's' actively asking for trouble. > In fact, if a library implements this behavior in plain ChaCha20, I > would report it as a security issue. I thought Libsodium implemented this behaviour, but further tests showed me that it actually detects the overflow and panics. Monocypher definitely implements this behaviour, but since I have no portable way to panic (Monocypher sticks to strictly conformant C99 with no dependency), the best thing I can do is make sure the manual tell users not to overload that counter. I could possibly have a proper 32-bit counter, but it wouldn't be any better: it would wrap around instead of spilling over the next word, and still trigger an insecure stream reuse. > Either applications never generate messages longer than 256GiB, in > which case failing after the overflow would make no difference, or > they are insecure if they use sequential nonces in little endian. Are you asserting that the only correct behaviour upon 32-bit overflow is to panic? I wouldn't disagree, but alas, not everyone can afford it. > If you offer a short-nonce long-counter variant, that's different > since 32-bit counter overflow will not increase the application- > provided nonce. By default, I do. But that's only a default. I *also* offer an IETF interface, and pray my users won't overflow my not-exactly-32-bit counter. Loup.
- [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Taylor R Campbell
- Re: [CFRG] XChacha20 counter size Filippo Valsorda
- Re: [CFRG] XChacha20 counter size Scott Arciszewski
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- [CFRG] Security limits of ChachPoly (was: XChacha… Loup Vaillant-David
- Re: [CFRG] Security limits of ChachPoly (was: XCh… Taylor R Campbell
- Re: [CFRG] Security limits of ChachPoly (was: XCh… Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size D. J. Bernstein