Re: [CFRG] XChacha20 counter size

Loup Vaillant-David <loup@loup-vaillant.fr> Sat, 26 December 2020 01:55 UTC

Return-Path: <loup@loup-vaillant.fr>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8B393A0F02 for <cfrg@ietfa.amsl.com>; Fri, 25 Dec 2020 17:55:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EDeS0TPnpfa6 for <cfrg@ietfa.amsl.com>; Fri, 25 Dec 2020 17:55:46 -0800 (PST)
Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DEEC3A08BE for <cfrg@irtf.org>; Fri, 25 Dec 2020 17:55:44 -0800 (PST)
X-Originating-IP: 37.164.53.193
Received: from grey-fade (unknown [37.164.53.193]) (Authenticated sender: loup@loup-vaillant.fr) by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 70D691C0003; Sat, 26 Dec 2020 01:55:41 +0000 (UTC)
Message-ID: <daeb064e13c47815eb38e384575258ca045587c8.camel@loup-vaillant.fr>
From: Loup Vaillant-David <loup@loup-vaillant.fr>
To: Filippo Valsorda <filippo@ml.filippo.io>, cfrg@irtf.org
Date: Sat, 26 Dec 2020 02:55:39 +0100
In-Reply-To: <2ad966e9-70f7-4201-884d-6ef0257fe839@www.fastmail.com>
References: <e632e3291ced05b29c55fea0f064258cb3abfc1a.camel@loup-vaillant.fr> <2ad966e9-70f7-4201-884d-6ef0257fe839@www.fastmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RX3DuIsy5IY6zdXUljlwywsNaow>
Subject: Re: [CFRG] XChacha20 counter size
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Dec 2020 01:55:48 -0000

> I don't know about XSalsa20, but DJB's Salsa20 code as distributed
> with NaCl and from the Salsa20 homepage wraps shortly after
> overflowing a 32-bit counter, even if it's defined to have a 64-bit
> counter, so the originalism argument is not that strong.

Oh. I had no idea the implementation deviated from the paper like that.
The paper explicitly says the maximum length of Salsa20 is 2^70 bytes,
and I naively assumed the author would respect his own specs.

TweetNaCl at least seems to have a proper 64-bit counter.


> The Go XChaCha20 implementation will panic if the counter reaches 32
> bits, per the draft.

A nice thing to do. C however tends not to be as fortunate (no standard
way to panic, especially in embedded environments).


> > Would it be possible to add an note to RFC 8439, that explicitly
> > allows implementations to increment the least significant word of
> > the nonce when the counter wraps back to zero?
> 
> Please don't. Overlapping ranges make bounds analysis way harder, and
> most importantly generating the same keystream for (key, nonce, large
> message) and (key, nonce + 1, message) is unexpected, contradicts the
> definition of the cipher, and can leak plaintext when sequential
> nonces are in use.

There is only 2 ways this can happen.

- The user exceeds 2^32 blocks. If you don't spill over the next word,
  the stream will still be repeated.

- The user starts the counter at a non-zero value, and expect overflow
  to wrap around. In this case, yes, you could have a collision with
  the next nonce, if the next message starts its own counter at zero.
  While theoretically possible, I don't see who would come up with
such 
  a peculiar design. It's not like someone who fails to notice that
  messages lengths should be limited, it's' actively asking for
  trouble.


> In fact, if a library implements this behavior in plain ChaCha20, I
> would report it as a security issue.

I thought Libsodium implemented this behaviour, but further tests
showed me that it actually detects the overflow and panics.

Monocypher definitely implements this behaviour, but since I have no
portable way to panic (Monocypher sticks to strictly conformant C99
with no dependency), the best thing I can do is make sure the manual
tell users not to overload that counter.

I could possibly have a proper 32-bit counter, but it wouldn't be any
better: it would wrap around instead of spilling over the next word,
and still trigger an insecure stream reuse.


> Either applications never generate messages longer than 256GiB, in
> which case failing after the overflow would make no difference, or
> they are insecure if they use sequential nonces in little endian.

Are you asserting that the only correct behaviour upon 32-bit overflow
is to panic? I wouldn't disagree, but alas, not everyone can afford it.


> If you offer a short-nonce long-counter variant, that's different
> since 32-bit counter overflow will not increase the application-
> provided nonce.

By default, I do. But that's only a default. I *also* offer an IETF
interface, and pray my users won't overflow my not-exactly-32-bit
counter.

Loup.