[Cfrg] Comments on draft-irtf-cfrg-xchacha-01

Kyle Den Hartog <kyle.denhartog@mattr.global> Mon, 28 October 2019 22:32 UTC

Return-Path: <kyle.denhartog@mattr.global>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 7F06B120033 for <cfrg@ietfa.amsl.com>; Mon, 28 Oct 2019 15:32:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.637
X-Spam-Status: No, score=-1.637 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mattr-global.20150623.gappssmtp.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id UPSiI8Icyy7Y for <cfrg@ietfa.amsl.com>; Mon, 28 Oct 2019 15:32:28 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AC8D12006B for <cfrg@irtf.org>; Mon, 28 Oct 2019 15:32:28 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id a21so13073473ljh.9 for <cfrg@irtf.org>; Mon, 28 Oct 2019 15:32:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mattr-global.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=1sJskcpyg/NrL8nWBS0JVLcZQQ5EqFZTV+QNr3rPxz4=; b=YUe4CkUGRS2I0z6LQACNyz1KqBtYKf2sJBCsqPdsbEXgMpxvYIP/Q76YfbyRroHWKi Hag3YVKHV4lDG4uILzyLhD40zmVWYU4r3qYF66cwr97Bf7YBqFVXIBzx9yokGB32lJOS /UXrRImI8WvNncGRJe3doQU2eyUMG9SX8J70G33mxqZJsBq3UKWbEOM5+jKtX/t087p1 KtUnHtVx25g039iKHTo1y+okum/bKtrG62gfUGtOk3MWMh3RoliwbZ9HAvPctr9Ob1jX HeSA8D8MVIGK5xGNzTDrT/KFlt/L1ECjlB60Q/buiDVNLoXZSOhmiNZOcKFafC0u/e06 KfXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=1sJskcpyg/NrL8nWBS0JVLcZQQ5EqFZTV+QNr3rPxz4=; b=RtIye4i1+nLnQyaF5v8Zwyigo5AXmmrsyleu9AJ8lE5xTOpC53BaLsfjpH61hndK5T ZbaCulDn4082BxD6lw1C8sA9WOhDUoahmSgOuyy8ItBMRYEHuf3OR9imKiSy6NpaqECP mqPOFs87bH9abHbwD8fpwdMFfXZATByT2LQmAHQIpYJ2IJZ2NNJwLhFsAKftWYXy+7SQ 0u8xxagEKKmEif5+xMTXiA9v5aW9zcH4tA/LGqSNSmYxZpYRLyX/XecaI6Pyf+bw9uZ+ D53e4tfKjECd7Eoi7yERTnHMAvx3XJw3K8nrrlOB/oIdCl90PtksdPgfgpQi+5L46GEE NXFw==
X-Gm-Message-State: APjAAAV54MV0Bkeok8Kt15tHmtXWlECCCi3PHWTfOMLnFpisv05jDrQz 2mQWUpvO54+X5S1/s30YRexMnPYI1DPJqmcw5QdQp0ReO5J8OPeBPZdIfTkWqYhfdiS87MDRFAX 6255M5NspGal7cNMBh7IqK+c=
X-Google-Smtp-Source: APXvYqwWdyJ7hAWUMnQ/eo4t3DAlpd/g/yu1t7cGJUJp36xFMPYhzQTwPyJXMTM0TZ01wis/5c0hR6drq+FQIpa2weg=
X-Received: by 2002:a05:651c:1202:: with SMTP id i2mr121221lja.218.1572301945765; Mon, 28 Oct 2019 15:32:25 -0700 (PDT)
MIME-Version: 1.0
From: Kyle Den Hartog <kyle.denhartog@mattr.global>
Date: Tue, 29 Oct 2019 11:32:14 +1300
Message-ID: <CAPHCqSxj+S9BfT34vbAbHoBWX4U7L0=W6M7B-a7uUJPN2Ya2Zw@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000f5128c059600126f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/SDk3I3Gd2reK3W40VCu0UOumN2o>
Subject: [Cfrg] Comments on draft-irtf-cfrg-xchacha-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Oct 2019 22:32:30 -0000

I've recently implemented the draft-irtf-cfrg-xchacha-01 in
Stablelib and wanted to provide some feedback on the RFC.

I found that the decryption part of things was rather difficult because it
was under-specified (albeit it's just the reverse of encryption with tag
verification which I was able to reuse) and I was wondering if adding
details into this would be useful? Also, the details around reusing
chacha20poly1305 ran me into some confusion. I wasn't sure how to implement
it using just the HChacha and XChacha parts because the description says to
just call into the implementation of chacha20poly1305 in the description of
AEAD_XChaCha20_Poly1305. Is it common for implementations to make the call
directly into a full AEAD implementation or to combine the XChacha with a
poly1305 authentication tag and reference RFC 8439 for that?

In terms of the security of the cipher, I believe that the method of
deriving a subkey with the hchacha function provides proper security given
the CSPRNG is generating random numbers properly. I was trying to figure
out if the prepending of 4 null bytes to the front end of the nonce would
create problems to comply with RFC 7539 in terms of having a 12-byte nonce.
More details about this can be found in section 2.3 step 2. Could someone
with a greater understanding evaluate this aspect of the RFC and identify
if it's a cause for concern?

In total, I found that this work is on the right track and is worth greater
evaluation. Specifically, I found it useful for long-term key usage in
instances where rotating keys per message is not always possible. It seems
to meet a unique need that Chacha20poly1305 is not necessarily designed to

Kyle Den Hartog

This communication, including any attachments, is confidential. If you are 
not the intended recipient, you should not read it - please contact me 
immediately, destroy it, and do not copy or use any part of this 
communication or disclose anything about it. Thank you. Please note that 
this communication does not designate an information system for the 
purposes of the Electronic Transactions Act 2002.