Re: [Cfrg] RGLC on draft-irtf-cfrg-chacha20-poly1305-01.txt

Ted Krovetz <ted@krovetz.net> Tue, 07 October 2014 15:47 UTC

Return-Path: <ted@krovetz.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F8691ACE1C for <cfrg@ietfa.amsl.com>; Tue, 7 Oct 2014 08:47:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.821
X-Spam-Level:
X-Spam-Status: No, score=-1.821 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gWuTkcCS0NOR for <cfrg@ietfa.amsl.com>; Tue, 7 Oct 2014 08:47:06 -0700 (PDT)
Received: from mail-pd0-f182.google.com (mail-pd0-f182.google.com [209.85.192.182]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F6BE1A6FC0 for <cfrg@irtf.org>; Tue, 7 Oct 2014 08:47:06 -0700 (PDT)
Received: by mail-pd0-f182.google.com with SMTP id y10so5195636pdj.41 for <cfrg@irtf.org>; Tue, 07 Oct 2014 08:47:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=vjGesYgPKAyRUA/CR5Jy2bLXOem5cuti06vihDIYFyE=; b=dJ1Q8XoBNltfDP9uWvrNetkJ0m09XRTuPy34/iC3kUKv0O6hfWZaGE5L+X8XSTY0j/ mhHLTLByu2RoLDxnnhUOPWc6Py0ZxuL79/3BTYtFcKh8xn9CbSU9jlPSwFihVBYXsOGO 09LFXXREF1E+ZmaqMZRwvMl0MwRRt98l3ZEW4uniifh0aYtJZHAcbNdbdvnmZY6DHeuE T8cXKCaN4+qw4sYJ5xpneG4KIi78CIRFm9m7g0GUWR5Ztt4vknrq0/fkx4nUJA6T7+0n gMFO2JlK18RbH7ughkQPXg8uVD5DZmC84CTmcbsXgrFlpeDPsnqHYuBRkIOgyZ+5+tIn 4g5g==
X-Gm-Message-State: ALoCoQnyVMFJ9XE7fH2vMK3DhoVg2sf/8CtFVRqiRviizgHhH9cACeYfZ5z1BcaQEB5UnyARBVFq
X-Received: by 10.68.129.9 with SMTP id ns9mr4478436pbb.25.1412696825761; Tue, 07 Oct 2014 08:47:05 -0700 (PDT)
Received: from [192.168.1.100] (c-76-20-47-101.hsd1.ca.comcast.net. [76.20.47.101]) by mx.google.com with ESMTPSA id p1sm14240446pdr.15.2014.10.07.08.47.02 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 07 Oct 2014 08:47:04 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Ted Krovetz <ted@krovetz.net>
In-Reply-To: <CAA7UWsUTt2ug2JGdvLfGKfoq1mFjvF40mgK-jPF569uo6CpkRA@mail.gmail.com>
Date: Tue, 7 Oct 2014 08:47:01 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <5571619C-3D05-4E2F-A3A0-22C0A6FC1DD4@krovetz.net>
References: <542D48CD.9060404@isode.com> <CAGvU-a7zd9jB_0vwipe4ALO5u5F0tk5BrfQ-0B5sLNjNRjZiPQ@mail.gmail.com> <CAA7UWsUTt2ug2JGdvLfGKfoq1mFjvF40mgK-jPF569uo6CpkRA@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/WHkfCbH6cTn-ziaXrmSxGQH1eG8
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-chacha20-poly1305-01.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Oct 2014 15:47:08 -0000

> [*] I too think 2^32 blocks is not a large amount of data.

If one views the chacha core as a PRF from 384 bits to 512 bits, then there are all sorts of ways to increase the lengths of the internal counter and/or external nonce. Here are a couple different data layouts for chacha core input that would allow longer counters.

You could shorten the key:

  224 bits of key ||
  96 bits of nonce ||
  64 bits of counter

Or, you could mix the key and nonce (allowing 16 byte nonces):

  first 192 bits of key ||
  ((last 64 bits of key) xor (first 64 bits of nonce)) ||
  last 64 bits of nonce ||
  64 bits of counter

If one uses only the "last 64 bits of nonce", this second suggestion becomes chacha as originally specified.

-Ted