Re: [Cfrg] New Version Notification for draft-nir-cfrg-chacha20-poly1305-05.txt

Yoav Nir <ynir.ietf@gmail.com> Mon, 30 June 2014 14:49 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20140630105340.GA9473@LK-Perkele-VII>
Date: Mon, 30 Jun 2014 17:49:02 +0300
Message-Id: <59E62D41-ACAD-4B3D-8BA9-12E2B1A25E61@gmail.com>
References: <20140619125212.18717.66370.idtracker@ietfa.amsl.com> <65FDFAB8-F3EE-448B-A9B5-882DFC0A9A96@gmail.com> <20140630105340.GA9473@LK-Perkele-VII>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/X48abgiyRunsn8KV1s1sJfjjHS4
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] New Version Notification for draft-nir-cfrg-chacha20-poly1305-05.txt

On Jun 30, 2014, at 1:53 PM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:

> On Thu, Jun 19, 2014 at 03:58:43PM +0300, Yoav Nir wrote:
>> Hi
>> 
>> This is version -05 of the document.  
>> 
>> Changes include:
>>  - Added some crypto papers as references for ChaCha (still looking for some for Poly1305)
>>  - Fixed some typos
>>  - Removed the TBD remarks about big vs little endianness, and lengths expressed in bits vs octets. Nobody seemed too interested in debating the little+octets choices.
>> 
>> As before, we need reviews, especially for the Poly1305 key generations in section 2.6 ( http://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-05#section-2.6 )
> 
> Editorial:
> 
> Section 2.8.1: The Ciphertext dump is seemingly missing 0x7f byte in
> the ASCII version.
> 
> Section A.1 Test vector #4: Another ASCII 0x7f seems to be missing.
> 
> Section A.2 Test vector #3: Same as above, twice.
> 
> (for some odd reason, there are 0x7f bytes in other places, but those
> properly appear as '.' in the ASCII dump (0x7f is not printable)).
> 

Gah!  I actually fixed my hex dump code, but didn’t run some of the buffers again.  Will fix.

> 
> Other stuff:
> 
> I actually wrote an implementation (I haven't optimized it so it is
> slow).
> 
> 
> The Poly1305 test vectors: All the nontrivial ones test non-mod16
> lengths, which are not needed by the AEAD construction. Thus, if
> using dedicated poly1305 routines, the cases needed for test
> vectors may not be supported.
> 
> For this reason, whereas I run nearly every other test vector as
> self-test in my code, I haven't coded the Poly1305 tests.

I wrote those test vectors before version -04, when Poly1305 was not 16-byte aligned. Poly1305 might still find a use in a NULL_with_Poly1305 ciphersuite or in IPsec AH, so I’ll leave those test vectors in there.

And I will add yours as well in the next iteration.

Thanks!

> Also, I devised few edge cases that could happen in Poly1305 calculation,
> and devised test cases to provoke those. Some of those (#3 and #7) caught
> actual bugs where the two full AEAD test vectors didn't find one.
> 
> 
> 1) If one uses 130-bit partial reduction, does the code handle the
> case where partially reduced final result is not fully reduced?
> 
> R:
> 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> S:
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> data: 
> FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> tag:
> 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 
> 
> 2) What happens if addition of s overflows modulo 2^128?
> 
> R:
> 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> S:
> FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> data:
> 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> tag:
> 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 
> 
> 3) What happens if data limb is all ones and there is carry from lower
> limb?
> 
> R:
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> S:
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> data:
> FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> tag:
> 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 
> 
> 4) What happens if final result from polynomial part is exactly 2^130-5?
> 
> R:
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> S:
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> data:
> FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> FB FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE
> 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
> tag:
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 
> 
> 5) What happens if final result from polynomial part is exactly 2^130-6?
> 
> R:
> 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> S:
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> data:
> FD FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> tag:
> FA FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> 
> 
> 6) What happens if 5*H+L-type reduction produces 131-bit intermediate
> result?
> 
> R:
> 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
> S:
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> data:
> E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00
> 33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00 
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> tag:
> 14 00 00 00 00 00 00 00 55 00 00 00 00 00 00 00
> 
> 
> 7) What happens if 5*H+L-type reduction produces 131-bit final result?
> 
> R:
> 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
> S:
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> data:
> E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00
> 33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00 
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> tag:
> 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 
> 
> 
> -Ilari
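The seven edge cases Ilari lists above, run through a small reference Poly1305 written over Python integers. This is an added example, not code from the draft, from Ilari's implementation, or from Yoav; it assumes the r clamping and the 0x01-padded little-endian block encoding of the draft. Alongside the correct MAC it carries a constructed "partial reduction only" variant, which is my own illustration of one bug class (folding bits above 2^130 back once as 5*H + L and never finishing the reduction) and not a model of anyone's actual code, to show which of the quoted vectors such a bug trips.

```python
# Added example: reference Poly1305 over Python integers, checked against the
# seven edge-case vectors quoted in the mail, plus a constructed buggy variant
# that only does a single 5*H + L fold and never completes the reduction.

P = (1 << 130) - 5          # the Poly1305 prime
MASK128 = (1 << 128) - 1
MASK130 = (1 << 130) - 1


def unhex(s: str) -> bytes:
    """Parse a hex dump, ignoring the spaces and newlines used in the mail."""
    return bytes.fromhex("".join(s.split()))


def clamp(r_bytes: bytes) -> int:
    """Apply the Poly1305 r clamping and read the result little-endian."""
    r = bytearray(r_bytes)
    for i in (3, 7, 11, 15):
        r[i] &= 15
    for i in (4, 8, 12):
        r[i] &= 252
    return int.from_bytes(r, "little")


def poly1305_core(r: int, msg: bytes, reduce) -> int:
    """Evaluate the polynomial; `reduce` is applied after every multiply."""
    acc = 0
    for off in range(0, len(msg), 16):
        block = msg[off:off + 16]
        # Append 0x01 after the bytes of the block and read little-endian: for a
        # full block this adds 2^128, for a short final block it pads correctly.
        n = int.from_bytes(block + b"\x01", "little")
        acc = reduce((acc + n) * r)
    return acc


def poly1305(key: bytes, msg: bytes) -> bytes:
    """Correct Poly1305: full reduction modulo 2^130-5, then add s mod 2^128."""
    r, s = clamp(key[:16]), int.from_bytes(key[16:32], "little")
    acc = poly1305_core(r, msg, lambda x: x % P)
    return ((acc + s) & MASK128).to_bytes(16, "little")


def poly1305_partial_only(key: bytes, msg: bytes) -> bytes:
    """Constructed buggy variant (illustration only): folds the bits above
    2^130 back once as 5*H + L, a common limb-arithmetic step, but never
    finishes the reduction, so an accumulator in [2^130-5, 2^131) reaches
    the final truncation to 128 bits uncorrected."""
    r, s = clamp(key[:16]), int.from_bytes(key[16:32], "little")
    acc = poly1305_core(r, msg, lambda x: 5 * (x >> 130) + (x & MASK130))
    return ((acc + s) & MASK128).to_bytes(16, "little")


ZERO16 = "00" * 16
# (number, r, s, data, expected tag), transcribed from Ilari's mail above.
VECTORS = [
    (1, "02" + "00" * 15, ZERO16, "FF" * 16, "03" + "00" * 15),
    (2, "02" + "00" * 15, "FF" * 16, "02" + "00" * 15, "03" + "00" * 15),
    (3, "01" + "00" * 15, ZERO16,
     "FF" * 16 + "F0" + "FF" * 15 + "11" + "00" * 15, "05" + "00" * 15),
    (4, "01" + "00" * 15, ZERO16,
     "FF" * 16 + "FB" + "FE" * 15 + "01" * 16, ZERO16),
    (5, "02" + "00" * 15, ZERO16, "FD" + "FF" * 15, "FA" + "FF" * 15),
    (6, "01" + "00" * 7 + "04" + "00" * 7, ZERO16,
     "E33594D7505E43B9" + "00" * 8 + "3394D7505E4379CD" + "01" + "00" * 7
     + ZERO16 + "01" + "00" * 15,
     "14" + "00" * 7 + "55" + "00" * 7),
    (7, "01" + "00" * 7 + "04" + "00" * 7, ZERO16,
     "E33594D7505E43B9" + "00" * 8 + "3394D7505E4379CD" + "01" + "00" * 7
     + ZERO16,
     "13" + "00" * 15),
]


def failing_vectors(mac) -> list:
    """Return the numbers of the vectors on which `mac` produces a wrong tag."""
    bad = []
    for num, r, s, data, tag in VECTORS:
        if mac(unhex(r + s), unhex(data)) != unhex(tag):
            bad.append(num)
    return bad


if __name__ == "__main__":
    print("reference fails:", failing_vectors(poly1305))
    print("partial-only fails:", failing_vectors(poly1305_partial_only))
```

The full-width integer version reproduces all seven expected tags, which is what makes it a usable oracle for a limb-based implementation. The partial-only variant passes #2 through #6 and fails exactly #1 and #7: in #1 the polynomial result is 2^130-2, in #7 the single fold leaves 2^130+14, and in both the value is at or above 2^130-5 when the tag is truncated to 128 bits, which is the situation the two full AEAD vectors in the draft never produce.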