Re: [Cfrg] I-D Action: draft-irtf-cfrg-chacha20-poly1305-06.txt

Yoav Nir <ynir.ietf@gmail.com> Wed, 14 January 2015 15:09 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <0ED4D299-2CCC-4427-A52C-2F7BDD4634EE@akr.io>
Date: Wed, 14 Jan 2015 17:09:10 +0200
Message-Id: <7FB23519-5635-46AA-AFB7-C4D8A4210AF1@gmail.com>
References: <20150114143413.12276.29693.idtracker@ietfa.amsl.com> <0ED4D299-2CCC-4427-A52C-2F7BDD4634EE@akr.io>
To: Alyssa Rowan <akr@akr.io>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/YYSWehw4X7NUclUoLXpgW8fHV1Q>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-chacha20-poly1305-06.txt

Does it matter?  

memcmp works word-by-word, so on a 32-bit system the attacker would need to send 4 * 2^32 / 2 copies of a message with different tags to guess the correct tag without valid traffic invalidating the AAD. And that assumes that memcmp on 16 bytes can even be measured when it stops prematurely.

OK, I’ll add a line to the security considerations.

Yoav


> On Jan 14, 2015, at 4:50 PM, Alyssa Rowan <akr@akr.io> wrote:
> 
> On 14 January 2015 14:34:13 GMT+00:00, internet-drafts@ietf.org wrote:
> 
>>       Title           : ChaCha20 and Poly1305 for IETF protocols
>>       Authors         : Yoav Nir
>>                         Adam Langley
>>       Filename        : draft-irtf-cfrg-chacha20-poly1305-06.txt
>>       Pages           : 43
>>       Date            : 2015-01-14
> 
> Quick nit:
> 
>> The calculated tag is bitwise compared to the received tag.
> 
> ..."in constant time", perhaps we should add there, in case someone gets some bright ideas with plain vanilla memcmp() from that paragraph?
> 
> Just a thought.
> 
> --
> /akr
> 
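The constant-time tag check the thread is discussing, next to the early-exit memcmp() it replaces, as an added example that is not code from the draft or from either poster; the 16-byte tag values are constructed and are not real Poly1305 output.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POLY1305_TAG_LEN 16

/* What a plain memcmp() does: it returns at the first differing byte, so the
 * time taken depends on how many leading bytes of the received tag match the
 * calculated one. Kept only for contrast with the constant-time version. */
static int tag_equal_early_exit(const uint8_t a[POLY1305_TAG_LEN],
                                const uint8_t b[POLY1305_TAG_LEN])
{
    return memcmp(a, b, POLY1305_TAG_LEN) == 0;
}

/* Constant-time comparison: every byte is always examined, the differences
 * are OR-accumulated, and the 0/1 result is derived arithmetically from the
 * accumulator with no data-dependent branch. Returns 1 if equal, else 0. */
static int tag_equal_ct(const uint8_t a[POLY1305_TAG_LEN],
                        const uint8_t b[POLY1305_TAG_LEN])
{
    uint8_t diff = 0;
    for (size_t i = 0; i < POLY1305_TAG_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* diff == 0 only if all bytes matched; (diff - 1) wraps to 0xFFFFFFFF in
     * that case and its top bit becomes the result, otherwise the top bit is 0 */
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* Constructed sample tags (hypothetical values, not real Poly1305 output). */
static const uint8_t TAG_A[POLY1305_TAG_LEN] = {
    0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
    0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9 };
static const uint8_t TAG_A_COPY[POLY1305_TAG_LEN] = {
    0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
    0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9 };
/* Same as TAG_A except for the final byte: memcmp() would scan 15 matching
 * bytes before rejecting it, the constant-time check always scans all 16. */
static const uint8_t TAG_B[POLY1305_TAG_LEN] = {
    0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
    0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xaa };

int main(void)
{
    printf("ct  : A==A' %d, A==B %d\n", tag_equal_ct(TAG_A, TAG_A_COPY),
           tag_equal_ct(TAG_A, TAG_B));
    printf("fast: A==A' %d, A==B %d\n", tag_equal_early_exit(TAG_A, TAG_A_COPY),
           tag_equal_early_exit(TAG_A, TAG_B));
    return 0;
}
```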