[Cfrg] ChaCha20

Watson Ladd <watsonbladd@gmail.com> Fri, 08 August 2014 01:23 UTC

Date: Thu, 7 Aug 2014 18:23:05 -0700
Message-ID: <CACsn0cmUg1A1wxgOuubfPNg2XJGVq6BNFkARkv_eCSYqvqWRCA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/ZgohKhMJnoOSswNBmWIbtitx5AY
Subject: [Cfrg] ChaCha20
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Dear all,
In the past 6 years only one cryptanalysis result has been published
against ChaCha, and that was against a variant before the final
version was announced. While Salsa20 was an eSTREAM finalist, ChaCha
wasn't.

The ChaCha20+Poly1305 mode we are considering could have been
submitted to CAESAR, but wasn't. I thought about submitting it instead
of McMambo, but ended up winning a durian instead for my troubles.
ChaCha was used in BLAKE, so the differential characteristics of the
round function should work. Unfortunately BLAKE changed ChaCha just
enough to make comparison hard.

I'd like to see some more cryptanalytic attention on ChaCha: in
particular are the differentials from "Latin Dances" still valid for
the published version of ChaCha? What are the best differential
characteristics? And can we figure this out quickly?

Using Salsa20 instead of ChaCha20 would solve this problem somewhat:
at least it won eSTREAM, so we have someone else to blame. However, it
comes at a slight performance loss: how much I don't know. There also
are concerns about nonce size. However, XSalsa20 solves these, while
having the same strength as Salsa20.

(Note that this is the only issue: the Poly1305 security reduces to
PRF security of ChaCha, at least the last time I took a look.)

Sincerely,
Watson Ladd
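The post contrasts the ChaCha round function with Salsa20's and asks about the ChaCha20 block the CFRG draft was standardizing. The following is an editor's example, not code from the list post or from the draft: it implements the ChaCha20 block function in the IETF layout (32-bit block counter, 96-bit nonce, the layout the draft under discussion later became RFC 7539) and puts the Salsa20 quarter-round beside the ChaCha one so the structural difference the post alludes to is visible. The checks use the quarter-round and block test vectors from RFC 7539 (sections 2.1.1 and 2.3.2) and the quarterround example from the Salsa20 specification; the 100-byte round-trip message at the end is a constructed input.

```python
"""ChaCha20 block function (IETF/RFC 7539 layout) next to the Salsa20 quarter-round.

Editor's example, not code from the CFRG post. Test vectors used to check it:
RFC 7539 sections 2.1.1 and 2.3.2, and the Salsa20 spec's quarterround example.
"""
import struct

MASK32 = 0xFFFFFFFF


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def chacha_quarter_round(a, b, c, d):
    """ChaCha quarter-round: four add-rotate-xor steps with rotations 16/12/8/7.
    Every word is updated twice per quarter-round."""
    a = (a + b) & MASK32; d = rotl32(d ^ a, 16)
    c = (c + d) & MASK32; b = rotl32(b ^ c, 12)
    a = (a + b) & MASK32; d = rotl32(d ^ a, 8)
    c = (c + d) & MASK32; b = rotl32(b ^ c, 7)
    return a, b, c, d


def salsa20_quarter_round(y0, y1, y2, y3):
    """Salsa20 quarter-round (rotations 7/9/13/18), shown for comparison.
    Each word is updated once, from the sum of the two most recently updated
    words; ChaCha's schedule differs, which is why differential trails found
    for Salsa20 do not carry over to ChaCha without redoing the analysis."""
    z1 = y1 ^ rotl32((y0 + y3) & MASK32, 7)
    z2 = y2 ^ rotl32((z1 + y0) & MASK32, 9)
    z3 = y3 ^ rotl32((z2 + z1) & MASK32, 13)
    z0 = y0 ^ rotl32((z3 + z2) & MASK32, 18)
    return z0, z1, z2, z3


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block.

    State layout is the IETF one: 4 constant words, 8 key words, a 32-bit
    block counter and a 96-bit nonce. (The original DJB layout instead uses
    a 64-bit counter and a 64-bit nonce, the nonce size the post worries about.)
    """
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("key must be 32 bytes, nonce 12 bytes")
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    x = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        # Column round: QR on each column of the 4x4 word matrix.
        for i in range(4):
            x[i], x[i + 4], x[i + 8], x[i + 12] = chacha_quarter_round(
                x[i], x[i + 4], x[i + 8], x[i + 12])
        # Diagonal round: QR(0,5,10,15), QR(1,6,11,12), QR(2,7,8,13), QR(3,4,9,14).
        for i in range(4):
            a, b, c, d = i, 4 + (i + 1) % 4, 8 + (i + 2) % 4, 12 + (i + 3) % 4
            x[a], x[b], x[c], x[d] = chacha_quarter_round(x[a], x[b], x[c], x[d])
    # Feed-forward: add the initial state so the 20-round permutation
    # cannot simply be inverted from the keystream.
    out = [(x[i] + state[i]) & MASK32 for i in range(16)]
    return struct.pack("<16I", *out)


def chacha20_xor(key, counter, nonce, data):
    """Encrypt or decrypt `data` by XORing it with successive keystream blocks,
    incrementing the block counter once per 64 bytes."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], block))
    return bytes(out)


if __name__ == "__main__":
    # RFC 7539 section 2.3.2 block test vector.
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    print(chacha20_block(key, 1, nonce).hex())
```

The Salsa20 quarter-round is included only to make the comparison concrete; the block function here is ChaCha20 alone. Reusing a (key, nonce) pair with this stream construction leaks the XOR of the two plaintexts, which is the reason nonce size and nonce management matter in the discussion above.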