[Cfrg] ChaCha20
Watson Ladd <watsonbladd@gmail.com> Fri, 08 August 2014 01:23 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/ZgohKhMJnoOSswNBmWIbtitx5AY
Dear all,

In the past 6 years only one cryptanalysis result has been published against ChaCha, and that was against a variant before the final version was announced. While Salsa20 was an eStream finalist, ChaCha wasn't. The ChaCha20+Poly1305 mode we are considering could have been submitted to CAESAR, but wasn't. I thought about submitting it instead of McMambo, but ended up winning a durian instead for my troubles.

ChaCha was used in BLAKE, so the differential characteristics of the round function should work. Unfortunately BLAKE changed ChaCha just enough to make comparison hard.

I'd like to see some more cryptanalytic attention on ChaCha: in particular, are the differentials from "Latin Dances" still valid for the published version of ChaCha? What are the best differential characteristics? And can we figure this out quickly?

Using Salsa20 instead of ChaCha20 would solve this problem somewhat: at least it won eStream, so we have someone else to blame. However, it comes at a slight performance loss: how much I don't know. There also are concerns about nonce size. However, XSalsa20 solves these, while having the same strength as Salsa20. (Note that this is the only issue: the Poly1305 security reduces to PRF security of ChaCha, at least the last time I took a look.)

Sincerely,
Watson Ladd
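The round function and state layout the post is asking people to look at, as an added example that is not part of the original message or of any project mentioned in it: a pure-Python ChaCha20 in the original Bernstein layout (16-byte constant, 32-byte key, 64-bit block counter, 64-bit nonce, which is the layout whose nonce size the post worries about), plus an avalanche probe over reduced-round variants. The probe is the most basic diffusion measurement behind differential analysis: flip one input bit, count how many of the 512 state bits change after r rounds. The `avalanche` function, its trial count, seed and choice to flip only key/counter/nonce words are my assumptions for illustration, not anything defined by ChaCha or by the post; the quarter-round and all-zero-input test values in the usage note are the published ones.

```python
import random
import struct

MASK = 0xFFFFFFFF
# "expand 32-byte k" as four little-endian words: the fixed constants in state words 0..3
CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")


def rotl(x, n):
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK


def quarter_round(s, a, b, c, d):
    """ChaCha quarter-round, applied in place to state words a, b, c, d."""
    s[a] = (s[a] + s[b]) & MASK
    s[d] = rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = rotl(s[b] ^ s[c], 7)


def initial_state(key, counter, nonce):
    """Original layout: constants | key (8 words) | 64-bit counter (2 words) | 64-bit nonce (2 words)."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("key must be 32 bytes and nonce 8 bytes")
    return list(CONSTANTS
                + struct.unpack("<8I", key)
                + struct.unpack("<2I", struct.pack("<Q", counter))
                + struct.unpack("<2I", nonce))


def chacha_rounds(state, rounds=20):
    """Apply `rounds` single rounds (even index = column round, odd = diagonal round), no feed-forward."""
    s = list(state)
    for r in range(rounds):
        if r % 2 == 0:
            quarter_round(s, 0, 4, 8, 12)
            quarter_round(s, 1, 5, 9, 13)
            quarter_round(s, 2, 6, 10, 14)
            quarter_round(s, 3, 7, 11, 15)
        else:
            quarter_round(s, 0, 5, 10, 15)
            quarter_round(s, 1, 6, 11, 12)
            quarter_round(s, 2, 7, 8, 13)
            quarter_round(s, 3, 4, 9, 14)
    return s


def chacha_block(key, counter, nonce, rounds=20):
    """One 64-byte keystream block: run the rounds, then add the initial state word-wise."""
    state = initial_state(key, counter, nonce)
    mixed = chacha_rounds(state, rounds)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(mixed, state)))


def chacha_xor(key, nonce, data, counter=0, rounds=20):
    """Encrypt or decrypt (same operation): XOR data with successive keystream blocks."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha_block(key, counter + i // 64, nonce, rounds)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def avalanche(rounds, trials=200, seed=1):
    """Mean number of the 512 state bits that change when one input bit is flipped,
    after `rounds` rounds (feed-forward omitted). Ideal diffusion is about 256; a single
    column round can only touch the 128 bits of the column holding the flipped word.
    Trial count, seed and the flipped-word range are assumptions made for this example."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        key = rng.getrandbits(256).to_bytes(32, "little")      # constructed random key
        nonce = rng.getrandbits(64).to_bytes(8, "little")      # constructed random nonce
        base = initial_state(key, rng.getrandbits(64), nonce)
        flipped = list(base)
        # flip one bit in the key/counter/nonce words (4..15); the constants are fixed
        flipped[rng.randrange(4, 16)] ^= 1 << rng.randrange(32)
        a = chacha_rounds(base, rounds)
        b = chacha_rounds(flipped, rounds)
        total += sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return total / trials


if __name__ == "__main__":
    print("all-zero key/nonce, counter 0:", chacha_block(bytes(32), 0, bytes(8)).hex())
    for r in (1, 2, 4, 8, 20):
        print(f"avalanche after {r:2d} rounds: {avalanche(r):6.1f} / 512")
```

Two checks anchor the implementation: the quarter-round test vector (a=0x11111111, b=0x01020304, c=0x9b8d6f43, d=0x01234567 gives a=0xea2a92f4, b=0xcb1cf8ce, c=0x4581472e, d=0x5881c4bb) and the all-zero key, all-zero nonce, counter-0 keystream block, which begins 76 b8 e0 ad a0 f1 3d 90. Running the script shows the avalanche count climbing from well under 128 after one round to roughly half the state after a few double rounds, which is exactly the kind of diffusion behaviour a differential characteristic has to fight against; a reduced-round variant with poor diffusion is where published differentials live, and the full 20 rounds are what the post is asking to have re-examined.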