Re: [Cfrg] ChaCha20 and Poly1305 for IPsec

[Yoav Nir <ynir@checkpoint.com>]

Thanks. Proposing this seems so obvious, that I thought I must be missing something that makes it unsuitable.

On Jan 6, 2014, at 8:05 PM, Adam Langley <agl@google.com> wrote:

> On Sun, Jan 5, 2014 at 11:18 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>> Unlike RC4, ChaCha20 has a 64-bit nonce, so different packets could use different keystreams, much like block ciphers in counter mode. Unlike 3DES, ChaCha20 has performance that is close to that of AES.
>> 
>> So my question is whether there is any reason not to use ChaCha20 (with or without the AEAD construction from Adam's draft) for IKE and/or IPsec. Could this be the standby algorithm that we have been looking for?
> 
> I don't know of any problems with this. If IPsec has the concept of a
> counter than can be used as an nonce then I think the AEAD
> construction would be fine, as is.

IPsec has a 32- or 64-bit packet counter, but for some reason it has never been used as a nonce. Both AES-CTR and AES-GCM have explicit 64-bit IVs in IPsec, so I think a ChaCha implementation should do the same - have an explicit IV that's used as a nonce, with a MUST requirement for uniqueness of IV/key combination.

> If one needs to pick the nonces
> randomly, however, then a 64-bit space is too small and XChaCha (which
> has a 192-bit nonce) would be more suitable.

It would work, but IPsec requires re-keying when the 32-bit or 64-bit counter reaches 2^n-1, so that seems like overkill.

Thanks again

Yoav