Re: [Cfrg] questions on performance and side channel resistance for ChaCha20 and Poly1305 for IPsec and TLS

Yoav Nir <synp71@live.com> Fri, 24 January 2014 23:19 UTC

To: David McGrew <mcgrew@cisco.com>, Adam Langley <agl@google.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

On 24/1/14 3:45 PM, David McGrew wrote:
> Hi Adam,
>
> On 01/23/2014 11:51 AM, Adam Langley wrote:
>> On Thu, Jan 23, 2014 at 9:54 AM, David McGrew <mcgrew@cisco.com> wrote:
>>> Hi Adam and Yoav,
>>>
>>> I have some questions and comments on these crypto algorithms and 
>>> their use
>>> in TLS and IPsec.
>>>
>>> On 01/21/2014 01:06 PM, Adam Langley wrote:
>>>> On Tue, Jan 21, 2014 at 11:47 AM, Yoav Nir <ynir@checkpoint.com> 
>>>> wrote:
>>>>> Reviews and comments would be greatly appreciated, as well as anyone
>>>>> checking my examples.
>>>> In the introduction: I think ChaCha20+Poly1305 are useful for software
>>>> implementations, beyond their use as a backup to AES. AES is not
>>>> suitable for pure software implementations, and they tend to be
>>>> slow and have side-channels. (AES-GCM even more so.)
>>>
>>> The claims that ChaCha20+Poly1305 are faster than AES GCM in pure 
>>> software
>>> environments should be quantified in (at least one of) the drafts.
>> I have no problem with that, but it's not something that I typically
>> see in IETF drafts and so I didn't do any actual numbers for it.
>
> Agreed that it is not something one would expect to see in a TLS 
> draft, but if the definitive algorithm specification is going to be an 
> RFC, it should be there. Watson suggested having a separate RFC that 
> defines this algorithm combination, which makes sense to me.

Hi David.

I'm trying to throw together a separate document describing ChaCha20, 
Poly1305, and Adam's AEAD, every step with test vectors. I hope to have 
it ready by Monday.

Yoav