Re: [Cfrg] [RFC] [DRAFT] eXtended-nonce ChaCha and AEAD_XChaCha20-Poly1305 (updated)

Jason Cooper <cfrg@lakedaemon.net> Thu, 11 October 2018 20:42 UTC

Date: Thu, 11 Oct 2018 20:41:58 +0000
From: Jason Cooper <cfrg@lakedaemon.net>
To: Paragon Initiative Enterprises Security Team <security@paragonie.com>
Cc: cfrg@ietf.org
Message-ID: <20181011204158.GC24185@io.lakedaemon.net>
References: <CAKws9z3+4DftG5Ov=C3w-u=toaUj6_xOC1s_f5t+dx0fWObTxw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAKws9z3+4DftG5Ov=C3w-u=toaUj6_xOC1s_f5t+dx0fWObTxw@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/a7ZAsyS9T4SXHDtOa0d4vLweNmc>

Hi Scott,

On Fri, Oct 05, 2018 at 01:36:47PM -0400, Paragon Initiative Enterprises Security Team wrote:
> I've uploaded draft01, which contains some typo fixes and an additional
> test vector for XChaCha20 directly.
> 
> https://datatracker.ietf.org/doc/draft-arciszewski-xchacha/
> 
> If anyone would like to contribute to this document directly, its
> development is being facilitated on GitHub:
> https://github.com/bikeshedders/xchacha-rfc
> 
> Of course, I'm also open to feedback/criticism via email as well.

This has been a long-sought low-hanging goal of mine, and I'm glad to
see someone picking it up!

I've asked this question before[1], and it seems now is the proper time
to bring it up again.  When DJB wrote "Extending the Salsa20 nonce"[2],
he included a security analysis of the construction.  To date, I've not
seen a similar proof for extending the ChaCha20 nonce.

It seems as though care was taken to select the 256 bits (Section 2.2 of
your current version) which were not nibbles originally containing the
key.  Similar selection was done in XSalsa20.

So, my question is: Why is this ok?  I freely admit I've neither the
experience nor the mathematical prowess to understand DJB's XSalsa20
proof.  And it certainly *seems* correct to follow the pattern for
XChaCha20.

However, I'd really like to see this addressed in the RFC.  Either by
providing a similar proof to XSalsa20, or by referencing it and
justifying the extension.


Thanks,

Jason.

[1] http://www.metzdowd.com/pipermail/cryptography/2017-December/033256.html
[2] https://cr.yp.to/snuffle/xsalsa-20110204.pdf (referenced in RFC)
    https://cr.yp.to/snuffle/xsalsa-20081128.pdf (referenced in my email)
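For readers following the word-selection point raised above, here is a small reference implementation (added to this archive page; not code from the draft, its authors, or the poster) showing which state words HChaCha20 keeps. It runs the same 20 ChaCha rounds as the RFC 8439 block function but skips the final feed-forward and returns only words 0-3 and 12-15 (the constant and nonce positions, never the eight key positions 4-11), then pairs that subkey with the remaining 8 nonce bytes for XChaCha20. Input values are the standard RFC 8439 / draft test-vector key and nonce; the helper names are my own.

```python
import struct

MASK = 0xffffffff
CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")  # "sigma" constants, words 0-3


def _rotl32(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def _rounds(s):
    """20 ChaCha rounds (10 column/diagonal double rounds), in place."""
    for _ in range(10):
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)


def _init_state(key, words12_15):
    # words 0-3: constants, 4-11: the 256-bit key, 12-15: counter/nonce input
    return list(CONSTANTS) + list(struct.unpack("<8I", key)) + list(words12_15)


def chacha20_block(key, counter, nonce12):
    """RFC 8439 block function: rounds, then add the initial state back in."""
    init = _init_state(key, (counter,) + struct.unpack("<3I", nonce12))
    s = list(init)
    _rounds(s)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(s, init)])


def hchacha20(key, nonce16):
    """HChaCha20: same rounds, no feed-forward; output words 0-3 and 12-15 only."""
    s = _init_state(key, struct.unpack("<4I", nonce16))
    _rounds(s)
    return struct.pack("<8I", *(s[0:4] + s[12:16]))  # key words 4-11 are discarded


def xchacha20_subkey_and_nonce(key, nonce24):
    """XChaCha20 setup: 32-byte subkey from the first 16 nonce bytes, then a
    12-byte ChaCha20 nonce made of 4 zero bytes plus the last 8 nonce bytes."""
    return hchacha20(key, nonce24[:16]), b"\x00" * 4 + nonce24[16:]
```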