[CFRG] XChacha20 counter size

Loup Vaillant-David <loup@loup-vaillant.fr> Fri, 25 December 2020 22:32 UTC

Return-Path: <loup@loup-vaillant.fr>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id F287C3A0B5B for <cfrg@ietfa.amsl.com>; Fri, 25 Dec 2020 14:32:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id rIG9tM9FHvfM for <cfrg@ietfa.amsl.com>; Fri, 25 Dec 2020 14:32:32 -0800 (PST)
Received: from relay8-d.mail.gandi.net (relay8-d.mail.gandi.net []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 573F63A0B5A for <cfrg@irtf.org>; Fri, 25 Dec 2020 14:32:31 -0800 (PST)
Received: from grey-fade ( []) (Authenticated sender: loup@loup-vaillant.fr) by relay8-d.mail.gandi.net (Postfix) with ESMTPSA id A34EC1BF205 for <cfrg@irtf.org>; Fri, 25 Dec 2020 22:32:28 +0000 (UTC)
Message-ID: <e632e3291ced05b29c55fea0f064258cb3abfc1a.camel@loup-vaillant.fr>
From: Loup Vaillant-David <loup@loup-vaillant.fr>
To: cfrg <cfrg@irtf.org>
Date: Fri, 25 Dec 2020 23:32:27 +0100
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/gjUrRYLw7DLzZQgxFbU5w0B7EIE>
Subject: [CFRG] XChacha20 counter size
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Dec 2020 22:32:34 -0000

Hi, Merry Christmas,

I've just learned that draft-irtf-cfrg-xchacha-03 specifies a 32-bit
counter. From what I can see, this is because it leans on the Chacha20
variant described in RFC 8439.

This is problematic on two levels:

- This is a departure from existing implementations. XSalsa20 from
  NaCl uses a 64-bit counter. XChacha20 in Libsodium also uses a 64-bit
  counter. In general, all XChacha20 implementations I know of use a
  64-bit counter.

- A 32-bit counter limits the length of the messages to realistically
  attainable lengths (256 GiB), thus introducing a new (and avoidable)
  way to shoot ourselves in the foot.

If this draft is adopted as is, users could end up vulnerable when they
switch to a pedantically conformant implementation. I believe we don't
want that. XChacha20 has 256 bits available for the nonce and counter,
we should use them all. Shrinking the counter down to 32 bits put end
users at risk, without giving them any benefit in return.

My suggestion is the following: instead of leaning on the Chacha20
variant described in RFC 8439, we should stick to the original
Chacha20, as designed by DJB.


While we're at it, I note that RFC 8439 is slightly at odds with
existing implementations as well (I know of Libsodium and my own
Monocypher). Instead of using a genuine 32-bit counter, we initialise
the Chacha block just like the RFC say we should, then we pretend we
had a 64-bit counter all along. That way we can use the same core loop
for all variants: original DJB, IETF, and XChacha20.

The only difference is what happens when we overflow the 32-bit
counter. This can happen in two cases:

- We use RFC 8439, and the message is too long (>256 GiB). This is
  arguably an error, and the user must make sure it never happens.
- We use XChacha20, and the message exceed 256 GiB. This should be
  allowed, to eliminate a dangerous edge case.

Would it be possible to add an note to RFC 8439, that explicitly allows
implementations to increment the least significant word of the nonce
when the counter wraps back to zero? That's a detail, though. My most
important request remains that XChacha20 use all 64 bits for its

Thank you for your time,