[CFRG] XChacha20 counter size
Loup Vaillant-David <loup@loup-vaillant.fr> Fri, 25 December 2020 22:32 UTC
Return-Path: <loup@loup-vaillant.fr>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F287C3A0B5B for <cfrg@ietfa.amsl.com>; Fri, 25 Dec 2020 14:32:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rIG9tM9FHvfM for <cfrg@ietfa.amsl.com>; Fri, 25 Dec 2020 14:32:32 -0800 (PST)
Received: from relay8-d.mail.gandi.net (relay8-d.mail.gandi.net [217.70.183.201]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 573F63A0B5A for <cfrg@irtf.org>; Fri, 25 Dec 2020 14:32:31 -0800 (PST)
X-Originating-IP: 109.11.14.233
Received: from grey-fade (233.14.11.109.rev.sfr.net [109.11.14.233]) (Authenticated sender: loup@loup-vaillant.fr) by relay8-d.mail.gandi.net (Postfix) with ESMTPSA id A34EC1BF205 for <cfrg@irtf.org>; Fri, 25 Dec 2020 22:32:28 +0000 (UTC)
Message-ID: <e632e3291ced05b29c55fea0f064258cb3abfc1a.camel@loup-vaillant.fr>
From: Loup Vaillant-David <loup@loup-vaillant.fr>
To: cfrg <cfrg@irtf.org>
Date: Fri, 25 Dec 2020 23:32:27 +0100
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/gjUrRYLw7DLzZQgxFbU5w0B7EIE>
Subject: [CFRG] XChacha20 counter size
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Dec 2020 22:32:34 -0000
Hi, Merry Christmas, I've just learned that draft-irtf-cfrg-xchacha-03 specifies a 32-bit counter. From what I can see, this is because it leans on the Chacha20 variant described in RFC 8439. This is problematic on two levels: - This is a departure from existing implementations. XSalsa20 from NaCl uses a 64-bit counter. XChacha20 in Libsodium also uses a 64-bit counter. In general, all XChacha20 implementations I know of use a 64-bit counter. - A 32-bit counter limits the length of the messages to realistically attainable lengths (256 GiB), thus introducing a new (and avoidable) way to shoot ourselves in the foot. If this draft is adopted as is, users could end up vulnerable when they switch to a pedantically conformant implementation. I believe we don't want that. XChacha20 has 256 bits available for the nonce and counter, we should use them all. Shrinking the counter down to 32 bits put end users at risk, without giving them any benefit in return. My suggestion is the following: instead of leaning on the Chacha20 variant described in RFC 8439, we should stick to the original Chacha20, as designed by DJB. --- While we're at it, I note that RFC 8439 is slightly at odds with existing implementations as well (I know of Libsodium and my own Monocypher). Instead of using a genuine 32-bit counter, we initialise the Chacha block just like the RFC say we should, then we pretend we had a 64-bit counter all along. That way we can use the same core loop for all variants: original DJB, IETF, and XChacha20. The only difference is what happens when we overflow the 32-bit counter. This can happen in two cases: - We use RFC 8439, and the message is too long (>256 GiB). This is arguably an error, and the user must make sure it never happens. - We use XChacha20, and the message exceed 256 GiB. This should be allowed, to eliminate a dangerous edge case. Would it be possible to add an note to RFC 8439, that explicitly allows implementations to increment the least significant word of the nonce when the counter wraps back to zero? That's a detail, though. My most important request remains that XChacha20 use all 64 bits for its counter. Thank you for your time, Loup.
- [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Taylor R Campbell
- Re: [CFRG] XChacha20 counter size Filippo Valsorda
- Re: [CFRG] XChacha20 counter size Scott Arciszewski
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- [CFRG] Security limits of ChachPoly (was: XChacha… Loup Vaillant-David
- Re: [CFRG] Security limits of ChachPoly (was: XCh… Taylor R Campbell
- Re: [CFRG] Security limits of ChachPoly (was: XCh… Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size D. J. Bernstein