Re: [Cfrg] [RFC] [DRAFT] eXtended-nonce ChaCha and AEAD_XChaCha20-Poly1305 (updated)

Scott Arciszewski <scott@paragonie.com> Thu, 11 October 2018 21:43 UTC

References: <CAKws9z3+4DftG5Ov=C3w-u=toaUj6_xOC1s_f5t+dx0fWObTxw@mail.gmail.com> <20181011204158.GC24185@io.lakedaemon.net>
In-Reply-To: <20181011204158.GC24185@io.lakedaemon.net>
From: Scott Arciszewski <scott@paragonie.com>
Date: Thu, 11 Oct 2018 17:42:57 -0400
Message-ID: <CAKws9z3sNynXbZMPoWW2o96V6Hd9Gi+i1QRW=raZ9ZDMXnWvpA@mail.gmail.com>
To: cfrg@lakedaemon.net
Cc: cfrg@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/grZ6mz2VbQJisuxyjxFAgvVoTLc>

Hi Jason,

I strongly agree that this is an important question to tackle. I've taken
my first swing at addressing it here:
https://github.com/bikeshedders/xchacha-rfc/pull/9

The construction seems "obvious", and it's easy to extend the same
arguments in the XSalsa20 paper (in particular regarding the design of
HSalsa20) to ChaCha. The logic is quite straightforward between the two
designs. However, I similarly cannot find any papers formalizing this
argument.

Note: Lacking any university affiliations, I don't have any means of
getting a formal peer-reviewed paper published (that I'm aware of, anyway).
If anyone else would like to take the initiative on this, it would be
greatly welcomed and appreciated.

Aside from that, if anyone can sanity-check the argument being made here,
please feel free to do so.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>


On Thu, Oct 11, 2018 at 4:42 PM Jason Cooper <cfrg@lakedaemon.net> wrote:

> Hi Scott,
>
> On Fri, Oct 05, 2018 at 01:36:47PM -0400, Paragon Initiative Enterprises
> Security Team wrote:
> > I've uploaded draft01, which contains some typo fixes and an additional
> > test vector for XChaCha20 directly.
> >
> > https://datatracker.ietf.org/doc/draft-arciszewski-xchacha/
> >
> > If anyone would like to contribute to this document directly, its
> > development is being facilitated on GitHub:
> > https://github.com/bikeshedders/xchacha-rfc
> >
> > Of course, I'm also open to feedback/criticism via email as well.
>
> This has been a long-sought low-hanging goal of mine, and I'm glad to
> see someone picking it up!
>
> I've asked this question before[1], and it seems now is the proper time
> to bring it up again.  When DJB wrote "Extending the Salsa20 nonce"[2],
> he included a security analysis of the construction.  To date, I've not
> seen a similar proof for extending the ChaCha20 nonce.
>
> It seems as though care was taken to select the 256 bits (Section 2.2 of
> your current version) which were not nibbles originally containing the
> key.  Similar selection was done in XSalsa20.
>
> So, my question is: Why is this ok?  I freely admit I've neither the
> experience nor the mathematical prowess to understand DJB's XSalsa20
> proof.  And it certainly *seems* correct to follow the pattern for
> XChaCha20.
>
> However, I'd really like to see this addressed in the RFC.  Either by
> providing a similar proof to XSalsa20, or by referencing it and
> justifying the extension.
>
>
> Thanks,
>
> Jason.
>
> [1]
> http://www.metzdowd.com/pipermail/cryptography/2017-December/033256.html
> [2] https://cr.yp.to/snuffle/xsalsa-20110204.pdf (referenced in RFC)
>     https://cr.yp.to/snuffle/xsalsa-20081128.pdf (referenced in my email)
>
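The construction both messages discuss, as an added example that is not code from the draft, from Paragon Initiative, or from either poster: a dependency-free Python XChaCha20 assembled from HChaCha20 and IETF ChaCha20. It makes Jason's Section 2.2 point concrete. HChaCha20 runs the 20 ChaCha rounds on the same initial state ChaCha20 would use (constants, key, and the first 16 nonce bytes in the counter/nonce positions), skips the feed-forward addition, and returns only state words 0..3 and 12..15, i.e. the constant row and the counter/nonce row, never the key rows 4..11. The resulting 32-byte subkey then keys an ordinary ChaCha20 whose 12-byte nonce is four zero bytes followed by the last 8 bytes of the 24-byte nonce. The check vectors are the HChaCha20 vector from the draft and the block-function vector from RFC 7539 Section 2.3.2; the function names and the sample message are the example's own.

```python
"""XChaCha20 = HChaCha20(key, nonce[0:16]) feeding ChaCha20 with nonce[16:24].

Added illustration, not the draft's reference code. Pure Python, no dependencies.
"""
import struct

MASK32 = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"  # state words 0..3 (the constant row)


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _rounds20(state):
    """Ten double rounds (column + diagonal) on a copy of the 16-word state."""
    s = list(state)
    for _ in range(10):
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return s


def _initial_state(key, tail16):
    """Rows: constants (0..3), key (4..11), counter/nonce or HChaCha input (12..15)."""
    assert len(key) == 32 and len(tail16) == 16
    return (list(struct.unpack("<4I", SIGMA))
            + list(struct.unpack("<8I", key))
            + list(struct.unpack("<4I", tail16)))


def hchacha20(key, nonce16):
    """Derive a 32-byte subkey: 20 rounds, no feed-forward, words 0..3 and 12..15 only.

    The key rows (4..11) of the final state are deliberately discarded, mirroring
    HSalsa20's choice of output words that never held key material."""
    s = _rounds20(_initial_state(key, nonce16))
    return struct.pack("<8I", *(s[0:4] + s[12:16]))


def chacha20_block(key, counter, nonce12):
    """IETF ChaCha20 block function (32-bit counter, 96-bit nonce), with feed-forward."""
    init = _initial_state(key, struct.pack("<I", counter & MASK32) + nonce12)
    s = _rounds20(init)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(s, init)))


def chacha20_xor(key, counter, nonce12, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce12)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def xchacha20_xor(key, counter, nonce24, data):
    """XChaCha20 as in the draft: subkey from the first 16 nonce bytes,
    then ChaCha20 under a 12-byte nonce of 4 zero bytes + the last 8 nonce bytes."""
    assert len(nonce24) == 24
    subkey = hchacha20(key, nonce24[:16])
    return chacha20_xor(subkey, counter, b"\x00" * 4 + nonce24[16:], data)


def roundtrip_ok(key, nonce24, msg):
    """XChaCha20 is its own inverse under the same key/nonce/counter."""
    return xchacha20_xor(key, 0, nonce24, xchacha20_xor(key, 0, nonce24, msg)) == msg


if __name__ == "__main__":
    # Constructed sample input; the key/nonce bytes are arbitrary demo values.
    k = bytes(range(32))
    n = bytes(range(0x40, 0x40 + 24))
    ct = xchacha20_xor(k, 0, n, b"same subkey only if the first 16 nonce bytes repeat")
    print(ct.hex())
    print("subkey:", hchacha20(k, n[:16]).hex())
```

Note the operational consequence visible in the code: two 24-byte nonces that share their first 16 bytes produce the same HChaCha20 subkey, so the usual nonce-uniqueness rule applies to the whole 24 bytes, and the 192-bit width is what makes random nonces safe to use.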