Re: [Cfrg] AEAD outputs and RFC 7539 (ChaCha20-Poly1305)

Adam Langley <agl@imperialviolet.org> Mon, 23 May 2016 23:36 UTC

Date: Mon, 23 May 2016 16:36:42 -0700
Message-ID: <CAMfhd9URPSYCBmqoN1Qh5ivDP-zD_6rgoKozLZk9XOczzt14hg@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/o2Y4PTEAmfz2hbydJh8qWVrBEvA>
Cc: cfrg@ietf.org

On Mon, May 23, 2016 at 2:45 PM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> https://tools.ietf.org/html/rfc7539#section-2.8 says:
>
>    The output from the AEAD is twofold:
>
>    o  A ciphertext of the same length as the plaintext.
>    o  A 128-bit tag, which is the output of the Poly1305 function.
>
> However, https://tools.ietf.org/html/rfc5116#section-2.1, which
> defines the interface says this:
>
>    There is a single output:
>
>       A ciphertext C, which is at least as long as the plaintext, or
>
>       an indication that the requested encryption operation could not be
>       performed.
>
> And later makes it clear that C includes the authentication tag by noting that:
>
>    An AEAD_AES_128_GCM ciphertext is exactly 16 octets longer than its
>    corresponding plaintext.
>
> This suggests to me that there is an erratum to be raised.  amirite?

I favour the model of RFC5116, but it's not universal. There are
certainly cases where the separate parts are used, for example when
encrypting in place and storing tags out of band.


Cheers

AGL

-- 
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
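The two output models discussed above, as an added example that is not code from this thread, from either RFC, or from any of the participants: a from-scratch Python ChaCha20-Poly1305 that exposes the RFC 7539 pair (ciphertext, tag) next to the RFC 5116 single output C = ciphertext || tag, and shows the receiver splitting C back into the pair (the case AGL mentions, tags kept out of band, is just the detached functions). Function names are my own; the implementation follows RFC 7539 sections 2.3, 2.5 and 2.8 and is checked against the section 2.8.2 test vector.

```python
import hmac, struct
_rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xffffffff

def _chacha_block(key, counter, nonce):
    # RFC 7539 2.3: state = constants | key | counter | nonce; 20 rounds; add the initial state back
    s = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = s[:]
    for _ in range(10):  # 10 double-rounds: 4 column quarter-rounds, then 4 diagonal ones
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            w[a] = (w[a] + w[b]) & 0xffffffff; w[d] = _rotl(w[d] ^ w[a], 16)
            w[c] = (w[c] + w[d]) & 0xffffffff; w[b] = _rotl(w[b] ^ w[c], 12)
            w[a] = (w[a] + w[b]) & 0xffffffff; w[d] = _rotl(w[d] ^ w[a], 8)
            w[c] = (w[c] + w[d]) & 0xffffffff; w[b] = _rotl(w[b] ^ w[c], 7)
    return struct.pack("<16I", *[(x + y) & 0xffffffff for x, y in zip(w, s)])

def _chacha20(key, counter, nonce, data):
    # Keystream XOR; the block counter advances once per 64-byte block
    return b"".join(bytes(p ^ k for p, k in zip(data[i:i + 64], _chacha_block(key, counter + i // 64, nonce)))
                    for i in range(0, len(data), 64))

def _poly1305(key, msg):
    # RFC 7539 2.5: clamp r; each block (the last may be short) gets a 0x01 byte appended; mod 2^130-5
    r = int.from_bytes(key[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s, p, acc = int.from_bytes(key[16:], "little"), (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _tag(key, nonce, aad, ct):
    # RFC 7539 2.8: one-time key = first 32 bytes of block 0; MAC over pad16(aad) | pad16(ct) | lengths
    pad = lambda b: b + b"\x00" * (-len(b) % 16)
    return _poly1305(_chacha_block(key, 0, nonce)[:32], pad(aad) + pad(ct) + struct.pack("<QQ", len(aad), len(ct)))

def seal_detached(key, nonce, aad, pt):
    """RFC 7539 2.8 view: two outputs, a ciphertext as long as pt and a separate 16-byte tag."""
    ct = _chacha20(key, 1, nonce, pt)
    return ct, _tag(key, nonce, aad, ct)

def seal_combined(key, nonce, aad, pt):
    """RFC 5116 view: one output C = ciphertext || tag, exactly 16 octets longer than pt."""
    return b"".join(seal_detached(key, nonce, aad, pt))

def open_detached(key, nonce, aad, ct, tag):
    # Constant-time tag check before any plaintext is released; None signals failure
    return _chacha20(key, 1, nonce, ct) if hmac.compare_digest(tag, _tag(key, nonce, aad, ct)) else None

def open_combined(key, nonce, aad, c):
    # Split the RFC 5116 blob back into the RFC 7539 pair; a blob shorter than a tag is invalid
    return None if len(c) < 16 else open_detached(key, nonce, aad, c[:-16], c[-16:])
```

The two views are interchangeable only if both sides agree on where the tag goes; an RFC 5116 receiver handed a bare RFC 7539 ciphertext will strip its last 16 bytes as a "tag" and fail.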