Re: [Cfrg] ChaCha20 and Poly1305 for IPsec

David McGrew <mcgrew@cisco.com> Thu, 23 January 2014 15:06 UTC

Message-ID: <52E12FDE.3090603@cisco.com>
Date: Thu, 23 Jan 2014 10:06:06 -0500
From: David McGrew <mcgrew@cisco.com>
To: Yoav Nir <synp71@live.com>
References: <180998C7-B6E5-489E-9C79-80D9CAC0DE68@checkpoint.com> <CAL9PXLy9hrq+i_neP96FbTJRvRLbLEXnMYdBdwSeHunFAwF+jQ@mail.gmail.com> <A867BB8E-4556-44B1-A0AF-16771626BF5C@checkpoint.com> <52CB358D.3050603@cisco.com> <A6BDE08D-1F7D-4813-A9C4-61AF8C14412B@checkpoint.com> <52CB482D.6090807@cisco.com> <09031D92-9A14-4CF0-A000-123E71D4F784@checkpoint.com> <3861F1D4-B412-42BE-AE6C-FF5DE213854C@checkpoint.com> <CAL9PXLzgo5a2dk0JM-kWvawPhO1arpurcYSuqcffTWGdrCGY7A@mail.gmail.com> <301290EC-B31A-4B83-9F29-D00469EC6CB8@checkpoint.com> <CACsn0cmS9yY4+WcJH6o3QMdXhf+wr5dhLvibsRUdFu0aY-dRmg@mail.gmail.com> <BLU0-SMTP1803BBEDFAF18F164D98C0FB1A40@phx.gbl>
In-Reply-To: <BLU0-SMTP1803BBEDFAF18F164D98C0FB1A40@phx.gbl>
Cc: cfrg@irtf.org, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] ChaCha20 and Poly1305 for IPsec

Hi Yoav,

On 01/21/2014 04:25 PM, Yoav Nir wrote:
> On 21/1/14 11:05 PM, Watson Ladd wrote:
>>> I've posted this to ipsec as well. They said that we need a better
>>> normative reference for the functions. DJB's papers discuss security
>>> properties and link to source code, but don't have a good definition.
>>
>> Are you reading the same paper I am? He defines Salsa and ChaCha in 
>> terms of applying a well defined quarter round function to the rows 
>> and diagonals of a 4x4 matrix.
>>
>
> I'm reading this one:
> http://cr.yp.to/chacha/chacha-20080128.pdf
>
> It's mixing description, comparison with Salsa20, security analysis 
> and performance data. That's fine for a paper. I could probably write 
> an implementation based on that, but I would have very little 
> confidence that it is correct.

The "spec.pdf" file in the "Design, Specification, Security and Speed"
zipfile submitted to ESTREAM might be useful to you:
http://www.ecrypt.eu.org/stream/e2-salsa20.html

David

>
> For RFCs, we like to have a clear document that is as short as 
> possible, and has a very clear definition, and a few test vectors so 
> an implementer can check their code.
>
> I'm not totally convinced by Yaron's response ([1]), but I'd rather 
> not be forced to repeat much of the algorithm in my draft, as Adam did 
> in sections 3 & 4 of [2].
>
> Yoav
>
> [1] http://www.ietf.org/mail-archive/web/ipsec/current/msg08929.html
> [2] http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04
>
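The construction Watson summarizes above (a quarter round applied to the columns and then the diagonals of a 4x4 matrix of 32-bit words, 20 rounds in all) and the test-vector check Yoav asks for, written out as an added example that is not code from this thread, from DJB's paper or from Adam Langley's draft. It assumes the state layout that RFC 7539 later standardized (128-bit constant, 256-bit key, 32-bit block counter, 96-bit nonce) and checks itself against that RFC's quarter-round and block-function vectors; the original paper places a 64-bit counter and 64-bit nonce in the last row instead, so the word positions there differ.

```python
# ChaCha20 block function from the description in the thread: a quarter
# round applied to the four columns and then the four diagonals of a 4x4
# matrix of 32-bit words, 20 rounds in total.  Added example, not code from
# the thread, DJB's paper or Adam Langley's draft.  State layout and test
# vectors follow RFC 7539 (32-bit counter, 96-bit nonce); the original
# paper uses a 64-bit counter and 64-bit nonce in the last row.
import struct

MASK32 = 0xFFFFFFFF


def rotl32(v, n):
    """Rotate a 32-bit word left by n bits."""
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(a, b, c, d):
    """One ChaCha quarter round on four 32-bit words (add, xor, rotate)."""
    a = (a + b) & MASK32; d = rotl32(d ^ a, 16)
    c = (c + d) & MASK32; b = rotl32(b ^ c, 12)
    a = (a + b) & MASK32; d = rotl32(d ^ a, 8)
    c = (c + d) & MASK32; b = rotl32(b ^ c, 7)
    return a, b, c, d


def qr_in_place(x, ia, ib, ic, id_):
    """Apply quarter_round to four positions of the 16-word state."""
    x[ia], x[ib], x[ic], x[id_] = quarter_round(x[ia], x[ib], x[ic], x[id_])


def chacha20_block(key, counter, nonce, rounds=20):
    """Return the 64-byte keystream block for (key, counter, nonce)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("key must be 32 bytes and nonce 12 bytes")
    constants = struct.unpack("<4I", b"expand 32-byte k")
    state = (list(constants) + list(struct.unpack("<8I", key))
             + [counter & MASK32] + list(struct.unpack("<3I", nonce)))
    x = state[:]
    for _ in range(rounds // 2):  # one column round + one diagonal round
        qr_in_place(x, 0, 4, 8, 12)   # columns of the 4x4 matrix
        qr_in_place(x, 1, 5, 9, 13)
        qr_in_place(x, 2, 6, 10, 14)
        qr_in_place(x, 3, 7, 11, 15)
        qr_in_place(x, 0, 5, 10, 15)  # diagonals
        qr_in_place(x, 1, 6, 11, 12)
        qr_in_place(x, 2, 7, 8, 13)
        qr_in_place(x, 3, 4, 9, 14)
    # Feed-forward: add the initial state so the round function cannot be inverted.
    out = [(x[i] + state[i]) & MASK32 for i in range(16)]
    return struct.pack("<16I", *out)


def chacha20_encrypt(key, counter, nonce, data):
    """XOR data with keystream starting at block `counter` (encrypt == decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


# Test vectors from RFC 7539: Section 2.1.1 (quarter round) and Section 2.3.2
# (block function, key 00..1f, counter 1, nonce 000000090000004a00000000).
RFC7539_QR_IN = (0x11111111, 0x01020304, 0x9b8d6f43, 0x01234567)
RFC7539_QR_OUT = (0xea2a92f4, 0xcb1cf8ce, 0x4581472e, 0x5881c4bb)
RFC7539_KEY = bytes(range(32))
RFC7539_NONCE = bytes.fromhex("000000090000004a00000000")
RFC7539_BLOCK_PREFIX = bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")


def self_check():
    """True if both the quarter round and the block function match RFC 7539."""
    ok_qr = quarter_round(*RFC7539_QR_IN) == RFC7539_QR_OUT
    block = chacha20_block(RFC7539_KEY, 1, RFC7539_NONCE)
    ok_block = block[:16] == RFC7539_BLOCK_PREFIX
    return ok_qr and ok_block


if __name__ == "__main__":
    print("quarter round and block function match RFC 7539:", self_check())
```

The self-check is the point of the block: a short, self-contained definition plus a vector an implementer can compare against, which is what the thread says a normative reference needs; the quarter round vector can even be traced by hand in four steps.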