[Cfrg] ChaCha20 and Poly1305 for IPsec

Yoav Nir <ynir@checkpoint.com> Sun, 05 January 2014 16:18 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Sun, 5 Jan 2014 16:18:28 +0000
Cc: Adam Langley <agl@google.com>
Subject: [Cfrg] ChaCha20 and Poly1305 for IPsec

Recently there has been some activity in trying to find alternative ciphers. In TLS the issue was RC4, which is now deemed insecure. Adam's draft ([1]) proposes to use another stream cipher, ChaCha20, in its place. Poly1305 is used in that draft as a faster (when compared with HMAC-SHA1) message authentication algorithm. 

For IPsec, RC4 was never used because it always produces the same keystream, so we cannot produce per-packet streams. What we have today is that the only widely-deployed algorithm other than AES is 3DES, and on modern hardware AES is 4x to 10x as fast as 3DES. That means that if ever an issue is found in AES, users will not be able to switch to 3DES - the performance is not even close, so much of the deployed hardware will not be able to handle the load. This sorry state is described in [2].

Unlike RC4, ChaCha20 has a 64-bit nonce, so different packets could use different keystreams, much like block ciphers in counter mode. Unlike 3DES, ChaCha20 has performance that is close to that of AES.

So my question is whether there is any reason not to use ChaCha20 (with or without the AEAD construction from Adam's draft) for IKE and/or IPsec. Could this be the standby algorithm that we have been looking for?


[1] http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04
[2] http://tools.ietf.org/html/draft-mcgrew-standby-cipher-00
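
Added example, not part of the original message or of either draft: a pure-Python sketch of ChaCha20 in its original layout (64-bit block counter, 64-bit nonce), showing how a per-packet nonce gives each packet its own keystream, much like counter mode. Using the packet sequence number as the nonce, its little-endian encoding, and the names `packet_keystream` and `encrypt_packet` are assumptions of this example.

```python
import struct

MASK = 0xffffffff

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    # ChaCha quarter round: add, xor, rotate by 16, 12, 8, 7
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & MASK
        s[z] = _rotl(s[z] ^ s[x], r)

def chacha20_block(key, nonce, counter):
    """Return one 64-byte keystream block (32-byte key, 8-byte nonce)."""
    init = (list(struct.unpack("<4I", b"expand 32-byte k"))  # words 0-3
            + list(struct.unpack("<8I", key))                # words 4-11
            + [counter & MASK, (counter >> 32) & MASK]       # words 12-13
            + list(struct.unpack("<2I", nonce)))             # words 14-15
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13),     # columns
                           (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12),   # diagonals
                           (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, a, b, c, d)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, init)))

def packet_keystream(key, seq, length):
    # Assumption of this example: nonce = 64-bit packet sequence number.
    nonce = struct.pack("<Q", seq)
    blocks = (chacha20_block(key, nonce, i) for i in range((length + 63) // 64))
    return b"".join(blocks)[:length]

def encrypt_packet(key, seq, payload):
    # XOR with the per-packet keystream; the same call decrypts.
    ks = packet_keystream(key, seq, len(payload))
    return bytes(p ^ k for p, k in zip(payload, ks))

if __name__ == "__main__":
    key = bytes(range(32))                # constructed sample key
    payload = b"constructed sample payload"
    for seq in (1, 2):                    # same key, different packets
        print(seq, encrypt_packet(key, seq, payload).hex())
```

Each packet can be decrypted from the key and its own sequence number alone, and the sequence number must never repeat under one key, since two packets sharing a nonce would share a keystream.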