Re: [Cfrg] problems with draft-josefsson-salsa20-tls-02

Nikos Mavrogiannopoulos <> Wed, 28 August 2013 14:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id ECF3A11E81B6 for <>; Wed, 28 Aug 2013 07:45:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4V31k3WEWySl for <>; Wed, 28 Aug 2013 07:45:23 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c04::22d]) by (Postfix) with ESMTP id C967D21F9FCA for <>; Wed, 28 Aug 2013 07:45:17 -0700 (PDT)
Received: by with SMTP id r11so3859294lbi.18 for <>; Wed, 28 Aug 2013 07:45:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=WeZLN6wq9Oy/zF7/qW8chtMng/5sAnmt1X5WPagrTUk=; b=ogr4tr7iajgJD2qVjDGGq0AgKN1mmwbDw/VDyS+YTLzXU9IipUH6CObRpr5R6Hv1B/ bIjnEihjPWllt6AnBfks4EjYUVDOcMyYAbdcJECjFNiJf79aizjvNfvPHSX1v7mTFtF4 8ACH7Q+GGVm2z4kmob5biDF1t4DCIk+mE3cxTHKDrqZBWaIFGW5+ACngFsWSDf8CfZ1M 9pcmXXEeoR4Rzj+wuthglHeF7GsCX30wwyhuDziImabk+xvbOuf8mpgzlLMmbR34tkT5 xtF4ftLbWQYHj/VF5Ql3qseF4xOft/M7mL8ROBt4gj9u326yAmxqOXGSSLdT40pkuBIW LPUQ==
MIME-Version: 1.0
X-Received: by with SMTP id d10mr66765laa.49.1377701115336; Wed, 28 Aug 2013 07:45:15 -0700 (PDT)
Received: by with HTTP; Wed, 28 Aug 2013 07:45:15 -0700 (PDT)
In-Reply-To: <1377532182.4027.103.camel@darkstar>
References: <> <1376512356.16950.360.camel@darkstar> <> <1377532182.4027.103.camel@darkstar>
Date: Wed, 28 Aug 2013 17:45:15 +0300
Message-ID: <>
From: Nikos Mavrogiannopoulos <>
To: David McGrew <>
Content-Type: multipart/alternative; boundary=089e01419b1c961cd104e503093b
Cc: "" <>
Subject: Re: [Cfrg] problems with draft-josefsson-salsa20-tls-02
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Aug 2013 14:45:25 -0000

On Mon, Aug 26, 2013 at 6:49 PM, David McGrew <> wrote:

> Hi Nikos,
If there is a compelling benefit to using these ciphersuites, it
> deserves to be quantified.
> > There are benchmarks in the estream framework we can link to [0] if it
> > is deemed necessary.
> >
> > [0].
> It definitely would be good to reference the ESTREAM performance
> comparisons, but the draft should also explain what platform(s) are the
> performance targets.   Is the goal of the draft to minimize CPU
> utilization, and thus power usage, on mobile clients, without regard to
> servers?   Or perhaps there is another goal; I'm speculating here.

Hello David,
 I don't think that this is the purpose of this draft. This draft merely
defines how to use salsa20 in TLS. There is a lot of controversy on whether
a cipher is fast/slow or whatever on a particular platform (depending on
the implementation, power usage), and personal taste :) If we'd try to
quantify those things in this draft it would take more effort and heat than
needed. If as you imply salsa20 is not as fast in some platforms, then
things are simple, it will not be used in those platforms. The intention is
to define salsa20 to be used in the platforms that is faster than AES.

> > I don't quite understand that. Could you elaborate on the particulars?
> > Why do you think that the TLS GenericStreamCipher is vulnerable to
> > side-channel attacks (and the GenericAEADCipher is not?). I believe
> > your comment is towards the general constructions (and more precisely
> > you mean the GenericBlockCipher) rather than this particular
> > ciphersuite.
> >
> One of the important properties of a sound authenticated encryption
> scheme is that the decryption operation does not release any
> (potentially invalid) plaintext data until the authentication check is
> complete.  The GenericStreamCipher does not require an implementation to
> have this property.

I believe that you have misunderstood how the GenericStreamCipher operates
in TLS. No TLS implementation releases plaintext data that have not been
authenticated in GenericStreamCipher or any other mode. This was one of the
initial goals in TLS, and that is the reason that (unlike IPSec) there
aren't any ciphersuites that do not provide authentication.

> Only if you can work in clean slate. Unfortunately that doesn't happen
> in practice. In practice one would add the ciphersuite in an existing
> implementation that may not support TLS 1.2.

The point that I wanted to make is: instead of re-defining the
> GenericStreamCipher and MAC algorithms for TLS v 1.0 and 1.1,
> GenericAEADCipher can be added to those versions of the protocol.   That
> would enable a TLS implementation that supports the current version of
> the protocol to use its GenericAEADCipher for all three versions, and
> relieve that implementation of the need to support an updated definition
> for GenericStreamCipher and MAC.

That is a nice idea, and we can consider this option when this is done.
However, as you previously argued it would be good to have a
GenericAEADCipher that uses the TLS sequence numbers instead of another
explicit nonce to save bytes.

> >         The draft has no mechanism to allow multiple encrypters to
> >         work in
> >         parallel, such as is provided in Section 6.2 of RFC5288.
> > Actually RFC5288 needs this section because it uses a random nonce.
> No, RFC5288 uses a deterministic nonce.

As far as I understand RFC5288 doesn't use a deterministic nonce. It allows
the implementer to use any nonce he likes. It merely suggests (with a MAY)
to copy the TLS sequence number as nonce.

>  Since the salsa draft doesn't use a random nonce it doesn't require
> such a special provision for parallel encryptors. Parallel encryptors
> come for free in the salsa20 draft.

> No, each Salsa20 nonce MUST be distinct, and the draft makes no
> provision to ensure that they can be distinct when multiple encrypters
> are in use.  Rather than being "for free", the draft provides no way to
> allow for an implementation to use parallel encryptors and to maintain
> security.

I don't quite understand your objection. Since each TLS record has a
distinct and unique sequence number (and thus nonce), it is pretty
straightforward to map each record on a different CPUs for encryption.
There is nothing non-obvious needed to clarify there (unless I don't
understand your point).