Re: [Cfrg] [RFC] [DRAFT] eXtended-nonce ChaCha and AEAD_XChaCha20-Poly1305 (updated)

"D. J. Bernstein" <djb@cr.yp.to> Fri, 12 October 2018 01:29 UTC

Date: Fri, 12 Oct 2018 01:30:21 -0000
Message-ID: <20181012013021.30099.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
In-Reply-To: <20181011204158.GC24185@io.lakedaemon.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/s7UzoUFG2QCrto3Fw7VD1eQfji0>
Subject: Re: [Cfrg] [RFC] [DRAFT] eXtended-nonce ChaCha and AEAD_XChaCha20-Poly1305 (updated)
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

Jason Cooper writes:
> So, my question is: Why is this ok?

Alice has hired Bob to build a box that computes HSalsa20 using Alice's
secret key. She isn't giving Bob her secret key, but she's giving Bob a
box that computes Salsa20 using her secret key.

Can Bob still do his job? Yes! Bob builds his HSalsa20 box around
Alice's Salsa20 box. Whatever input comes into Bob's HSalsa20 box, Bob
passes the same input to the Salsa20 box. Bob then extracts certain
words from the Salsa20 output, and subtracts the corresponding input
words, to obtain the HSalsa20 output.

Salsa20 is designed so that an attacker given access to Alice's Salsa20
box can't detect any patterns in the outputs produced by the box. Is it
possible that HSalsa20 is weaker---that an attacker can detect patterns
in the outputs of the HSalsa20 box that Bob built?

The answer is no. Show me an attacker who can see patterns in the
outputs of Bob's HSalsa20 box, and I'll show you an attacker who can see
patterns in the outputs of Alice's Salsa20 box. The second attacker
simply builds the same box that Bob did, and hires the first attacker!

---Dan
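The wrapper Dan describes, written out in Python as an added example that is not part of the original message or of the draft under discussion. The Salsa20 round function and the HSalsa20 output positions (words 0, 5, 10, 15, 6, 7, 8, 9 of the 20-round state) follow Bernstein's Salsa20 and XSalsa20 specifications; the key and nonce are constructed sample values. Alice's box is a closure over her key; Bob's wrapper only ever calls it. The same argument carries over to the draft's HChaCha20 built on ChaCha20, with ChaCha's own word positions.

```python
"""
Added example: HSalsa20 as a wrapper around a black-box Salsa20 function.
Round function and word positions per the Salsa20/XSalsa20 specifications;
the sample key and nonce in main() are constructed values.
"""
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")   # constants at words 0, 5, 10, 15

# Positions of the 20-round state that HSalsa20 outputs: the four constants
# and the four nonce words (key words are deliberately *not* among them).
HSALSA20_WORDS = (0, 5, 10, 15, 6, 7, 8, 9)


def rotl32(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK


def quarterround(y0, y1, y2, y3):
    z1 = y1 ^ rotl32((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl32((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl32((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl32((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def _apply(x, idx):
    x[idx[0]], x[idx[1]], x[idx[2]], x[idx[3]] = quarterround(*(x[i] for i in idx))


def salsa20_rounds(words, rounds=20):
    """Salsa20 round function on 16 words; returns the state *before* the
    feed-forward addition. HSalsa20 is defined directly on this state."""
    x = list(words)
    for _ in range(rounds // 2):
        for idx in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)):
            _apply(x, idx)                       # column round
        for idx in ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _apply(x, idx)                       # row round
    return x


def salsa20_input(key, nonce16):
    """16-word input: sigma0, k0..k3, sigma1, n0..n3, sigma2, k4..k7, sigma3."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<4I", nonce16)
    return [SIGMA[0], *k[:4], SIGMA[1], *n, SIGMA[2], *k[4:], SIGMA[3]]


def salsa20_block(key, nonce16):
    """Full Salsa20 expansion: 64 bytes of rounds output plus input words."""
    x = salsa20_input(key, nonce16)
    z = salsa20_rounds(x)
    return struct.pack("<16I", *((zi + xi) & MASK for zi, xi in zip(z, x)))


def make_salsa20_box(key):
    """Alice's box: computes Salsa20 under her key without exposing the key."""
    return lambda nonce16: salsa20_block(key, nonce16)


def hsalsa20_direct(key, nonce16):
    """HSalsa20 as specified: selected words of the 20-round state, no addition."""
    z = salsa20_rounds(salsa20_input(key, nonce16))
    return struct.pack("<8I", *(z[i] for i in HSALSA20_WORDS))


def hsalsa20_from_box(salsa_box, nonce16):
    """Bob's box: pass the same input to Alice's Salsa20 box, extract the chosen
    output words and subtract the corresponding input words. Those positions
    hold only constants and nonce, so the subtraction needs no key material."""
    n = struct.unpack("<4I", nonce16)
    public_inputs = {0: SIGMA[0], 5: SIGMA[1], 10: SIGMA[2], 15: SIGMA[3],
                     6: n[0], 7: n[1], 8: n[2], 9: n[3]}
    out = struct.unpack("<16I", salsa_box(nonce16))
    return struct.pack("<8I", *((out[i] - public_inputs[i]) & MASK
                                for i in HSALSA20_WORDS))


def main():
    key = bytes(range(32))          # constructed sample key
    nonce = bytes(range(16))        # constructed sample 16-byte nonce
    bob = hsalsa20_from_box(make_salsa20_box(key), nonce)
    direct = hsalsa20_direct(key, nonce)
    print("Bob's HSalsa20 :", bob.hex())
    print("Spec HSalsa20  :", direct.hex())
    print("match:", bob == direct)


if __name__ == "__main__":
    main()
```

Because the extracted positions are exactly the constant and nonce slots of the Salsa20 input, Bob's subtraction uses only public values; that is what lets the reduction in the message go through: any distinguisher against Bob's HSalsa20 box is, after this cheap wrapping, a distinguisher against Alice's Salsa20 box.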