Re: [CFRG] XChacha20 counter size
Loup Vaillant-David <loup@loup-vaillant.fr> Sat, 26 December 2020 12:03 UTC
Return-Path: <loup@loup-vaillant.fr>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28B103A102A for <cfrg@ietfa.amsl.com>; Sat, 26 Dec 2020 04:03:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AdAYtInqgvmf for <cfrg@ietfa.amsl.com>; Sat, 26 Dec 2020 04:03:21 -0800 (PST)
Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4350C3A102B for <cfrg@irtf.org>; Sat, 26 Dec 2020 04:03:20 -0800 (PST)
X-Originating-IP: 37.173.247.210
Received: from grey-fade (unknown [37.173.247.210]) (Authenticated sender: loup@loup-vaillant.fr) by relay1-d.mail.gandi.net (Postfix) with ESMTPSA id 31480240002; Sat, 26 Dec 2020 12:03:16 +0000 (UTC)
Message-ID: <245e04ef3f689949b0cf8ac1b5ef40d760334794.camel@loup-vaillant.fr>
From: Loup Vaillant-David <loup@loup-vaillant.fr>
To: Scott Arciszewski <scott@paragonie.com>, Filippo Valsorda <filippo@ml.filippo.io>
Cc: IRTF CFRG <cfrg@irtf.org>
Date: Sat, 26 Dec 2020 13:03:04 +0100
In-Reply-To: <CAKws9z3OnPaYiRTxStwCVQHY=rZoDVP7aXBE+yWPXLkL-cKhVA@mail.gmail.com>
References: <e632e3291ced05b29c55fea0f064258cb3abfc1a.camel@loup-vaillant.fr> <2ad966e9-70f7-4201-884d-6ef0257fe839@www.fastmail.com> <CAKws9z3OnPaYiRTxStwCVQHY=rZoDVP7aXBE+yWPXLkL-cKhVA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tGTYu9CyvoHV51getEJrvj8TJko>
Subject: Re: [CFRG] XChacha20 counter size
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Dec 2020 12:03:23 -0000
> As the author of the XChaCha RFC draft, I view making XChaCha20-
> Poly1305 incompatible with the IETF's ChaCha20-Poly1305 a non-goal.
Understand that my proposal *is* compatible.
On section 2.3.1 of your draft, you specify the following pseudocode:
xchacha20_encrypt(key, nonce, plaintext, blk_ctr = 0):
subkey = hchacha20(key, nonce[0:15])
chacha20_nonce = "\x00\x00\x00\x00" + nonce[16:23]
return chacha20_encrypt(subkey, chacha20_nonce,
plaintext, blk_ctr)
The only difference between that and Libsodium is what happens when the
message exceeds >256GiB. A use case that as far as I understand RFC
8439 does not define. Implementations have 3 realistic choices when
dealing with such undefined behaviour:
1. Wrap the counter back to zero, and trigger an insecure stream reuse.
This is what happens when we naively implement XChacha20 on top of
RFC 8439. This would disclose the authentication key, one of the
worst vulnerability possible.
2. Panic, crash, or report an error. This is typical of misuse aware
libraries. I have no problem with this behaviour. It's a bit
limiting, but at least it's secure.
3. Increment the next word, currently occupied by the nonce. This is
what naturally happens when we derive XChacha20 from DJB's Chacha20.
As much as we may disapprove of gigantic messages, this one at least
does not break all security, and is a nice alternative for libraries
who cannot (or will not) report an error.
I don't want incompatibility with RFC 8439. All I'm asking here is that
we disallow (1), and allow (3).
Loup.
- [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Taylor R Campbell
- Re: [CFRG] XChacha20 counter size Filippo Valsorda
- Re: [CFRG] XChacha20 counter size Scott Arciszewski
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size Loup Vaillant-David
- [CFRG] Security limits of ChachPoly (was: XChacha… Loup Vaillant-David
- Re: [CFRG] Security limits of ChachPoly (was: XCh… Taylor R Campbell
- Re: [CFRG] Security limits of ChachPoly (was: XCh… Loup Vaillant-David
- Re: [CFRG] XChacha20 counter size D. J. Bernstein