[CFRG] Re: Update RFC 8439 on ChaCha20 and Poly1305 to remove clamping?
John Mattsson <john.mattsson@ericsson.com> Sun, 22 December 2024 10:33 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12C3EC14F6AB for <cfrg@ietfa.amsl.com>; Sun, 22 Dec 2024 02:33:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.254
X-Spam-Level:
X-Spam-Status: No, score=-2.254 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hyig0R85A06x for <cfrg@ietfa.amsl.com>; Sun, 22 Dec 2024 02:33:08 -0800 (PST)
Received: from EUR03-DBA-obe.outbound.protection.outlook.com (mail-dbaeur03on2061e.outbound.protection.outlook.com [IPv6:2a01:111:f403:260d::61e]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51B84C14F682 for <cfrg@irtf.org>; Sun, 22 Dec 2024 02:33:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=DE1olKgbwoKrVYEWbiLATEQ4vsCFxssHMhZworLCzU2UhWHRtbjSCehIeC468v42MXzEg6oPRf4i7ZGQXMvrLJQca0Fwsz0DmYC07r3cWJZpgujYyl9SE8qmsYJr6+Ens1onwY0HfoANg7NGpCWnJSNWc9jYrpVVvKX6Z7rvLxyVNKFA7hq78dP3+aQFpgNA9o5E8XUZ/ENa1KLbVdnorq0dMx5vgABEF+FPVkeVvq3VGVJjnWYiQoljqvLMIe/FbMmNfhF4QeobvOfylS1kAMnTIB3wuMG3twFge76Eng5ZZ76eMiWVNRSlOpidg8uGfqMVoW6l7SytbRTzpYrPXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=eg/MoCCr/1XJ+9HMigJifMlTIu1qW46LdM4NtPUkLiA=; b=DyyS/5uZ4yfN4oeFqiDpXxut4p7D6aTyoHHMGAbJSBONjnS8emBFvxgSFxgGKaGpZ9JI8PUm1mk917bRn6XpQJeBDI6bdcnxM1xuQ+hJt3ZGBSQuSVYCGh4c6A5VSIP9yURmtWe3ZPH8EcR1lWkRyuuBAD2e8xdGMC5q/KuqKSw+GWyWZTi+dB4tN6K5BesMeFEN1xp/X90Z1QV0O0lKelNRtM/0xc1QPxoSp7MyuEEymd70ba/DJ6DCBJvQMukeaK4r195xN533VqeSj245XZ4T1e53PaGWNNksP9ugSww4mFJnO5FrJonHioC4yV/xtvbyWJFBbM3qgwV2CdjDMw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eg/MoCCr/1XJ+9HMigJifMlTIu1qW46LdM4NtPUkLiA=; b=nUWba3fLoJdWgf9SDnQ2mp8kpcETUVn4SWudEB7424M4rzw82vFhpHXGLeMoPw1TjAB725xsyNA8UoQRQTmqhEbR/MOLGuh/Q+37H2Ru8Xw8uPfgJsWe6zLMMn7JjSruFXoX022f0ukhZKAZ6orIdm3aB+lWIp4h/DESjKAEbpKfG2tNm6BFYdZ9HsbBs6LB/uijAwk15uhB8mgvC9/Bj3VUVLIVllzWRbK90iQMBmeudUq8+pOePPkWdDNyBzXc4h5ztIUiROnxjJYtdziamTzs/68fXwnj7TsjMcC+q/Jsu7JRdgQvdqU1uWQRYh6k9N+UUxNYkgzpAk+TKUZwTg==
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by PR3PR07MB6571.eurprd07.prod.outlook.com (2603:10a6:102:6e::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8272.19; Sun, 22 Dec 2024 10:33:00 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::bcf3:3f45:888e:a4b8]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::bcf3:3f45:888e:a4b8%5]) with mapi id 15.20.8272.013; Sun, 22 Dec 2024 10:33:00 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Chris Barber <cbarbernash@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] Re: Update RFC 8439 on ChaCha20 and Poly1305 to remove clamping?
Thread-Index: AQHbU4srMjc1LT5qu0+UxmlQtHUbVrLwiEaAgAGBDXeAAAaV4g==
Date: Sun, 22 Dec 2024 10:33:00 +0000
Message-ID: <GVXPR07MB96786060ABD1285514F9F6D889012@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <GVXPR07MB96780CE33CB851507B949DAC89002@GVXPR07MB9678.eurprd07.prod.outlook.com> <CAFzKZmwoXg0cypGqBw1-vJuvQkZTt=R0scta5-MGr7P=ea+GJA@mail.gmail.com> <GVXPR07MB967829F8A8B2797FF1C5B61C89012@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB967829F8A8B2797FF1C5B61C89012@GVXPR07MB9678.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-reactions: allow
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|PR3PR07MB6571:EE_
x-ms-office365-filtering-correlation-id: a52953c6-67fa-4b76-b0e5-08dd2274020e
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|4022899009|1800799024|376014|366016|8096899003|7053199007|38070700018;
x-microsoft-antispam-message-info: 9XVWPaJyN0g3bcyzSR80Uv3+13QVu2R8nOhX87Dq4zZpqqVrpz0XBSocxcytRZ1KWv4211A6rGiW1lNFG7U0tOME1yjrqgPCmnxX+EpNBbGfoDAvbP+KlEdLSKqH1bfHr5JZEZtarRpiNOqviVcG2bTUyh0mSHPeBIRjYOJdRroZhE8X3qPzOSqd2zi3fdwsB0fWBtj/aUGSXec8I9hcx3gaFpaqfd7DWYau8Y3WF+dRAP3e/wbH4ZeXOf1622Fy/6qzIxcFDUMT+lga7/DvKWawuZI1TpVr5BlbLBx9evn2AIutvz7+7X10akdt59I/INtQO/BICrF897Es/cHSCHn6qNsviWp7BAXGUKAnJ2lBF99B5ig90OfYor6JdIqNO0qVvNwzBBLBPccCBcGlJjFO9w3eVMYvO7ZC7yz+2MQwcgKQwQLmHbuS4LseTt4Nn997sKqrA5jQN0Se2eqF2LnqQmwl101DTRtyfjt80eP1OiIdMzmPn/VdHi8q0AXrW3/KP4gslJYqook8s9uPCh2VcaiQLkn18qDOBF+mLqd0czUdv7psgBZjn+Ui4iM7aWgT25vIP015y/UJBzs7gAp9H4br3njxOfFkhWtYcG5bcMcsF2aQwCxVq4jEDUNB7jmfVzFdv6rzUNTVhAwY0kE+vF2Of83S35dabu6qLLDXXa+SQANc9KB2cT8U/C283TZZX8GmDPNBuGTK+R+lVVU1d2IEXvKTtlJk169DMHeWrV4jC0jDOnfx2P3kVzI40mAiB7wuc8FIp0EiQ11kdoyppoxHmVrBMfWsoaNxTNlmcZ/xL9GBb1To+DKnZNR0DZNGw66icttW3JAdEUzsGZ0pkysfN7TpjNbGvMbRQWyvgeEpnqYMWdcjL9GFg5R2pgbepmqm0byPca3GOMzY0UVWUoX+SynU8NghTJFCxvm+TDWrebQl1JwhNiP4N4YT24VOnb8sjgP+kKDj2h4k4PbtkwHA4VGpLY5H1N3uWu/+BjKWXrXXjTWNrtnYU+Tbbemfyt5BEvVSoFoAHmtvlWVjT8M0c3Ur6A2cDtmtoR5MSHF7gBQuzDpQXHWGcKlO/MkuhcW77HWVxW5HfFp1INJtzOI3xedU+OaPNHOdMDoTr5yc+ebo8RAOmvc/xYkheoLbplXyL6W5SMM1Df8ukVmB7YNl16YI4QcaoVaK6/ZhuYXfVImuceDjauFdeKGw3zrxIlvZfMlk4c1ymonHna4YgDL5DjmFln4X0dzkgdbEJU/RBblvrm6CRCm2fBbJLVfbfhUdp88HLXFLhSQm2ZEHViK2B7C07qXTF/xf1RcFiAd28SHakkqQzeVAoWbm7L/p6XkuLnN7O5wPypGePobB0maDASPr6nk+7egeRUsNKF2Uvtk/KuB5T4Oq+RM8
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GVXPR07MB9678.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(4022899009)(1800799024)(376014)(366016)(8096899003)(7053199007)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: kL+HHb8ykuAtLO2JyAIbjkUfLPkMrHbQ+XkhkUkhTZM9VV3sbWbAVjyZ1kyFYs9nByaVBTaN+Qn2vC/LYEeMPh6nkoDZcdtn9rYJPKQOeGvxY7cjBveGWhF4Bf3f7nVRcxAG22cF1DBTulCa6usRykxbVWqwU99n69KmkgDp3rw3Pb43u02E36kVoBJwXscRJfG9gTUH+VUScqAJ+EgYw3x4L75KoTyHEuFSyG6da0O1OfXVgKkI5Fjd+1FIwBdf8P58nl44Uiw712qr2UWspHR81FBsvm6kPhS9WbO9KG9P5P1UmmEPG2X1Ixl6UBJuYAd/JkahIALtzHtZYt9oKP90dRJhpcpvicCxFidi++FYw+EmYFRdM9ehTqmcwnqfpJlrRL7SxUUGck/ZSnvJbC1hHT0RS5/todzH3ayd91VaQ+gd+1fBQwZmRueD5dUJIaTS9URiH2jHWdkZ7NifHFGkynF3ZOKrsr4mwCB4W2hQSGZ7O5821VBiyo5x+UzFrBEUlw1E8oNFdhznyz96IqQKMt8mfd4hA8uJl4/Yy7DYDnRmyBIxgYm59gDE6i1YMZHwBy+Y1mxHjWAluh1+J4SII1BsInTLk1T5NiKyX6AFFI2LUY4FhPy/lucgOCl7mIpZ0PVdiQqJlc+d96Fus5zp+J28ydOLBBVLRfUpnplUDXB7raXNO3eFPIU2GnwYzhlMOD366XqTUw4Y05E9jFu8itiqeEL+ekKFaFWFKS7yIjBQU/e4Ys2SXZvifDVp9jmDnyK36WEPSgNZmey1P6NL1OTfd00HfHXvKJajtHvm+CdVRV1OqSQj65ctMQOU6wQsdc0PyQ1zfq66WZ+hnHiBCbjEXsnXSomOzbCd4IguGiI/fm1bWnCr2euctU4PqIwRW0A7fAVfUPcdTx181OEAcPRt5tYzp/5tfULHwkF4K+9WcHfZWsnnrA1PZgTWl8KsnY7Ze7LOmhDrncszF8ioKATs4309mPUlcpa00r/l2+KF4PjmJppzU0EWF/4aY/tRr46JrsFUttHjTRBQqXeNQSSNazn1OnCMu2vt8T2Smp3KazqJPabWSYL85NdFWgO2v16waRsyXFtLzS90mo5/5z+EI5VzJuPA8rm1NPFIgKs0CJwvgExrKSWbyZUuIwbpY30mTPEc8UD86mdw1kOSilCabRaRnbFmgz+0xmhBsixy3QqB74kYnox4Pvd14p96YNVwg8J3oOen3sGsf4biapHtQA0+TVi+DkgqAlF7aH/7dCNLGuiSa0ARpwk1HGskkyncGICTFBPMH07anSJnLxuZK5nRJkSOZGXuggEgMhThlBw59riNDursIHvy+AOfoNRIJTrvq7a7mKCDU0UKEv/S2zKz7+BDzLkNJqwbqw7dk7SsLr2E+CvPIzEJ6WlWv7CDkBmqBWF6BuFCJ1JrvHMq5VfaMvETfLlnf0zSS8jSy3cPtMNedIBGR8Nd5vSFwnhJSoO0c21A3I8Apa9xvNa200btzsDLAlSdzer7KO5vwUE6e7Wf1TMu5hSenQoGR4lcsZ4hdUyempErYTlMq9tJlZCNBt34jWQGY4cz4GH2U3h/bALP5em6JYTMZUwEVBg2b0rHE6wCf/oShaOcgXxmiLIkTd38ZZomFaI=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB96786060ABD1285514F9F6D889012GVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a52953c6-67fa-4b76-b0e5-08dd2274020e
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Dec 2024 10:33:00.2113 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: buU6sDaS8J8YeYKaCZF0qJ4AQOALcs1QFwSY5QPhZhUAIXaMcebPouNSla3sJkUS3VIbW7xLCMQIkSaNuH7NVBLXJ0IvQoaqk6AAHByCrw8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3PR07MB6571
Message-ID-Hash: OQRJZP7MZC6AUT5PULDS6MY6UIADSIHX
X-Message-ID-Hash: OQRJZP7MZC6AUT5PULDS6MY6UIADSIHX
X-MailFrom: john.mattsson@ericsson.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [CFRG] Re: Update RFC 8439 on ChaCha20 and Poly1305 to remove clamping?
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/uTqtQ7u5WWKNv7vBQCBHC178_AQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>
>The table only includes the maximum tag length in bytes that behaves like an ideal MAC in unicast QUIC. That was not completely true, GCM_SST_12 was included as an example of truncation and POLY1743-SST has quite a bit of security margin. An 18-byte POLY1743-SST_18 would behave like an ideal MAC in unicast QUIC (POLY1743-SST_16 would also behave as an ideal MAC in TLS with 2^32 bytes records). https://www.ietf.org/archive/id/draft-ietf-tls-super-jumbo-record-limit-00.html John From: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> Date: Sunday, 22 December 2024 at 11:08 To: Chris Barber <cbarbernash@gmail.com>, cfrg@irtf.org <cfrg@irtf.org> Subject: [CFRG] Re: Update RFC 8439 on ChaCha20 and Poly1305 to remove clamping? Hi Chris, That is a good idea. Using the security level numbers in [1] POLY1743 161 POLY1503 137 GHASH/POLYVAL 128 POLY1305-NC 125 POLY1164 107 POLY1305 103 Where NC is No Clamping, and using the ideas of Nyberg, Gilbert, and Robshaw [2], that are used in GCM-SST [3] and all other universal hash functions in mobile networks, my understanding is that you can get algorithms that work like ideal MACs in security protocols with replay protection as long as tag_length < security_level - log2(ℓ). Expanding Table 3 in [3], which is comparing security in unicast QUIC (ℓ ≈ 2^12). +====================+=========+==============+=============+=================+ | Name | Tag | Forgery | Forgery | Expected number | | | length | probability | probability | of forgeries | | | (bytes) | before | after first | | | | | first | forgery | | | | | forgery | | | +====================+=========+==============+=============+=================+ | POLY1743-SST_16 | 16 | 1 / 2^128 | 1 / 2^128 | v / 2^128 | +--------------------+---------+--------------+-------------+-----------------+ | POLY1503-SST_15 | 15 | 1 / 2^120 | 1 / 2^120 | v / 2^120 | +--------------------+---------+--------------+-------------+-----------------+ | GCM_SST_14 | 14 | 1 / 2^112 | 1 / 2^112 | v / 2^112 | +--------------------+---------+--------------+-------------+-----------------+ | POLY1305-NC-SST_13 | 13 | 1 / 2^104 | 1 / 2^104 | v / 2^104 | +--------------------+---------+--------------+-------------+-----------------+ | GCM_SST_12 | 12 | 1 / 2^96 | 1 / 2^96 | v / 2^96 | +--------------------+---------+--------------+-------------+-----------------+ | POLY1164-SST_11 | 11 | 1 / 2^88 | 1 / 2^88 | v / 2^88 | +====================+=========+==============+=============+=================+ | POLY1305 | 16 | 1 / 2^91 | 1 / 2^91 | v / 2^91 | +--------------------+---------+--------------+-------------+-----------------+ | GCM | 16 | 1 / 2^116 | 1 | δ ⋅ v^2 / 2^117 | +--------------------+---------+--------------+-------------+-----------------+ The table only includes the maximum tag length in bytes that behaves like an ideal MAC in unicast QUIC. The SST variant can be truncated to any lenght and still behave like ideal MACs. I think it is important to strive for MACs that behaves like ideal MACs. Users and implementors of cryptography expect algorithms to behave like ideal MACs. Universal hash functions can be designed to behave like ideal MACs in unicast security protocols with replay protection. Using 12 byte tags with better security than the current 16 byte tags would also be a significant performance improvement. Cheers, John [1] https://csrc.nist.gov/csrc/media/Presentations/2024/universal-hash-designs-for-an-accordion-mode/images-media/sess-7-degabriele-acm-workshop-2024.pdf [2] https://csrc.nist.gov/CSRC/media/Projects/Block-Cipher-Techniques/documents/BCM/Comments/general-comments/papers/Nyberg_Gilbert_and_Robshaw.pdf [3] https://www.ietf.org/archive/id/draft-mattsson-cfrg-aes-gcm-sst-13.html From: Chris Barber <cbarbernash@gmail.com> Date: Saturday, 21 December 2024 at 12:02 To: cfrg@irtf.org <cfrg@irtf.org> Subject: [CFRG] Re: Update RFC 8439 on ChaCha20 and Poly1305 to remove clamping? Since the resulting construction would be incompatible with ChaCha20-Poly1305, it provides an opportunity to use Poly1503 and Poly1163 instead of simply removing the clamping step. It would also avoid collisions in algorithm names. On Sat, Dec 21, 2024 at 10:54 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org<mailto:40ericsson.com@dmarc.ietf.org>> wrote: At the NIST Accordion workshop 2024 [1], Degabriele, Gilcher, Govinden, and Paterson had a presentation on Poly1305 [2]: “It is known to outperform GCM on CPUs which do not support AES and Carry-Less-Multiplication instructions” "To enable FPU implementations, 22 bits in the key are ‘clamped’ to zero, resulting in a loss of 22 bits of security (without a performance benefit)." "However, all modern implementations employ integer arithmetic instead" While ChaCha20 provides much better confidentiality than e.g., AES-256-CTR, which is vulnerable to distinguishing attack with a complexity of approximately 2^129 / q, where q is the number of invocations of the AES-256 encryption function, Poly1305 is not as strong as one would expect. Based on that all modern implementations employ integer arithmetic instead, I think CFRG should update RFC 8439 and register a version of ChaCha20-Poly1305 without clamping. In addition, I think the update should use the ideas in GCM-SST [3], which improves the integrity advantage from vl / 2^t to (vl / 2^128 + v / 2^t) [4]. The easiest way to improve security is to make smaller improvements to already deployed algorithms. But note that even with clamping ChaCha20-Poly1305 provides better integrity that AES-GCM in e.g., unicast QUIC. While ChaCha20-Poly1305 always behaves like an ideal MAC of length 91 bits, AES-GCM can be as weak as an ideal MAC of length 64.4 bits. BSI states that an ideal MAC with a 96-bit tag length is considered acceptable for most applications [5]. Cheers, John [1] https://csrc.nist.gov/events/2024/accordion-cipher-mode-workshop-2024 [2] https://csrc.nist.gov/csrc/media/Presentations/2024/universal-hash-designs-for-an-accordion-mode/images-media/sess-7-degabriele-acm-workshop-2024.pdf [3] https://www.ietf.org/archive/id/draft-mattsson-cfrg-aes-gcm-sst-13.html [4] https://eprint.iacr.org/2024/1928.pdf [5] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.html On 2018-06-19, 08:12, "rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>" <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>> wrote: A new Request for Comments is now available in online RFC libraries. RFC 8439 Title: ChaCha20 and Poly1305 for IETF Protocols Author: Y. Nir, A. Langley Status: Informational Stream: IRTF Date: June 2018 Mailbox: ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>, agl@google.com<mailto:agl@google.com> Pages: 46 Characters: 88847 Obsoletes: RFC 7539 I-D Tag: draft-nir-cfrg-rfc7539bis-04.txt URL: https://www.rfc-editor.org/info/rfc8439 DOI: 10.17487/RFC8439 This document defines the ChaCha20 stream cipher as well as the use of the Poly1305 authenticator, both as stand-alone algorithms and as a "combined mode", or Authenticated Encryption with Associated Data (AEAD) algorithm. RFC 7539, the predecessor of this document, was meant to serve as a stable reference and an implementation guide. It was a product of the Crypto Forum Research Group (CFRG). This document merges the errata filed against RFC 7539 and adds a little text to the Security Considerations section. This document is a product of the Crypto Forum Research Group of the IRTF. INFORMATIONAL: This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. This announcement is sent to the IETF-Announce, rfc-dist and IRTF-Announce lists.To subscribe or unsubscribe, see https://www.ietf.org/mailman/listinfo/ietf-announce https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist https://www.irtf.org/mailman/listinfo/irtf-announce For searching the RFC series, see https://www.rfc-editor.org/search For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution. The RFC Editor Team Association Management Solutions, LLC _______________________________________________ CFRG mailing list -- cfrg@irtf.org<mailto:cfrg@irtf.org> To unsubscribe send an email to cfrg-leave@irtf.org<mailto:cfrg-leave@irtf.org>
- [CFRG] Re: Update RFC 8439 on ChaCha20 and Poly13… John Mattsson
- [CFRG] Re: Update RFC 8439 on ChaCha20 and Poly13… John Mattsson
- [CFRG] Update RFC 8439 on ChaCha20 and Poly1305 t… John Mattsson
- [CFRG] Re: Update RFC 8439 on ChaCha20 and Poly13… Chris Barber
- [CFRG] Re: Update RFC 8439 on ChaCha20 and Poly13… John Mattsson
- [CFRG] Re: Update RFC 8439 on ChaCha20 and Poly13… Paterson Kenneth