Re: [Cfrg] Review of draft-arciszewski-xchacha-02

Scott Arciszewski <scott@paragonie.com> Tue, 18 December 2018 16:28 UTC

Return-Path: <scott@paragonie.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 662E91310DA for <cfrg@ietfa.amsl.com>; Tue, 18 Dec 2018 08:28:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=paragonie-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tK5R8ZlmIF-R for <cfrg@ietfa.amsl.com>; Tue, 18 Dec 2018 08:28:39 -0800 (PST)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1D7D130F4F for <cfrg@ietf.org>; Tue, 18 Dec 2018 08:28:33 -0800 (PST)
Received: by mail-lj1-x22c.google.com with SMTP id k15-v6so14738910ljc.8 for <cfrg@ietf.org>; Tue, 18 Dec 2018 08:28:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paragonie-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=C54LgJvc8j9QWQh55V77iFu64QS8ufNlVnJlhbXt27c=; b=lB4cS3NZPJrYU77Ooi559y8nsL8r7MAP7rJpbiAQpu/G+ekLuKUbVBavUQ4TP8c0Kf +mxdgxsjIG5F9S6oTCyZhHj4KBrh8YDLKH0HGlsFtjvYPIEfisgRdA0avHGGtxyXvABV koP+q9qxU/rQm6rYoCEp3ENTxN1zoazQkwLCamkCD3WLN9YjOPT99gT7dd5nZOrQSBZV umVO50+FUfaejKVwn+Wx0r5hpatDjNEsJ33vHPp6tiIm4agFfW6UQ9w6nagt7w9UCnxt no6gReaD1HWoxXw05AoiLC/wiJYVVL78NMabPZeypi1y2BOhWK0HCdcavC75xQop+EWQ plVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=C54LgJvc8j9QWQh55V77iFu64QS8ufNlVnJlhbXt27c=; b=DZ9gsYu/WhJPn38iFw93V5cu48qDraE3OpTTEz2jQSXWyry4m1NaTIvjfJJzqsSLwe fvTPcig453U/epzkNXXPWlmuHRXz/c4ODP46oO3pLj37vb7+ybLMP7wknXEMP3Bd7w2J Td4Li5j50bU+9k2IMgkgne7VhJfKzU6WQUfeFnorenkc2/Nb7wKj4SzjHLvdRNJsfedZ XVo5wGl6zxsRm7N0yQeHvEeQranFjX+RsGbEEElIfCvi3q3f+CuoGHS3te1/jUHkE6Md HijHCBbb8FVbw9DxNlzzkk5JKPIcQkR3ymTMo0fd6aKbZXH0EwZeMK2VYykRyGJAWcOh kyZg==
X-Gm-Message-State: AA+aEWbFp0lH+4Nxex2E6PIvuKN1yQSbvYaStFJ7lsPrKZVT/BnxzMM/ 50RP4cii074YRTMGRh0Dg0/HHJtaIBlzUtQiaLtpHg==
X-Google-Smtp-Source: AFSGD/WiyoZhG1RBszWgjDTqZ152K9bwtvRWW0rSOLzE9QAehMzjhCkbYEUY0ZTl1iS2B8KgBYftwSG9UnjTvyCvT3c=
X-Received: by 2002:a2e:9e95:: with SMTP id f21-v6mr10539589ljk.128.1545150511983; Tue, 18 Dec 2018 08:28:31 -0800 (PST)
MIME-Version: 1.0
References: <99CCB4A1-9CC1-4611-95C5-CEEA985024F8@gmail.com>
In-Reply-To: <99CCB4A1-9CC1-4611-95C5-CEEA985024F8@gmail.com>
From: Scott Arciszewski <scott@paragonie.com>
Date: Tue, 18 Dec 2018 11:28:18 -0500
Message-ID: <CAKws9z3oNLL7V+ZTdkLKEmfpb+su7kpsgOC+2x-VR2u4pdNT8g@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Cc: cfrg@ietf.org
Content-Type: multipart/alternative; boundary="000000000000644071057d4e63e1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vbvXDY6SRqWU8GNJTwb8eiEuBmc>
Subject: Re: [Cfrg] Review of draft-arciszewski-xchacha-02
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 16:28:43 -0000

Thanks for the review and feedback, Neil.

I've made some other changes on Github and was going to get draft03 ready
today. I'll incorporate your suggestions as well.

Aside: Based on the responses to the "Adoption call for
draft-arciszewski-xchacha" thread
<https://www.ietf.org/mail-archive/web/cfrg/current/msg09854.html>, I
believe this will also be the last draft before CFRG adoption (which
presumably will change the filename in future editions).
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>


On Tue, Dec 18, 2018 at 7:15 AM Neil Madden <neil.e.madden@gmail.com> wrote:

> I’ve had a good look through draft-arciszewski-xchacha-02 from an
> implementor’s perspective. I think it’s a good draft that describes the
> algorithms well. I have some comments on a few parts of the text below:
>
> Section 1, Introduction:
>
> The text currently says:
>
> "However, a more straightforward strategy can prevent nonce misuse
>    conditions in environments where a large number of messages are
>    encrypted.”
>
> We should be careful with the word “prevent” here. Nonce reuse can still
> happen with large random nonces, even if it is less likely - e.g., with a
> broken or compromised PRNG. See for example failures in the Android
> SecureRandom implementation that led to compromise of a Bitcoin transaction
> due to nonce reuse in an ECDSA signature [1]. In this case the random nonce
> would have been 256 bits I believe, so even larger than that for XChaCha.
>
> I think “more straightforward” is also potentially subject to debate (if
> you ignore the S2V parts, SIV is pretty simple). Perhaps wording along the
> following lines:
>
> “However, misuse resistant cipher constructions come at a cost in
> performance as they must necessarily make two passes over the
> message to be encrypted. An alternative strategy can significantly
> reduce the chance of accidental nonce reuse in environments
> where a large number of messages are encrypted. [Simply use …]”
>
> Ironically, the main reason that I am interested in XChaCha20 is precisely
> because the larger nonce makes it more suitable for use in an SIV
> construction, as per my recent draft.
>
> Section 2.1 Motivation for XChaCha20-Poly1305:
>
> It might be worth clarifying that a 96-bit nonce is too short to generate
> randomly where you need to encrypt lots of messages with the same key (more
> than a few million). If you are doing DH with forward secrecy and
> generating fresh keys for each message anyway, then a 96-bit random nonce
> is fine.
>
> The text: "A more
>    conservative threshold (2^-32 chance of collision) still allows for
>    2^64 messages to be sent under a single key.”
>
> This should say “still allows for 2^80 messages to be sent under a single
> key.”
>
> 2.2 HChaCha20
>
> This could do with a reference to RFC 7539 section 2.3. It could be a bit
> clearer that the ChaCha20 block counter is replaced with the first 32 bits
> of the nonce (in little-endian) and the remaining 96 bits are used as per
> usual in ChaCha20.
>
> I have verified the supplied test vector with an independent
> implementation of HChaCha20 that I wrote, and it matches.
>
> 2.3.1 XChaCha20 Pseudocode:
>
> The code doesn’t include the 4 NUL bytes in the nonce it passes to
> ChaCha20.
>
> Test vectors:
>
> I have verified that the test vectors in A.1 and A.2 and produce the same
> results as documented.
>
> [1]
> https://www.symantec.com/connect/blogs/android-cryptographic-issue-may-affect-hundreds-thousands-apps
>
> Kind regards,
>
> Neil
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>