Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-poly1305-00.txt
Yoav Nir <ynir@checkpoint.com> Tue, 28 January 2014 15:43 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 366901A0431 for <cfrg@ietfa.amsl.com>; Tue, 28 Jan 2014 07:43:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.436
X-Spam-Level:
X-Spam-Status: No, score=-7.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8c9wl_x5ypfm for <cfrg@ietfa.amsl.com>; Tue, 28 Jan 2014 07:43:25 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 30B151A03B6 for <cfrg@irtf.org>; Tue, 28 Jan 2014 07:43:24 -0800 (PST)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id s0SFhJgn000525; Tue, 28 Jan 2014 17:43:19 +0200
X-CheckPoint: {52E7C9AC-0-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.110]) by IL-EX10.ad.checkpoint.com ([169.254.2.228]) with mapi id 14.03.0123.003; Tue, 28 Jan 2014 17:43:19 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Robert Ransom <rransom.8774@gmail.com>
Thread-Topic: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-poly1305-00.txt
Thread-Index: AQHPHD+q6gubwME4SEaYUAZKbPoOXw==
Date: Tue, 28 Jan 2014 15:43:17 +0000
Message-ID: <FD2AD081-9F70-4ECB-BCDC-33D8204A734F@checkpoint.com>
References: <20140127114546.8921.73181.idtracker@ietfa.amsl.com> <2DD6FE86-A5C6-4144-8778-2DFFCA8AD5F8@checkpoint.com> <CABqy+spVbfA2aGKaEftKrokbdXPZjQB9RDjT2b371H_bPB+NWQ@mail.gmail.com> <07384966-B154-4CF8-9503-3A3ADA6276BE@checkpoint.com> <CABqy+sp9WthLP0WcqwJN-sUrH2Q9U0vxb=q8Opf0WHJf06i11Q@mail.gmail.com>
In-Reply-To: <CABqy+sp9WthLP0WcqwJN-sUrH2Q9U0vxb=q8Opf0WHJf06i11Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.176]
x-kse-antivirus-interceptor-info: protection disabled
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <3E47339DDB327D48B69A48A9A6886835@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-poly1305-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2014 15:43:27 -0000
On Jan 28, 2014, at 4:55 PM, Robert Ransom <rransom.8774@gmail.com> wrote: > On 1/28/14, Yoav Nir <ynir@checkpoint.com> wrote: >> >> On Jan 28, 2014, at 2:21 AM, Robert Ransom <rransom.8774@gmail.com> >> wrote: > >>> Section 4 (‘Security Considerations’) discusses the risk that the >>> Poly1305 key derived from a ChaCha (key, nonce) pair will collide. >>> This is not a risk at all. Poly1305 keys are supposed to be chosen >>> uniformly at random, and most of the effort of proving Poly1305-AES >>> secure was in bounding the security loss caused by the fact that AES >>> could not produce the same value of s for two different nonces. >> >> AES cannot, and if we took the entire 512-bits from ChaCha, they would not >> repeat either. But with taking only half the bytes, they will repeat much >> sooner. That is why you shouldn't use the first 64 bits of an AES-encrypted >> counter as an IV for 3DES. You'll likely get a collision after 2^32 >> messages, and you'll get an unacceptably high chance of collision much >> sooner. >> >> With taking 128 bits for s out of 512, the odds are much better, so they're >> acceptable. That is what the section says. > > You missed the point entirely. The attacker does not benefit from the > repeated use of a Poly1305 key unless he/she/it knows that the key > will be repeated. Poly1305's security relies on the assumption that > the attacker has no information at all about its keys. Right. Thanks. I missed that only non-predictability was required (rather than non-repeatability). OK. Will fix. Yoav
- [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha20-p… Yoav Nir
- Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha… Ilari Liusvaara
- Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha… Robert Ransom
- Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha… Yoav Nir
- Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha… Yoav Nir
- Re: [Cfrg] Fwd: I-D Action: draft-nir-cfrg-chacha… Robert Ransom
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Yoav Nir
- [Cfrg] I-D Action: draft-nir-cfrg-chacha20-poly13… Yoav Nir
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Stefan Bühler
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Igoe, Kevin M.
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Stefan Bühler
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Ted Krovetz
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Yoav Nir
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Ted Krovetz
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Mike Hamburg
- Re: [Cfrg] I-D Action: draft-nir-cfrg-chacha20-po… Alyssa Rowan