Re: [Cfrg] Fwd: Mail regarding draft-irtf-cfrg-chacha20-poly1305

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Fri, 17 October 2014 16:34 UTC

Date: Fri, 17 Oct 2014 19:34:35 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Yoav Nir <ynir.ietf@gmail.com>
Message-ID: <20141017163435.GA23230@LK-Perkele-VII>
References: <CE03DB3D7B45C245BCA0D2432779493605DE69@MX104CL02.corp.emc.com> <F9CF9D3B-799B-452E-8177-FB03BB611E7E@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/wnvRFbSlzZv4kfA43d5CG5XPVuc
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Fwd: Mail regarding draft-irtf-cfrg-chacha20-poly1305

On Fri, Oct 17, 2014 at 07:25:43PM +0300, Yoav Nir wrote:
> Message from David Black:
> 
> > This nonce reuse warning in Section 4 somewhat on the light side:
> > 
> >   Consequences of repeating a nonce: If a nonce is repeated, then both
> >   the one-time Poly1305 key and the key-stream are identical between
> >   the messages.  This reveals the XOR of the plaintexts, because the
> >   XOR of the plaintexts is equal to the XOR of the ciphertexts.

This is missing the fact that the attacker can also generate forgeries for
the (key, nonce) that was repeated.

That can actually matter if the attacker can also blackhole messages, or if
the recipient does not do nonce-based replay detection.

> > Here's some blunter text that could be used as a model - this was driven
> > into RFC 7146 by the secdir reviewer (it applies to all stream ciphers
> > and all modes that behave like stream ciphers):
> > 
> >   Of particular interest are the security considerations concerning the
> >   use of AES GCM [RFC4106] and AES GMAC [RFC4543]; both modes are
> >   vulnerable to catastrophic forgery attacks if a nonce is ever
> >   repeated with a given key.

Because the AES-GCM equivalent of Poly1305's r depends only on the key, any
nonce repeat will compromise the authenticity for the whole key in a
catastrophic way.

Whereas ChaCha20-Poly1305 has r depend on both the key and the nonce, somewhat
limiting the impact (but it is still bad).


-Ilari