Re: [Cfrg] ChaCha20 and Poly1305 for IPsec

CodesInChaos <codesinchaos@gmail.com> Tue, 07 January 2014 14:02 UTC

From: CodesInChaos <codesinchaos@gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] ChaCha20 and Poly1305 for IPsec

> However, DJB did use XSalsa20 instead of XChaCha20 (a hypothetical longer nonce variant) in NaCl

ChaCha was published in January 2008, and NaCl was published in March
2009. So I'd guess Salsa20 was chosen over ChaCha because it had seen
more analysis in the eSTREAM contest whereas ChaCha was pretty new at
the time.

I think that's less of a concern now; most attacks were applied
against both Salsa20 and ChaCha, with ChaCha resisting them slightly
better.

The biggest difference in analysis I'm aware of is that there is a
proof of security against differential cryptanalysis for Salsa20, but
not for ChaCha. This proof relies on the alternation of xor and
addition in Salsa20; it doesn't seem trivial to port it to ChaCha.
http://eprint.iacr.org/2013/328
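
For reference, the two quarter-rounds whose add/xor structure the message compares, as an added example that is not part of the original message or of the cited paper. The Salsa20 form follows the Salsa20 specification and the ChaCha form follows RFC 7539; `diff_weight` is a hypothetical helper that counts the output bits changed by a one-bit input difference through a single quarter-round, and it is not the proof technique.

```c
#include <stdint.h>
#include <stdio.h>

uint32_t rotl32(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Salsa20: every step is word ^= rotl(sum of two other words), so
   additions and xors strictly alternate; each word is updated once. */
void salsa20_quarterround(uint32_t y[4]) {
    y[1] ^= rotl32(y[0] + y[3], 7);
    y[2] ^= rotl32(y[1] + y[0], 9);
    y[3] ^= rotl32(y[2] + y[1], 13);
    y[0] ^= rotl32(y[3] + y[2], 18);
}

/* ChaCha: add into one word, xor that word into another, rotate the
   xored word; each word is updated twice per quarter-round. */
void chacha_quarterround(uint32_t s[4]) {
    s[0] += s[1]; s[3] ^= s[0]; s[3] = rotl32(s[3], 16);
    s[2] += s[3]; s[1] ^= s[2]; s[1] = rotl32(s[1], 12);
    s[0] += s[1]; s[3] ^= s[0]; s[3] = rotl32(s[3], 8);
    s[2] += s[3]; s[1] ^= s[2]; s[1] = rotl32(s[1], 7);
}

/* Hypothetical helper: Hamming weight of the output xor-difference when
   one input bit (word, bit) is flipped in the constructed state `in`. */
int diff_weight(void (*qr)(uint32_t[4]), const uint32_t in[4],
                int word, int bit) {
    uint32_t x[4], y[4];
    int i, w = 0;
    for (i = 0; i < 4; i++) x[i] = y[i] = in[i];
    y[word] ^= (uint32_t)1 << bit;
    qr(x);
    qr(y);
    for (i = 0; i < 4; i++) {
        uint32_t d = x[i] ^ y[i];
        while (d) { d &= d - 1; w++; }   /* clear lowest set bit */
    }
    return w;
}

int main(void) {
    const uint32_t zero[4] = {0, 0, 0, 0};   /* constructed sample state */
    printf("Salsa20: %d bits differ\n",
           diff_weight(salsa20_quarterround, zero, 0, 0));
    printf("ChaCha:  %d bits differ\n",
           diff_weight(chacha_quarterround, zero, 0, 0));
    return 0;
}
```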