Re: [Cfrg] RGLC on draft-irtf-cfrg-chacha20-poly1305-01.txt

Yoav Nir <ynir.ietf@gmail.com> Mon, 13 October 2014 13:32 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Mon, 13 Oct 2014 16:32:25 +0300
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-chacha20-poly1305-01.txt
Message-Id: <9D2FBF7A-A31F-4C6D-A0D3-066CAD48152A@gmail.com>
In-Reply-To: <8F77D0C2-1C1F-4302-8757-5284BA1236A0@gmail.com>
References: <542D48CD.9060404@isode.com> <55183415-AD02-4BAB-86F4-73C53C5FA616@gmail.com> <20141013122419.GA28433@LK-Perkele-VII> <8F77D0C2-1C1F-4302-8757-5284BA1236A0@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/yYvIuBWtC1dtRGouva3fp91IjPU
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Oct 13, 2014, at 3:41 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:

> 
> 
>> - RFC5116 recommends specifying just how badly things blow up
>>  if nonce is reused (AFAIK, XOR of plaintexts is revealed and
>>  arbitrary messages with that nonce may be forged).
> 
> Same authentication key and same keystream, so at least the XOR of the plaintexts is revealed and the same one-time Poly1305 is used. So if you know the plaintext and can choose the nonce, you will be able to encrypt another arbitrary message, but you will still fail tag calculation. I’ll add something to the security considerations.
> 
>> Also, writing IANA consideration to register this
>> (AEAD_CHACHA20_POLY1305?) could be useful (as already suggested by
>> someone). Apparently the registry is called "AEAD algorithms" (at
>> least it is that way on IANA site, even if I can't find that in
>> RFC 5116). 
> 
> Will do.
> 

OK. Done and done.

Thanks

Yoav