Re: [Cfrg] [RFC] [DRAFT] eXtended-nonce ChaCha and AEAD_XChaCha20-Poly1305 (updated)

"David McGrew (mcgrew)" <mcgrew@cisco.com> Fri, 12 October 2018 13:26 UTC

From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Paragon Initiative Enterprises Security Team <security@paragonie.com>, "cfrg@ietf.org" <cfrg@ietf.org>
Date: Fri, 12 Oct 2018 13:26:31 +0000
Message-ID: <F56AC368-D83F-4ED6-8AB1-565E983A73AC@cisco.com>
References: <CAKws9z3+4DftG5Ov=C3w-u=toaUj6_xOC1s_f5t+dx0fWObTxw@mail.gmail.com>
In-Reply-To: <CAKws9z3+4DftG5Ov=C3w-u=toaUj6_xOC1s_f5t+dx0fWObTxw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zoBN12Dp8XOzjjwnEuC7HIX_NNg>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Hi Scott,

it’s nice to see work that creates alternatives to deterministic nonces.

As I understand it, the motivation for this draft is to enable the use of random nonces. Why not define it as a randomized AEAD algorithm, so that the nonce is dispensed with entirely? (In RFC 5116 terms, a randomized algorithm can have a maximum nonce length of zero.) That way, the security of the algorithm does not depend on the user’s ability to provide random nonces, there is no need to document the security requirements (or any other requirements) around that input, and the nonce generation can be tested along with the algorithm.

A couple of other comments: there needs to be a security considerations section (especially if guidance on nonce generation is needed) and there should be an IANA section that creates registry entries for this algorithm.

If nonces are pseudorandomly generated, either inside or outside of the algorithm, then users need to be careful about things like fork() and VM cloning that can undermine security by causing unintentional nonce reuse.

best

David

From: Cfrg <cfrg-bounces@irtf.org> on behalf of Paragon Initiative Enterprises Security Team <security@paragonie.com>
Date: Friday, October 5, 2018 at 1:36 PM
To: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: [Cfrg] [RFC] [DRAFT] eXtended-nonce ChaCha and AEAD_XChaCha20-Poly1305 (updated)

Good afternoon,

I've uploaded draft01, which contains some typo fixes and an additional test vector for XChaCha20 directly.

https://datatracker.ietf.org/doc/draft-arciszewski-xchacha/

If anyone would like to contribute to this document directly, its development is being facilitated on GitHub: https://github.com/bikeshedders/xchacha-rfc

Of course, I'm also open to feedback/criticism via email as well.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
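The two points David raises, a randomized AEAD whose nonce input has length zero in the RFC 5116 sense, and fork() silently duplicating a user-space PRNG so that two processes emit the same nonce, in working code. This is an added example; it is not code from either message, from the draft, or from the bikeshedders/xchacha-rfc repository. It follows the draft's construction (HChaCha20 over the first 16 nonce bytes yields the subkey, the remaining 8 bytes sit behind a zero 32-bit prefix as the ChaCha20-Poly1305 nonce) in pure Python as a readable reference, not a constant-time implementation. The raead_* wrapper, the seed 20181012 and the nonces_after_fork() helper are this example's own assumptions, and the fork() part needs a POSIX system.

```python
"""Added example: pure-Python XChaCha20-Poly1305, an RFC 5116 randomized-AEAD wrapper, a fork() nonce check."""
import hmac
import os
import random
import struct

MASK = 0xFFFFFFFF
CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _twenty_rounds(s):
    for _ in range(10):  # 10 double rounds: 4 column then 4 diagonal quarter rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, *idx)
    return s

def chacha20_block(key, counter, nonce12):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    init = list(CONSTANTS) + list(struct.unpack("<8I", key)) + [counter] + list(struct.unpack("<3I", nonce12))
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(_twenty_rounds(init[:]), init)])

def chacha20_xor(key, counter, nonce12, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], chacha20_block(key, counter + i // 64, nonce12)))
    return bytes(out)

def hchacha20(key, nonce16):
    """32-byte subkey: 20 rounds, no feed-forward, state words 0-3 and 12-15 out."""
    s = _twenty_rounds(list(CONSTANTS) + list(struct.unpack("<8I", key)) + list(struct.unpack("<4I", nonce16)))
    return struct.pack("<8I", *(s[0:4] + s[12:16]))

def poly1305(otk, aad, ct):
    """Poly1305 over pad16(aad) || pad16(ct) || le64(len aad) || le64(len ct), as in RFC 8439."""
    msg = aad + b"\x00" * (-len(aad) % 16) + ct + b"\x00" * (-len(ct) % 16) + struct.pack("<QQ", len(aad), len(ct))
    r, acc = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF, 0  # clamp r
    for i in range(0, len(msg), 16):
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % ((1 << 130) - 5)
    return ((acc + int.from_bytes(otk[16:], "little")) & ((1 << 128) - 1)).to_bytes(16, "little")

def _derive(key, nonce24):
    # Draft construction: HChaCha20(key, nonce[0:16]) is the subkey; 0x00000000 || nonce[16:24] the 12-byte nonce.
    subkey, nonce12 = hchacha20(key, nonce24[:16]), b"\x00" * 4 + nonce24[16:]
    return subkey, nonce12, chacha20_block(subkey, 0, nonce12)[:32]  # block 0 is the Poly1305 one-time key

def xchacha20poly1305_encrypt(key, nonce24, aad, plaintext):
    subkey, nonce12, otk = _derive(key, nonce24)
    ct = chacha20_xor(subkey, 1, nonce12, plaintext)  # data keystream starts at block 1
    return ct + poly1305(otk, aad, ct)

def xchacha20poly1305_decrypt(key, nonce24, aad, ct_and_tag):
    subkey, nonce12, otk = _derive(key, nonce24)
    ct, tag = ct_and_tag[:-16], ct_and_tag[-16:]
    if not hmac.compare_digest(tag, poly1305(otk, aad, ct)):
        raise ValueError("authentication failed")  # verify before releasing any plaintext
    return chacha20_xor(subkey, 1, nonce12, ct)

# Randomized AEAD in the RFC 5116 sense (N_MAX = 0): no nonce parameter; a fresh 192-bit
# value is drawn from the OS inside the algorithm and carried with the ciphertext.
def raead_encrypt(key, aad, plaintext):
    nonce24 = os.urandom(24)
    return nonce24 + xchacha20poly1305_encrypt(key, nonce24, aad, plaintext)

def raead_decrypt(key, aad, blob):
    return xchacha20poly1305_decrypt(key, blob[:24], aad, blob[24:])

# fork() hazard: a user-space PRNG is duplicated into the child, so parent and child draw
# the same "random" nonce. os.urandom reads the kernel pool and shares no process state.
_userspace_prng = random.Random(20181012)  # constructed seed, for the demonstration only

def prng_nonce():
    return _userspace_prng.getrandbits(192).to_bytes(24, "little")

def nonces_after_fork(draw=lambda: os.urandom(24)):
    """Return (parent_nonce, child_nonce), each drawn right after fork(). POSIX only."""
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: draw once, send it back, exit without running cleanup handlers
        os.close(rd)
        os.write(wr, draw())
        os._exit(0)
    os.close(wr)
    child_nonce = os.read(rd, 24)
    os.close(rd)
    os.waitpid(pid, 0)
    return draw(), child_nonce
```

Two calls to raead_encrypt with the same key and plaintext give different outputs because the nonce is drawn inside the algorithm, which is exactly what makes the nonce testable alongside it. nonces_after_fork(prng_nonce) returns an identical pair, while nonces_after_fork() with the default os.urandom draw does not. A cloned VM is the same failure one layer down: the kernel pool is cloned with the rest of memory, so even os.urandom can repeat until the guest reseeds, and that has to be handled at deployment time rather than inside the cipher.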