Re: [IPsec] ChaCha20 & Poly1305, AEAD and other modes

Yoav Nir <ynir.ietf@gmail.com> Mon, 10 March 2014 08:51 UTC

Date: Mon, 10 Mar 2014 10:51:01 +0200
Message-ID: <CAGvU-a4aLXTqNUTbn1_Xo_+KmabDfRoO7Dy9joOFjnG9LnkVvA@mail.gmail.com>
From: Yoav Nir <ynir.ietf@gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/ds_n3c0uldSDWm-nC-wXqUGoxIw
Cc: ipsec <ipsec@ietf.org>
Subject: Re: [IPsec] ChaCha20 & Poly1305, AEAD and other modes

The draft currently has all three: standalone ChaCha, standalone Poly1305,
and AEAD.

Standalone Poly1305 has the issue that it requires a one-time key or a
nonce to generate it, but ESP only allows an IV for the cipher, not for the
MAC. The draft deals with it by using the replay counter as a nonce, but
then changes APIs. That is one reason why some people are opposed to
standalone Poly1305.

Yoav


On Mon, Mar 10, 2014 at 10:43 AM, Daniel Migault <mglt.ietf@gmail.com> wrote:

> Hi,
>
> My understanding is that Poly1305 and chacha20 are provided as
> "alternatives" to SHA* or AES*. Specific devices with AES
> accelerations may be willing, for performance optimization, to use
> Poly1305 instead of SHA with AES. For this reason it might be better
> to have:
>     - chacha20 as a stand-alone cipher
>     - Poly1305 as a stand-alone MAC
>
> On the other hand, providing the AEAD chacha20-poly1305 may be helpful
> for end users or admins. Especially if security consideration
> recommends AEAD. Would it bring too much complexity to also define
> AEAD chacha20-poly1305?
>
> BR
> Daniel
>
>
>
> On Mon, Mar 10, 2014 at 9:15 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> >
> >
> >
> > On Mon, Mar 10, 2014 at 8:00 AM, Yaron Sheffer <yaronf.ietf@gmail.com>
> > wrote:
> >>
> >> Hi Yoav,
> >>
> >> Can you explain why we need Poly1305 at all? We have SHA-2 and will
> >> probably adopt Keccak (SHA-3), so it's not like we don't have a backup.
> >
> >
> > Sure.  Poly1305 is fast. Faster than SHA-1, SHA-2, and Keccak. I haven't
> > compared it to GMAC on Intel, but that is fast only because it has special
> > Intel instructions like PCLMULQDQ. Both ChaCha and Poly1305 can be fast in a
> > plain C implementation, so they're fast on any platform.  Poly1305 needs
> > another algorithm to generate the per-message keys. That could be AES as in
> > DJB's original paper, or it can be ChaCha as in this draft (with or without
> > the AEAD).
> >
> >>
> >> Let me suggest that we adopt *only* ChaCha20, which can be combined with
> >> any integrity protection algorithm in the normal ESP way. Is there any extra
> >> value (maybe code sharing?) in predefining an AEAD?
> >
> >
> > The AEAD version is already in at least one crypto library (NSS as used in
> > Chrome) and there's a patch that AGL donated to OpenSSL (not in there yet).
> > So in addition to AEADs being fashionable, this combination makes sense for
> > performance, especially on non-Intel platforms.
> >
> > Yoav
> >
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> >
>
>
>
> --
> Daniel Migault
> Orange Labs -- Security
> +33 6 70 72 69 58
>