Re: [IPsec] ChaCha20 & Poly1305, AEAD and other modes

Yaron Sheffer <yaronf.ietf@gmail.com> Mon, 10 March 2014 06:00 UTC

Hi Yoav,

Can you explain why we need Poly1305 at all? We have SHA-2 and will 
probably adopt Keccak (SHA-3), so it's not like we don't have a backup.

Let me suggest that we adopt *only* ChaCha20, which can be combined with 
any integrity protection algorithm in the normal ESP way. Is there any 
extra value (maybe code sharing?) in predefining an AEAD?

Thanks,
	Yaron

On 03/09/2014 05:03 PM, Yoav Nir wrote:
> Hi
>
>
> draft-nir-ipsecme-chacha20-poly1305 currently specifies three transforms:
>
>  1. ChaCha20 as a stand-alone cipher
>  2. Poly1305 as a stand-alone MAC
>  3. ChaCha20-Poly1305 as an AEAD.
>
> Some people in the room said that we should only do the AEAD and skip
> the stand-alone algorithms. This would prevent SAs with combinations
> such as ChaCha20 + HMAC-SHA1 or AES-128-CBC + Poly1305.
>
> I'm not saying whether we need or don't need these combinations. I don't
> see much use for them personally. My question to the list now is whether
> everyone agrees that it's fine to drop them and leave only the combined
> mode algorithm in the draft.
>
> Thanks
>
> Yoav