Re: [MLS] ChaChaX

Richard Barnes <rlb@ipv.sx> Tue, 11 August 2020 19:53 UTC

To: Brendan McMillion <brendan@cloudflare.com>
Cc: Messaging Layer Security WG <mls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/BsPBIeEkdZCE2_FCPaT_nSKCBPc>

Ah, thanks.  It seems like this is mainly a question of limits / how many
ciphertexts you can send within an epoch -- you get more reuse with longer
nonces.  Cf. https://tools.ietf.org/html/draft-wood-cfrg-aead-limits-00

Note also that this primarily matters for sender data encryption.  For
content encryption, you're effectively using a fresh key *and* nonce each
time, so you have more space.

--Richard


On Mon, Aug 10, 2020 at 3:36 PM Brendan McMillion <brendan@cloudflare.com>
wrote:

> Sorry, I suppose the real name is XChaCha and it's defined here:
> https://tools.ietf.org/html/draft-irtf-cfrg-xchacha-01
>
> XChaCha has a 24 byte nonce and is meant to be more suitable for randomly
> generated nonces
>
> On Mon, Aug 10, 2020 at 12:31 PM Richard Barnes <rlb@ipv.sx> wrote:
>
>> Hey Brendan,
>>
>> I'm not sure I follow.  Could you clarify what you mean by ChaChaX, and
>> how it's different from base ChaCha?  Where by "base ChaCha", I mean RFC
>> 8439.
>>
>> https://tools.ietf.org/html/rfc8439
>>
>> Thanks,
>> --Richard
>>
>> On Mon, Aug 10, 2020 at 2:03 PM Brendan McMillion
>> <brendan=40cloudflare.com@dmarc.ietf.org> wrote:
>>
>>> Hello mls@
>>>
>>> I wanted to quickly poll the list on a somewhat annoying issue.
>>> Currently, every time we encrypt with our AEAD we use an unstructured
>>> nonce: sender data encryption is properly random, while HPKE and message
>>> encryption use the output of a KDF which is as good as random. Accordingly,
>>> we should be using ChaChaX instead of ChaCha.
>>>
>>> Does everyone else agree? Should I open these PRs?
>>
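
An added example, not part of the thread: the birthday-bound arithmetic behind the nonce-length question, comparing the 96-bit nonce of RFC 8439 ChaCha20-Poly1305 with XChaCha's 24-byte nonce when nonces are drawn at random under a single key. The 2^-32 collision target, the function names and the scaled-down 16-bit simulation are assumptions chosen for illustration.

```python
import math
import random

def collision_probability(q: int, nonce_bits: int) -> float:
    # Birthday approximation for q uniformly random nonces under one key:
    # P ~= 1 - exp(-q(q-1) / 2^(nonce_bits+1)); expm1 keeps tiny values accurate.
    return -math.expm1(-(q * (q - 1)) / 2 ** (nonce_bits + 1))

def max_messages_log2(nonce_bits: int, target_log2: float) -> float:
    # Solve q^2 / 2^(nonce_bits+1) = 2^target_log2 for log2(q).
    return (nonce_bits + 1 + target_log2) / 2

def simulate(nonce_bits: int, q: int, trials: int, seed: int = 0) -> float:
    # Empirical check of the approximation on a deliberately tiny nonce space.
    # Uses a seeded non-cryptographic PRNG only so the run is reproducible.
    rng = random.Random(seed)
    collisions = 0
    for _ in range(trials):
        seen = set()
        for _ in range(q):
            nonce = rng.getrandbits(nonce_bits)
            if nonce in seen:
                collisions += 1
                break
            seen.add(nonce)
    return collisions / trials

if __name__ == "__main__":
    target = -32  # assumed acceptable collision probability of 2^-32
    for name, bits in (("ChaCha20-Poly1305 (96-bit nonce)", 96),
                       ("XChaCha20-Poly1305 (192-bit nonce)", 192)):
        budget = max_messages_log2(bits, target)
        print(f"{name}: about 2^{budget:.1f} random-nonce messages per key")
    # Sanity check: the formula tracks a simulation at 16 bits.
    print("predicted:", round(collision_probability(300, 16), 3),
          "observed:", simulate(16, 300, 2000))
```

The per-key budget only constrains keys that encrypt many messages with random nonces, which is why the reply singles out sender data encryption rather than content encryption.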