Re: [openpgp] Request on Adding ChaCha20-Poly1305 to the OpenPGP Standardization

Bart Butler <bartbutler@protonmail.com> Wed, 15 April 2020 22:20 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/trWoJRqOkdSFpeERITkjVz5N368>

Hi Tanveer,

Thanks for the suggestion. I'll be the first to admit that ChaCha20-Poly1305 is a great symmetric algorithm.

That said, there's nothing really wrong with AES, and I agree with Werner that if anything the OpenPGP specification has too many ciphers rather than too few (though most of these are asymmetric, to be fair). More ciphers mean more work to implement and maintain the OpenPGP spec, and there has already been so much effort on the cryptographic refresh for OpenPGP, and so many implementations which are done or close to implementing the current draft, that the likelihood of adding yet another cipher to the mix I'd say is slim, despite it being, on the merits, a good one.

Another thing worth mentioning is that OpenPGP messages are archival. Removal of algorithms is always hard, because you need to still be able to decrypt old messages. In contrast, most of the examples you have cited involve transient transport-layer security, which is ephemeral and therefore easier to drop legacy support. The same goes for those protocols and examples being non-distributed organizations--if you only have to be compatible with yourself, you can do whatever you'd like, which is essentially Werner's point about experimental algorithms.

What this means is that we'd never be able to "drop" AES--the best we could do is add ChaCha and wait for the major implementations to add it. This would in turn delay the cryptographic refresh of OpenPGP by even more, introduce more opportunities for incompatibilities between implementations, and increase the algorithm bloat of OpenPGP for a minor speed and security benefit, and, because OpenPGP messages last forever, it would obligate that support to continue for the next several decades. It does not seem worth it to me, at least at this time.

Cheers,

Bart Butler
Proton CTO

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, April 15, 2020 10:53 AM, Tanveer.Salim <Tanveer.Salim=40protonmail.com@dmarc.ietf.org> wrote:

> Dear IETF,
> 

> Hello. I am Tanveer Salim and am a Computer Engineering Student from Texas Tech University.
> 

> Firstly, I would like to thank you for taking the time to work on GNUPG for all these years.
> 

> I personally am really glad you are willing to ensure people have a sound option for secure communication on the internet.
> 

> I discussed the pros and cons of using ChaCha20-Poly1305 first with the ProtonMail Security Team on a Reddit Forum:
> 

> (https://www.reddit.com/r/ProtonMail/comments/g0pa55/protonmail_securitys_opinion_on_using_the/)
> 

> and as of now with the creators of WireGuard VPN.
> 

> ProtonMail users and the ProtonMail Security Team admitted that most hardware devices already have hardware support for AES-GCM 256-bit encryption and therefore AES-GCM 256-bit will be faster than a pure-software implementation of ChaCha20.
> 

> Jason Donenfeld, one of the creators of WireGuard VPN, said that although that was true ARX-512 bit vector extensions for the Intel and AMD instruction set architectures will allow hardware-accelerated implementations of ChaCha20-Poly1305 to run even faster than hardware-accelerated implementations of AES (e.g. AES-NI). (https://www.wireguard.com/papers/wireguard.pdf)
> 

> This was why Jason Donenfeld and the rest of the WireGuard VPN team made ChaCha20-Poly1305 the primary, exclusive AEAD in their VPN.
> 

> For now, support for AVX-512 bit instructions is not as widespread just yet. But that should be the case in a matter of a few years as cited in the WireGuard VPN Whitepaper. (https://en.wikipedia.org/wiki/AVX-512)
> (https://www.wireguard.com/papers/wireguard.pdf)
> 

> For now, although ProtonMail is mostly correct in their saying that hardware-accelerated AES is faster than pure-software, Jason Donenfeld definitely seems to be making a strong argument for using ChaCha20-Poly1305. Soon in the future, ARX-512 bit vector extensions will allow hardware-accelerated ChaCha20-Poly1305 to run faster than hardware-accelerated AES.
> 

> ProtonMail did admit it would be a good idea to try to add the ChaCha20-Poly1305 to OpenPGP and WebCrypto. Afterwards, they would be happy to add support for ChaCha20-Poly1305.
> 

> This is perhaps also why other projects are adding support for ChaCha20-Poly1305 as we speak.
> 

> Other famous projects that are using ChaCha20-Poly1305 in their works include NordPass (https://nordpass.com/features/xchacha20-encryption/), KeePassXC, and SSH (http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html).
> 

> Considering the growing usage of ChaCha20-Poly1305, would you consider adding ChaCha20-Poly1305 as an additional cipher to your draft of OpenPGP standardization? I noticed you were working on a new draft for OpenPGP in RFC 4880bis: (https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-09).
> 

> Libgcrypt already supports ChaCha20 and Poly1305 individually after all. But OpenPGP does not yet accept ChaCha20-Poly1305 as an additional/experimental cipher yet.
> 

> Since you are the lead developer of GNUPG, which is the world's most influential implementation of OpenPGP, you could certainly make it an additional cipher to OpenPGP.
> 

> With saying all of this, I would like to ask if you are now considering to add ChaCha20-Poly1305 itself to the OpenPGP standardization?
> 

> I thank you for any responses to send back to me.
> 

> I actually first emailed Werner Koch directly and he has given me permission to reiterate his response:
> 

> ----------
> 

> Werner Koch's Response Below:
> 

> Hi!
> 

> Thanks for the long writeup but you should better direct this mail to
> the IETF WG list: openpgp@ietf.org which is the appropriate place for
> such requests.
> 

> The set of cipher algorithms in OpenPGP is long and actually longer than
> we like it.  Most of the extra cipher algorithms are there for political
> reasons (e.g. Camellia) and in practice not used.  We have settled long
> ago for AES because that is the best block cipher algorithm we have
> and main stream CPUs provide hardware acceleration for it.
> 

> Regarding encryption modes, we are using CFB+MDC and are preparing to
> move on to OCB and EAX (with the latter only there for political/patent
> fears).  This allows us to keep on using AES.  Changing to a stream cipher,
> as you propose is very unlikely.
> 

> You may however use the experimental range of algo identifiers for
> ChaCha but that won't be useful for production.  Replacing algorithms
> takes years and we are not even there to enable OCB or EAX modes.
> 

> Shalom-Salam,
> 

>    Werner
> 

> ps.
> if you want to post to the WG list, feel free to include this mail.
> 

> ----------
> 

> Thoughts are free.  Exceptions are regulated by a federal law.
> 

> So Mr. Koch admits that there are political problems and technical issues with adding ChaCha20-Poly1305. Political in the sense that many implementations will be offended if the switch was made from AES to ChaCha20-Poly1305. I am not saying we should necessarily switch the official standard from AES to ChaCha20-Poly1305. Just to add ChaCha20-Poly1305 as an alternative. The technical challenge was that even the OCB and EAX mode meant to improve AES performance were not even added yet.
> 

> Finally, I have one more additional question.
> 

> According to the Autocrypt website, it would be great if Argon2 and SCrypt key derivation functions were added to OpenPGP as well. But Autocrypt admitted that this is yet to be done. (https://autocrypt.readthedocs.io/en/latest/faq.html)
> 

> So will the IETF be trying to add support for both key derivation functions in the current draft for RFC 4880bis?
> 

> I thank the IETF for updating OpenPGP and taking the time to send back any replies to me.
> 

> Sincerely,
> 

> Tanveer Salim
> 
