Re: [TLS] chacha to replace RC4 (was: Salsa vs. ChaCha)

Nikos Mavrogiannopoulos <> Sat, 07 December 2013 13:19 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 913721ADFA2 for <>; Sat, 7 Dec 2013 05:19:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GqC0NLuVrqZQ for <>; Sat, 7 Dec 2013 05:19:51 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A7A401ADF8D for <>; Sat, 7 Dec 2013 05:19:51 -0800 (PST)
Received: from ( []) by (8.14.4/8.14.4) with ESMTP id rB7DJkLv018408 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 7 Dec 2013 08:19:46 -0500
Received: from [] ( []) by (8.14.4/8.14.4) with ESMTP id rB7DJhZn006248 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 7 Dec 2013 08:19:45 -0500
Message-ID: <1386422383.2106.18.camel@aspire.lan>
From: Nikos Mavrogiannopoulos <>
To: Brian Smith <>
Date: Sat, 07 Dec 2013 14:19:43 +0100
In-Reply-To: <>
References: <> <> <> <> <> <> <>
Organization: Red Hat
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on
Subject: Re: [TLS] chacha to replace RC4 (was: Salsa vs. ChaCha)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 07 Dec 2013 13:19:53 -0000

On Fri, 2013-12-06 at 19:44 -0800, Brian Smith wrote:

> AFAICT, there's no technical reason to prohibit AEAD in TLS 1.0 or TLS
> 1.1.
> Also, I don't think TLS 1.2 is that much code to add to a TLS 1.0 or
> TLS 1.1 implementation, especially if you're not supporting any new
> cipher suites except the new ChaCha20 ones, and if you're not trying to
> support any functionality above what what TLS 1.0 and TLS 1.1 provide.
> Consequently, I don't think we should consider the AEAD construction to
> be too much of a burden for anybody to implement in order to support
> new cipher suites.

 I agree that there is no technical reason to prohibit AEAD in
TLS 1.x, x<2, but exactly for this prohibition, the old non-TLS 1.2
supporting implementations don't have support for AEAD. Their design is
often agile in the sense that a new cipher or MAC can be easily added,
but adding an AEAD cipher there is a non-trivial matter. If by AEAD you
mean Adam's draft, then there is also the question why replace
RC4-HMAC-SHA1 with AEAD-CHACHA-POLY1305 when you only need to fix RC4?
(and we have no reasons to believe that HMAC-SHA1 is broken).

If you suggestion is to make CHACHA-HMAC-SHA1 an AEAD design, I don't
think that this is needed. Unlike AEAD-CHACHA-POLY1305 which is
inherently an AEAD design, there is no advantage gained by making
CHACHA-HMAC-SHA1 an AEAD cipher - except for saying "cool it is AEAD",
and making it more difficult for old implementations to use it.