Re: [TLS] Salsa20 and Poly1305 in TLS

Simon Josefsson <simon@josefsson.org> Sun, 11 August 2013 22:24 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Ted Krovetz <ted@krovetz.net>
Date: Mon, 12 Aug 2013 00:18:49 +0200
In-Reply-To: <23D5606B-9225-4428-99AA-EC66C93D4088@krovetz.net> (Ted Krovetz's message of "Mon, 29 Jul 2013 17:03:44 -1000")
Cc: tls@ietf.org

Ted Krovetz <ted@krovetz.net> writes:

> I'd also suggest using Bernstein's Chacha instead of Bernstein's
> Salsa. It has the same core as Salsa, but Bernstein cleaned up the
> rough edges of its prolog and epilog, making it smaller, faster and
> nicer to program. Chacha is basically a better Salsa.
>
> http://cr.yp.to/chacha.html

Right, there is a bunch of stream ciphers that have nicer properties
than Salsa20, but Salsa20 was chosen conservatively from the set of
modern stream ciphers.  Do you think the benefits of Chacha motivate
ignoring the time that went into reviewing Salsa20?  I'm assuming
Salsa20 has received more review than Chacha, but I cannot quantify it.

I would have preferred a stream cipher with built-in authentication, so we
wouldn't have to debate the choice of MAC.  Alas, I'm not aware of any
with good performance that has gone through significant review.

/Simon