Re: [TLS] Salsa20 and Poly1305 in TLS
Simon Josefsson <simon@josefsson.org> Sun, 11 August 2013 22:24 UTC
From: Simon Josefsson <simon@josefsson.org>
To: Ted Krovetz <ted@krovetz.net>
Date: Mon, 12 Aug 2013 00:18:49 +0200
Cc: tls@ietf.org

Ted Krovetz <ted@krovetz.net> writes:

> I'd also suggest using Bernstein's Chacha instead of Bernstein's
> Salsa. It has the same core as Salsa, but Bernstein cleaned up the
> rough edges of its prolog and epilog, making it smaller, faster and
> nicer to program. Chacha is basically a better Salsa.
>
> http://cr.yp.to/chacha.html

Right, there is a bunch of stream ciphers that have nicer properties than Salsa20, but Salsa20 was chosen conservatively from the set of modern stream ciphers. Do you think the benefits of Chacha motivate ignoring the time that went into reviewing Salsa20? I'm assuming Salsa20 has received more review than Chacha, but I cannot quantify it.

I would have preferred a stream cipher with builtin authentication, so we wouldn't have to debate the choice of MAC. Alas, I'm not aware of any with good performance that has gone through significant review.

/Simon