Re: [TLS] Salsa20 and Poly1305 in TLS

Nick Mathewson <nickm@torproject.org> Tue, 30 July 2013 00:40 UTC

Date: Mon, 29 Jul 2013 20:40:37 -0400
Message-ID: <CAKDKvuw80qTptv4zCnpxqq7u=iuB950bvUPbWT_YDQmUOakBRA@mail.gmail.com>
From: Nick Mathewson <nickm@torproject.org>
To: Adam Langley <agl@google.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Salsa20 and Poly1305 in TLS

On Mon, Jul 29, 2013 at 3:09 PM, Adam Langley <agl@google.com> wrote:
> I cannot make it to Berlin I'm afraid (or, indeed, any meetings until
> at least IETF 91) so I'm writing my thoughts on
> draft-josefsson-salsa20-tls-02, which is scheduled for discussion.
>
> We (Google) support the addition of Salsa20 as a cipher in TLS. Having
> a secure cipher which is fast and constant time on all platforms is
> important. It's also good to have an alternative to AES in the wings
> should that be needed in the future. At the moment I consider RC4 and
> AES-CBC to be mortally wounded, even if we have to continue supporting
> them for many years yet.

Hi!  Nick Mathewson (Tor guy) here.

We at Tor also support adding Salsa20 as a TLS ciphersuite, for about
the same reasons as Adam.  (We won't be able to start using it much
till browsers start using it, of course, since it's not in our
interest to be among the first adopters of any externally detectable
TLS feature.)

I also personally concur with Adam's arguments in favor of Poly1305,
but UMAC wouldn't be a disaster.

best wishes,
-- 
Nick Mathewson