Re: [TLS] Salsa20 and Poly1305 in TLS

Adam Langley <agl@google.com> Tue, 30 July 2013 14:45 UTC

On Mon, Jul 29, 2013 at 11:03 PM, Ted Krovetz <ted@krovetz.net> wrote:
> In an attempt to simplify from UMAC, I developed VMAC as an alternative that uses considerably less internal key and is significantly faster on 64-bit architectures. Even from L3 cache it is probably 2-3 times faster than Poly1305.
>
> http://fastcrypto.org/vmac/
> http://krovetz.net/csus/papers/vhash-revise.pdf
> http://krovetz.net/csus/papers/vmac.pdf

I agree that VMAC has considerably less memory footprint, around 168
bytes in total, and is faster. I will try to repeat the above
benchmarks for VMAC this week. (And, hopefully, run some tests on
ARM.)

> I'd also suggest using Bernstein's ChaCha instead of Bernstein's Salsa. It has the same core as Salsa, but Bernstein cleaned up the rough edges of its prolog and epilog, making it smaller, faster and nicer to program. ChaCha is basically a better Salsa.
>
> http://cr.yp.to/chacha.html

I do like ChaCha more than Salsa. However, in this case we don't have
the theoretical foundations of polynomial authenticators to stand on.
Salsa is what gets reviewed, ChaCha has had relatively little
attention. The improvement from Salsa to ChaCha doesn't seem to be
large enough to justify switching.

Having said that, I'm fine with either.


Cheers

AGL