Re: [TLS] Salsa20 and Poly1305 in TLS

Ted Krovetz <ted@krovetz.net> Mon, 12 August 2013 01:14 UTC

From: Ted Krovetz <ted@krovetz.net>
In-Reply-To: <87zjsn3m7q.fsf@latte.josefsson.org>
Date: Sun, 11 Aug 2013 18:06:16 -0700
Message-Id: <92C52D00-644F-4814-A77B-FD793FB4D676@krovetz.net>
References: <CAL9PXLySuS1gn8YisobYrbEnNpxJuYPbKB0qtkCOMnb+m90Jjg@mail.gmail.com> <CADi0yUNPENmF9G=oiteRuZ3tXn4JFMOEuMsnD9Ean6arjWveKw@mail.gmail.com> <23D5606B-9225-4428-99AA-EC66C93D4088@krovetz.net> <87zjsn3m7q.fsf@latte.josefsson.org>
To: Simon Josefsson <simon@josefsson.org>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Salsa20 and Poly1305 in TLS

> Do you think the benefits of Chacha motivate
> ignoring the time that went into reviewing Salsa20?

The nice thing about Chacha is that most of the Salsa analysis applies. The only differences between the two algorithms are (1) the ordering of the initial and final 16-word state, and (2) two rotation distances. I believe that Dan Bernstein has said that he believes (1) has no security consequences and that (2) improves security.

If I were choosing between the two, yes, I'd be willing to transfer my confidence from Salsa to Chacha and use that.

-Ted
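
For readers comparing the two ciphers discussed in this message, the quarter-round functions and initial 16-word state layouts from the published Salsa20 and ChaCha specifications are shown side by side below. This is an added example, not part of the original message; the function names and the sample key, nonce and counter are assumptions made for illustration.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # constants for 256-bit keys

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def salsa20_quarterround(y0, y1, y2, y3):
    # Salsa20: add, rotate, then xor; rotation distances 7, 9, 13, 18
    y1 ^= rotl((y0 + y3) & MASK, 7)
    y2 ^= rotl((y1 + y0) & MASK, 9)
    y3 ^= rotl((y2 + y1) & MASK, 13)
    y0 ^= rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3

def chacha_quarterround(a, b, c, d):
    # ChaCha: add, xor, then rotate; rotation distances 16, 12, 8, 7
    a = (a + b) & MASK
    d = rotl(d ^ a, 16)
    c = (c + d) & MASK
    b = rotl(b ^ c, 12)
    a = (a + b) & MASK
    d = rotl(d ^ a, 8)
    c = (c + d) & MASK
    b = rotl(b ^ c, 7)
    return a, b, c, d

def _words(key, nonce, counter):
    # Assumes a 32-byte key, 8-byte nonce and 64-bit block counter (original variants)
    return (struct.unpack("<8I", key), struct.unpack("<2I", nonce),
            (counter & MASK, (counter >> 32) & MASK))

def salsa20_initial_state(key, nonce, counter):
    k, n, ctr = _words(key, nonce, counter)
    # Constants sit on the diagonal of the 4x4 matrix (words 0, 5, 10, 15)
    return [SIGMA[0], *k[:4], SIGMA[1], *n, *ctr, SIGMA[2], *k[4:], SIGMA[3]]

def chacha_initial_state(key, nonce, counter):
    k, n, ctr = _words(key, nonce, counter)
    # Constants fill the first row, then key, counter, nonce
    return [*SIGMA, *k, *ctr, *n]

if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(8)  # constructed sample inputs
    for name, build in (("Salsa20", salsa20_initial_state), ("ChaCha", chacha_initial_state)):
        print(name, " ".join(f"{w:08x}" for w in build(key, nonce, 1)))
```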