Re: [TLS] Salsa20 and Poly1305 in TLS
"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Sun, 11 August 2013 23:55 UTC
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: "'simon@josefsson.org'" <simon@josefsson.org>, "'ted@krovetz.net'" <ted@krovetz.net>
Date: Sun, 11 Aug 2013 19:40:19 -0400
Cc: "'tls@ietf.org'" <tls@ietf.org>
Subject: Re: [TLS] Salsa20 and Poly1305 in TLS

Considering the similarity between Salsa and Chacha design & construction (and the amount of analysis that went into it), IMHO Chacha advantages justify its use over Salsa.

Thanks!

--
Regards,
Uri Blumenthal                  Voice: (781) 981-1638
Cyber Systems and Technology    Fax:   (781) 981-0186
MIT Lincoln Laboratory          Cell:  (339) 223-5363
244 Wood Street                 Email: <uri@ll.mit.edu>
Lexington, MA 02420-9185        Web:   http://www.ll.mit.edu/CST/
MIT LL Root CA: <https://www.ll.mit.edu/labcertificateauthority.html>
DSN: 478-5980 ask Lincoln ext.1638

----- Original Message -----
From: Simon Josefsson [mailto:simon@josefsson.org]
Sent: Sunday, August 11, 2013 06:18 PM
To: Ted Krovetz <ted@krovetz.net>
Cc: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Salsa20 and Poly1305 in TLS

Ted Krovetz <ted@krovetz.net> writes:

> I'd also suggest using Bernstein's Chacha instead of Bernstein's
> Salsa. It has the same core as Salsa, but Bernstein cleaned up the
> rough edges of its prolog and epilog, making it smaller, faster and
> nicer to program. Chacha is basically a better Salsa.
>
> http://cr.yp.to/chacha.html

Right, there is a bunch of stream ciphers that have nicer properties than Salsa20, but Salsa20 was chosen conservatively from the set of modern stream ciphers. Do you think the benefits of Chacha motivate ignoring the time that went into reviewing Salsa20? I'm assuming Salsa20 has received more review than Chacha, but I cannot quantify it.

I would have preferred a stream cipher with built-in authentication, so we wouldn't have to debate the choice of MAC. Alas, I'm not aware of any with good performance that has gone through significant review.

/Simon