Re: [TLS] Salsa20 and Poly1305 in TLS

"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Sun, 11 August 2013 23:55 UTC

From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: "'simon@josefsson.org'" <simon@josefsson.org>, "'ted@krovetz.net'" <ted@krovetz.net>
Date: Sun, 11 Aug 2013 19:40:19 -0400
Cc: "'tls@ietf.org'" <tls@ietf.org>
Subject: Re: [TLS] Salsa20 and Poly1305 in TLS

Considering the similarity between Salsa and Chacha design & construction (and the amount of analysis that went into it), IMHO Chacha's advantages justify its use over Salsa.

Thanks!
--
Regards,
Uri Blumenthal                            Voice: (781) 981-1638
Cyber Systems and Technology   Fax:   (781) 981-0186
MIT Lincoln Laboratory                Cell:  (339) 223-5363
244 Wood Street                        Email: <uri@ll.mit.edu>
Lexington, MA  02420-9185       

Web:  http://www.ll.mit.edu/CST/

 

MIT LL Root CA: 

 <https://www.ll.mit.edu/labcertificateauthority.html>


DSN:   478-5980 ask Lincoln ext.1638

----- Original Message -----
From: Simon Josefsson [mailto:simon@josefsson.org]
Sent: Sunday, August 11, 2013 06:18 PM
To: Ted Krovetz <ted@krovetz.net>
Cc: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Salsa20 and Poly1305 in TLS

Ted Krovetz <ted@krovetz.net> writes:

> I'd also suggest using Bernstein's Chacha instead of Bernstein's
> Salsa. It has the same core as Salsa, but Bernstein cleaned up the
> rough edges of its prolog and epilog, making it smaller, faster and
> nicer to program. Chacha is basically a better Salsa.
>
> http://cr.yp.to/chacha.html

Right, there is a bunch of stream ciphers that have nicer properties
than Salsa20, but Salsa20 was chosen conservatively from the set of
modern stream ciphers.  Do you think the benefits of Chacha motivate
ignoring the time that went into reviewing Salsa20?  I'm assuming
Salsa20 has received more review than Chacha, but I cannot quantify it.

I would have preferred a stream cipher with built-in authentication, so we
wouldn't have to debate the choice of MAC.  Alas, I'm not aware of any
with good performance that has gone through significant review.

/Simon