[TLS] Synopsis of CFRG discussions on new stream ciphers and MACs for TLS

"Igoe, Kevin M." <kmigoe@nsa.gov> Wed, 09 October 2013 16:50 UTC

From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: "'tls@ietf.org'" <tls@ietf.org>
Date: Wed, 9 Oct 2013 16:50:49 +0000
Subject: [TLS] Synopsis of CFRG discussions on new stream ciphers and MACs for TLS

As requested by the TLS WG during IETF-87, the CFRG discussed the
suitability of the candidate stream ciphers and MACs proposed for
use in TLS.

Three stream ciphers have been discussed:
        * The original SALSA-20
        * ChaCha, a variant of SALSA-20, modifying the prolog and
        epilog to increase efficiency.
        * eStream SALSA-20 (hereafter eSALSA) reduces the number
        of rounds from 20 rounds in SALSA-20 down to 12 rounds in

The discussion of these stream ciphers boiled down to the
following points:
        * There seems to be substantial controversy over the
        efficiency of the various stream cipher candidates,
        especially when compared to AES counter modes.  This
        needs to be straightened out before an informed decision
        can be made.
On the maturity of the cryptanalysis of the three stream ciphers:
        * The analysis of SALSA-20 has been very thorough and the
        degree of confidence in SALSA-20 is very high.
        * Though ChaCha has received slightly less analysis, the
        CFRG is confident that the analysis was sufficiently
        thorough that ChaCha is an acceptable alternative to
        * The RG was less comfortable with the maturity of the
        analysis of eSALSA, but no substantive objections were
Cryptanalytically all three are almost certainly sufficient for
use in TLS.  The RG expressed a preference for ChaCha.

We were also asked our opinion on the MACs being considered, UMAC
and POLY1305. No cryptanalytic issues were raised, though VMAC was
suggested as a more efficient alternative to UMAC. The
suitability of these MACs for efficient hardware implementation
was questioned.

Kevin M. Igoe   | "We can't solve problems by using the same kind
kmigoe@nsa.gov  | of thinking we used when we created them."
                |              - Albert Einstein -
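As an added example (not part of Kevin Igoe's message or of the CFRG's work), the following Python implements the three stream-cipher candidates and Poly1305 in one round-parameterised form, so that the relationships the message describes can be seen in code: Salsa20/20 and the eSTREAM Salsa20/12 differ only in the round count passed to the core, while ChaCha differs from Salsa20 in its quarter-round and in which words each round touches. Salsa20 follows Bernstein's Salsa20 specification; ChaCha follows the ChaCha paper, but the 32-bit counter / 96-bit nonce split and the test vectors come from RFC 7539, which postdates this 2013 message; Poly1305 follows RFC 7539 section 2.5. UMAC and VMAC are not implemented. All function and constant names are the example's own.

```python
"""Salsa20 and ChaCha cores with a selectable round count, plus Poly1305.
Added example, not code from the message or the CFRG; Salsa20 per Bernstein's
spec, ChaCha per the ChaCha paper with the RFC 7539 layout, Poly1305 per RFC 7539."""
import struct

MASK = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"   # constant words shared by Salsa20 and ChaCha for 256-bit keys

def rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def salsa_quarterround(y0, y1, y2, y3):
    # Salsa20 quarter-round: add two words, rotate, xor into a third; each word is updated once.
    y1 ^= rotl((y0 + y3) & MASK, 7)
    y2 ^= rotl((y1 + y0) & MASK, 9)
    y3 ^= rotl((y2 + y1) & MASK, 13)
    y0 ^= rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3

def chacha_quarterround(a, b, c, d):
    # ChaCha quarter-round: every word is updated twice; rotations 16/12/8/7 map well onto SIMD.
    a = (a + b) & MASK
    d = rotl(d ^ a, 16)
    c = (c + d) & MASK
    b = rotl(b ^ c, 12)
    a = (a + b) & MASK
    d = rotl(d ^ a, 8)
    c = (c + d) & MASK
    b = rotl(b ^ c, 7)
    return a, b, c, d

# Word indices of one double round.  Salsa20: column round, then row round.
SALSA_DOUBLE = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))
# ChaCha: column round, then diagonal round.
CHACHA_DOUBLE = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                 (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def core(quarterround, schedule, words, rounds):
    # `rounds` is the total round count: 20 for Salsa20/20 and ChaCha20, 12 for eSTREAM's Salsa20/12.
    x = list(words)
    for _ in range(rounds // 2):
        for a, b, c, d in schedule:
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])
    # Feed-forward addition of the input state is what makes the core non-invertible.
    return [(xi + wi) & MASK for xi, wi in zip(x, words)]

def salsa_core(words, rounds=20):
    return core(salsa_quarterround, SALSA_DOUBLE, words, rounds)

def chacha_core(words, rounds=20):
    return core(chacha_quarterround, CHACHA_DOUBLE, words, rounds)

def words_le(data):
    return list(struct.unpack("<%dI" % (len(data) // 4), data))

def salsa20_block(key, nonce, counter, rounds=20):
    # Salsa20 expansion: constants on the diagonal, 64-bit nonce then 64-bit block counter in the middle.
    s, k = words_le(SIGMA), words_le(key)
    state = [s[0], *k[:4], s[1], *words_le(nonce),
             *words_le(struct.pack("<Q", counter)), s[2], *k[4:], s[3]]
    return struct.pack("<16I", *salsa_core(state, rounds))

def chacha20_block(key, nonce, counter, rounds=20):
    # ChaCha layout (RFC 7539): constants in row 0, key in rows 1-2, 32-bit counter + 96-bit nonce in row 3.
    state = words_le(SIGMA) + words_le(key) + [counter] + words_le(nonce)
    return struct.pack("<16I", *chacha_core(state, rounds))

def keystream(block_fn, key, nonce, length, rounds=20):
    out = bytearray()
    for ctr in range((length + 63) // 64):
        out += block_fn(key, nonce, ctr, rounds)
    return bytes(out[:length])

def encrypt(block_fn, key, nonce, data, rounds=20):
    # Encryption and decryption are the same xor; reusing a (key, nonce) pair leaks plaintext xor.
    return bytes(p ^ k for p, k in zip(data, keystream(block_fn, key, nonce, len(data), rounds)))

def poly1305_mac(msg, key):
    # Poly1305: evaluate the message as a polynomial mod 2^130-5 at the clamped point r, mask with s.
    # The 32-byte (r, s) key is one-time; a protocol must derive a fresh one per message/record.
    P = (1 << 130) - 5
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")   # 0x01 pad byte encodes block length
        acc = ((acc + n) * r) % P
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

if __name__ == "__main__":
    zero_key = bytes(32)
    print("Salsa20/20:", keystream(salsa20_block, zero_key, bytes(8), 16).hex())
    print("Salsa20/12:", keystream(salsa20_block, zero_key, bytes(8), 16, rounds=12).hex())
    print("ChaCha20  :", keystream(chacha20_block, zero_key, bytes(12), 16).hex())
    poly_key = bytes.fromhex("85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b")
    print("Poly1305  :", poly1305_mac(b"Cryptographic Forum Research Group", poly_key).hex())
```

The round count is an explicit argument so the two Salsa20 candidates can be compared side by side; the ChaCha block differs from the Salsa20 block only in the quarter-round, the index schedule and the position of the key, counter and nonce words, which is the substance of the ChaCha "variant" the message refers to. The Poly1305 routine is a one-time authenticator, which is why RFC 7539 pairs it with a ChaCha20 block to derive a per-record key; the message's hardware-efficiency concern about the MACs is about exactly this 130-bit modular multiplication.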