[TLS] Synopsis of CFRG discussions on new stream ciphers and MACs for TLS
"Igoe, Kevin M." <kmigoe@nsa.gov> Wed, 09 October 2013 16:50 UTC
From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: "'tls@ietf.org'" <tls@ietf.org>
Date: Wed, 09 Oct 2013 16:50:49 +0000
Message-ID: <3C4AAD4B5304AB44A6BA85173B4675CAB24E246F@MSMR-GH1-UEA03.corp.nsa.gov>
Subject: [TLS] Synopsis of CFRG discussions on new stream ciphers and MACs for TLS
As requested by the TLS WG during IETF-87, the CFRG discussed the suitability of the candidate stream ciphers and MACs proposed for use in TLS.

Three stream ciphers have been discussed:

* The original SALSA-20
* ChaCha, a variant of SALSA-20, modifying the prolog and epilog to increase efficiency.
* eStream SALSA-20 (hereafter eSALSA) reduces the number of rounds from 20 rounds in SALSA-20 down to 12 rounds in eSALSA.

The discussion of these stream ciphers boiled down to the following points:

* There seems to be substantial controversy over the efficiency of the various stream cipher candidates, especially when compared to AES counter modes. This needs to be straightened out before an informed decision can be made.

On the maturity of the cryptanalysis of the three stream ciphers:

* The analysis of SALSA-20 has been very thorough and the degree of confidence in SALSA-20 is very high.
* Though ChaCha has received slightly less analysis, the CFRG is confident that the analysis was sufficiently thorough that ChaCha is an acceptable alternative to SALSA-20.
* The RG was less comfortable with the maturity of the analysis of eSALSA, but no substantive objections were raised.

Cryptanalytically all three are almost certainly sufficient for use in TLS. The RG expressed a preference for ChaCha.

We were also asked our opinion on the MACs being considered, UMAC and POLY1305. No cryptanalytic issues were raised, though VMAC was suggested as a more efficient alternative to UMAC. The suitability of these MACs for efficient hardware implementation was questioned.

----------------+--------------------------------------------------
Kevin M. Igoe   | "We can't solve problems by using the same kind
kmigoe@nsa.gov  |  of thinking we used when we created them."
                |                       - Albert Einstein -
----------------+--------------------------------------------------
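The three stream ciphers in the synopsis share one skeleton (a 16-word state, alternating column and row/diagonal rounds, a final feed-forward addition) and differ only in the quarter-round function and the round count, while Poly1305 is a polynomial evaluation over the prime 2^130 - 5 masked by a one-time pad. The following Python is an added reference implementation, not part of the original message and not the code of any TLS proposal: it implements the Salsa20 and ChaCha cores with the round count as a parameter (20 for SALSA-20 and ChaCha, 12 for eSALSA, i.e. Salsa20/12) and a Poly1305 authenticator over a raw 32-byte one-time key. Assumptions: ChaCha uses the original 64-bit nonce / 64-bit counter layout; the function names are the example's own; how the Poly1305 key is derived (AES in Poly1305-AES, or stream-cipher keystream in the TLS proposal) is outside this block.

```python
# Added example (not from the original message): reference implementations of the
# three stream-cipher cores under discussion and of Poly1305, so the differences the
# CFRG summary refers to (quarter-round shape, round count) can be seen directly.
import struct

MASK = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"  # the four 32-bit constants shared by Salsa20 and ChaCha


def rotl(x, n):
    """32-bit rotate left."""
    return ((x << n) | (x >> (32 - n))) & MASK


def salsa_quarterround(y0, y1, y2, y3):
    """Salsa20 quarterround: four add-rotate-xor steps, each word updated once."""
    y1 ^= rotl((y0 + y3) & MASK, 7)
    y2 ^= rotl((y1 + y0) & MASK, 9)
    y3 ^= rotl((y2 + y1) & MASK, 13)
    y0 ^= rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3


def chacha_quarterround(a, b, c, d):
    """ChaCha quarter round: same ARX operation count, but each word is updated twice."""
    a = (a + b) & MASK; d = rotl(d ^ a, 16)
    c = (c + d) & MASK; b = rotl(b ^ c, 12)
    a = (a + b) & MASK; d = rotl(d ^ a, 8)
    c = (c + d) & MASK; b = rotl(b ^ c, 7)
    return a, b, c, d


# Word groups for one double round: even rounds use the first tuple, odd rounds the second.
SALSA_GROUPS = (
    ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)),  # column round
    ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)),  # row round
)
CHACHA_GROUPS = (
    ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)),  # column round
    ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)),  # diagonal round
)


def _core(state, qr, groups, rounds):
    """Run `rounds` rounds over a 16-word state, then add the input state back (feed-forward)."""
    if rounds % 2:
        raise ValueError("rounds must be even: rounds come in column/row pairs")
    x = list(state)
    for r in range(rounds):
        for idx in groups[r % 2]:
            x[idx[0]], x[idx[1]], x[idx[2]], x[idx[3]] = qr(*(x[i] for i in idx))
    return [(a + b) & MASK for a, b in zip(x, state)]


def salsa20_block(key, nonce, counter, rounds=20):
    """64-byte Salsa20/r block; rounds=20 is Salsa20, rounds=12 is eSTREAM Salsa20/12 (eSALSA)."""
    assert len(key) == 32 and len(nonce) == 8
    c = struct.unpack("<4I", SIGMA)
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    # Salsa20 layout: constants on the diagonal, key halves above and below, nonce/counter in the middle.
    state = [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
             counter & MASK, (counter >> 32) & MASK, c[2], k[4], k[5], k[6], k[7], c[3]]
    return struct.pack("<16I", *_core(state, salsa_quarterround, SALSA_GROUPS, rounds))


def chacha_block(key, nonce, counter, rounds=20):
    """64-byte ChaCha block; original layout assumed: constants, key, 64-bit counter, 64-bit nonce."""
    assert len(key) == 32 and len(nonce) == 8
    state = list(struct.unpack("<4I", SIGMA)) + list(struct.unpack("<8I", key))
    state += [counter & MASK, (counter >> 32) & MASK] + list(struct.unpack("<2I", nonce))
    return struct.pack("<16I", *_core(state, chacha_quarterround, CHACHA_GROUPS, rounds))


def stream_xor(block_fn, key, nonce, data, rounds=20):
    """Encrypt or decrypt `data` by XOR with the keystream of `block_fn` (block counter starts at 0)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = block_fn(key, nonce, i // 64, rounds)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def poly1305_mac(key, msg):
    """Poly1305 tag over `msg` with a raw 32-byte one-time key r||s (deriving s is out of scope here)."""
    assert len(key) == 32
    p = (1 << 130) - 5
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # clamp r
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # A 0x01 byte is appended to each block before it is read little-endian, so a short
        # final block cannot be confused with a full block ending in zero bytes.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(8)  # constructed demo values, not published test vectors
    msg = b"CFRG stream cipher demo"
    for name, fn, rounds in (("Salsa20", salsa20_block, 20), ("Salsa20/12", salsa20_block, 12),
                             ("ChaCha20", chacha_block, 20)):
        ct = stream_xor(fn, key, nonce, msg, rounds)
        assert stream_xor(fn, key, nonce, ct, rounds) == msg
        print(f"{name:10s} {ct.hex()}")
    print("poly1305   " + poly1305_mac(key, msg).hex())
```

The quarterround functions can be checked against the published vectors (the Salsa20 specification's quarterround examples and the ChaCha quarter-round vector in RFC 7539), and `poly1305_mac` against the RFC 7539 vector, whose message is, fittingly, "Cryptographic Forum Research Group". Note that the round count is the only thing that distinguishes eSALSA from SALSA-20 in this code, which is why the synopsis treats it as a question of cryptanalytic margin rather than design.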