Re: [TLS] Salsa20 and Poly1305 in TLS
Ben Laurie <benl@google.com> Tue, 30 July 2013 09:40 UTC
Return-Path: <benl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52B6721E80C8 for <tls@ietfa.amsl.com>; Tue, 30 Jul 2013 02:40:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nXjh1dijvZrr for <tls@ietfa.amsl.com>; Tue, 30 Jul 2013 02:40:52 -0700 (PDT)
Received: from mail-oa0-x22e.google.com (mail-oa0-x22e.google.com [IPv6:2607:f8b0:4003:c02::22e]) by ietfa.amsl.com (Postfix) with ESMTP id A13FE11E81C8 for <tls@ietf.org>; Tue, 30 Jul 2013 02:40:47 -0700 (PDT)
Received: by mail-oa0-f46.google.com with SMTP id l10so1291282oag.33 for <tls@ietf.org>; Tue, 30 Jul 2013 02:40:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=VzMQ+dUmZ2PIMwpDIfDEM2dCDJITBwHa3cOfRjR7Ysg=; b=g1xnkn2LbsPRiNsHV6vE7bPZOsL5i9fdcJKOsyw8ddJEwzjN38eLLCP95lVhIUpv3V jjqMGRHJd6PxwdW/7f+g/pOjs/NJs4i+Ex4mfu4RiaNOAG6Vycjbgw9h5IoiODpoWRCC z3Io7npO/2If/Nc8edM5dYNyfbAS2rFsPUbNTxpE2hVQ75lB5hf2eh+8ArPVB6NLAt00 sc0/R2ROIbuGBVxu2G9yt8RPDjmwVKm9U8nsnqKrMc88losUWqNOlUDR7InsgKLQi884 1+qY0AteehDxrYIpcjDJgfVUVMOgN0RXnk0lcmB7/f6ZyqBRU9oEMi/od9g97XdB/aiL hhhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=VzMQ+dUmZ2PIMwpDIfDEM2dCDJITBwHa3cOfRjR7Ysg=; b=AMraTTaKgGFls+SDG4vUOITjw/ufUhl1ODP6U9VFnhht0caX3yQ2qA5UEq8s9A2Aqu r3+IutHAi19w40pH14nbo8BOpjaS+gknxm/Q3lHb8RbxSmigmW08D4cC2JxzVk1auEQK 5RV7ERHfVTe4oDTQMXrbNqXsgaheZ/5LAjAygvRq9FaREgbIhrZJX47MwOXIMbgBhGFh 2t5soip5Nlw35bKPVVrrSzJK3r78MutyBennUoxyCXu5I5yrenBGS16JNMLdI97Diw3L EXfPupKxEzseXqiGXmrD6vdgjulRcZNmh+b912A5pAaGJG5J1ZBuNykV/0qvB0ONL52h KJmg==
MIME-Version: 1.0
X-Received: by 10.43.57.9 with SMTP id we9mr22159375icb.90.1375177227206; Tue, 30 Jul 2013 02:40:27 -0700 (PDT)
Received: by 10.64.230.239 with HTTP; Tue, 30 Jul 2013 02:40:27 -0700 (PDT)
In-Reply-To: <CAL9PXLySuS1gn8YisobYrbEnNpxJuYPbKB0qtkCOMnb+m90Jjg@mail.gmail.com>
References: <CAL9PXLySuS1gn8YisobYrbEnNpxJuYPbKB0qtkCOMnb+m90Jjg@mail.gmail.com>
Date: Tue, 30 Jul 2013 10:40:27 +0100
Message-ID: <CABrd9SRUNaWS-DDPy4+dVJUuaTfAnCo2SKhrMc8PPOKqiqf9tQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Adam Langley <agl@google.com>
Content-Type: multipart/alternative; boundary="bcaec51b1b9f21a44604e2b76651"
X-Gm-Message-State: ALoCoQk2NKJ6H6BSCyLaQTscQlC/HD6NRNP9PXPZaY3sD69wECeCz0MhPQPxbITAqL90m3wKbvK7pwClQdesdewx2PweJKquB7rg8BqcCjIb2Q7kFNJ2174zklQbTzBD2KA7BCot8bEegnrcn7pt5NvmW9HND+zPD3La63Sd9fxzoBhcROV0I/CDzM+j6MmVpZoSRqkVhihT
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Salsa20 and Poly1305 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2013 09:40:59 -0000
Also, defining ciphersuites for SSL 3, TLS 1.0/1.1 would be good, so we can use them despite downgrade attacks. On 29 July 2013 20:09, Adam Langley <agl@google.com> wrote: > I cannot make it to Berlin I'm afraid (or, indeed, any meetings until > at least IETF 91) so I'm writing my thoughts on > draft-josefsson-salsa20-tls-02, which is scheduled for discussion. > > We (Google) support the addition of Salsa20 as a cipher in TLS. Having > a secure cipher which is fast and constant time on all platforms is > important. It's also good to have an alternative to AES in the wings > should that be needed in the future. At the moment I consider RC4 and > AES-CBC to be mortally wounded, even if we have to continue supporting > them for many years yet. > > Salsa20/12 is something that we are currently working on supporting. > > However, I believe that Poly1305 is superior to UMAC and we're looking > at Salsa20/12+Poly1305, not UMAC. (Note: that's Poly1305 with the > nonce generated directly by Salsa20/12, not via AES.) > > (For the following, I used UMAC in nettle 2.7 and Andrew M's > implementation of Poly1305[1], both on a E5-2690@2.90GHz with > Hyperthreading and Turboboost disabled.) > > UMAC96 (with AES for the nonce generation) takes 9146.1ns to > authenticate 1K of data, HMAC-SHA1(1K) takes 3667ns and Poly1305 takes > 561.4ns. > > However, that's not the whole story for UMAC because it can use 1.5KB > of memory for precomputation, after which it can authenticate 1KB of > memory in just 329ns with that in L1. That's typically the headline > speed that's advertised. > > However, I consider cache pressure to be a way of cheating on > benchmarks :) Benchmarks don't show cache pressure until the algorithm > itself spills the L1 cache but, in a real system, cache costs. > > With the precomputed data only in L3 cache (tested by cycling through > 10,000 contexts), UMAC takes 922.16ns to authenticate 1KB. > > So UMAC may give a small benefit to cases with few, busy connections, > but it's a loss in the case where there are many connections (a > server), or a few connections, intermittently used (i.e. a web > browser). > > Additionally, Poly1305 can be written in a tweet(*), while UMAC is > dramatically more complex. Since they are both Wegman-Carter style > hashes I believe that they both have, fundamentally, well understood > security properties. (See [2] for a good overview.) > > Thus Poly1305 is looking much more attractive to us. > > > (* Here's an attempt in 159 chars: "Take msg in 16 byte chunks. Append > 1 to each msg chunk&0-pad to 17 bytes. Interpt little-endian. Calc > polynom in key[:16] mod 2^130-5. Add key[:16]. Mod 2^128.") > > [1] https://github.com/floodyberry/poly1305-donna > [2] http://eprint.iacr.org/2013/144.pdf > > > Cheers > > AGL > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] Salsa20 and Poly1305 in TLS Rene Struik
- Re: [TLS] Salsa20 and Poly1305 in TLS Nick Mathewson
- Re: [TLS] Salsa20 and Poly1305 in TLS Ted Krovetz
- [TLS] Salsa20 and Poly1305 in TLS Adam Langley
- Re: [TLS] Salsa20 and Poly1305 in TLS Nico Williams
- Re: [TLS] Salsa20 and Poly1305 in TLS Nikos Mavrogiannopoulos
- Re: [TLS] Salsa20 and Poly1305 in TLS Ben Laurie
- Re: [TLS] Salsa20 and Poly1305 in TLS Adam Langley
- Re: [TLS] Salsa20 and Poly1305 in TLS Adam Langley
- Re: [TLS] Salsa20 and Poly1305 in TLS Geoffrey Keating
- Re: [TLS] Salsa20 and Poly1305 in TLS Adam Langley
- Re: [TLS] Salsa20 and Poly1305 in TLS Adam Langley
- Re: [TLS] Salsa20 and Poly1305 in TLS Adam Langley
- Re: [TLS] Salsa20 and Poly1305 in TLS Ben Laurie
- Re: [TLS] Salsa20 and Poly1305 in TLS Adam Langley
- Re: [TLS] Salsa20 and Poly1305 in TLS Ted Krovetz
- Re: [TLS] Salsa20 and Poly1305 in TLS Simon Josefsson
- Re: [TLS] Salsa20 and Poly1305 in TLS Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Salsa20 and Poly1305 in TLS Ted Krovetz