Re: [TLS] comparison of draft-josefsson-salsa20-tls-02 and draft-agl-tls-chacha20poly1305-02

Adam Langley <agl@google.com> Wed, 23 October 2013 16:46 UTC

In-Reply-To: <5267FAA7.80601@gnutls.org>
References: <526797EE.2000206@gnutls.org> <CAL9PXLyguGgFtb9NqbkvrL82fV-Aj=HFJiex-Hu32xEec=9SLQ@mail.gmail.com> <5267E276.9050107@gnutls.org> <CAL9PXLzCTcaAHF5N_YiBaz+kP5ez6KaPkhOLfCPsSJ9jfCxehQ@mail.gmail.com> <5267FAA7.80601@gnutls.org>
From: Adam Langley <agl@google.com>
Date: Wed, 23 Oct 2013 12:46:03 -0400
Message-ID: <CAL9PXLwWXO9O487SXz8UDXcCrMVRXS4NhzwK9LxO-r8qoHSC1g@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Cc: "tls@ietf.org" <tls@ietf.org>, =?UTF-8?Q?Joachim_Str=C3=B6mbergson?= <joachim@secworks.se>
Subject: Re: [TLS] comparison of draft-josefsson-salsa20-tls-02 and draft-agl-tls-chacha20poly1305-02

On Wed, Oct 23, 2013 at 12:34 PM, Nikos Mavrogiannopoulos
<nmav@gnutls.org> wrote:
> I had assumed that you used the Poly1305-AES construction but with
> Chacha in place of AES. Clearly this isn't the case, and even the
> attacks described may not apply to your construction. I have not seen
> this construction before. It looks pretty elegant. Has it been used
> somewhere else?

I lifted it from NaCl, see section 9 of
http://cr.yp.to/highspeed/naclcrypto-20090310.pdf.

The difference is that the ChaCha AEAD doesn't use HChaCha, because
the extended nonce isn't useful, and it moves the authenticator from
the beginning to the end of the output because that fits more easily
into existing code bases.


Cheers

AGL
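The construction described in the message above, as an added example that is not part of this e-mail, of NaCl, or of either draft: the first 64-byte ChaCha20 block (counter 0) yields the 32-byte one-time Poly1305 key, the data is encrypted with the keystream from block 1 onward, there is no HChaCha key/nonce extension step, and the 16-byte authenticator is appended to the ciphertext rather than prepended as in NaCl's crypto_secretbox. Two details are not stated on this page and are assumptions: the draft-agl state layout (64-bit block counter in words 12-13, 64-bit nonce in words 14-15) and the Poly1305 input layout (AAD, AAD length as 8 little-endian bytes, ciphertext, ciphertext length as 8 little-endian bytes). The key, nonce and AAD in the demo are constructed sample values.

```python
"""ChaCha20-Poly1305 AEAD in the NaCl-style layout described above.

Assumed (not stated in the message): 64-bit counter / 64-bit nonce ChaCha20
state split, and MAC input = aad || le64(len(aad)) || ct || le64(len(ct)).
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF
P1305 = (1 << 130) - 5  # Poly1305 prime


def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 block: 256-bit key, 64-bit block counter
    (state words 12-13), 64-bit nonce (words 14-15). Assumed draft-agl layout."""
    assert len(key) == 32 and len(nonce) == 8
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key)
    state += [counter & MASK32, (counter >> 32) & MASK32]
    state += struct.unpack("<2L", nonce)
    w = list(state)
    for _ in range(10):  # 20 rounds = 10 double rounds (column, then diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key, nonce, data, counter):
    """XOR data with the ChaCha20 keystream starting at the given block counter."""
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], keystream))
    return bytes(out)


def poly1305_mac(key, msg):
    """Poly1305 tag of msg under a one-time 32-byte key (r || s)."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:32], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        n = int.from_bytes(block, "little") | (1 << (8 * len(block)))  # append 0x01
        acc = ((acc + n) * r) % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _mac_input(aad, ciphertext):
    # Assumed draft-agl layout: aad, le64(len(aad)), ciphertext, le64(len(ciphertext)).
    return aad + struct.pack("<Q", len(aad)) + ciphertext + struct.pack("<Q", len(ciphertext))


def aead_seal(key, nonce, aad, plaintext):
    """Returns ciphertext || 16-byte tag (tag at the end, as in the ChaCha draft)."""
    poly_key = chacha20_block(key, 0, nonce)[:32]        # block 0 -> one-time MAC key
    ciphertext = chacha20_xor(key, nonce, plaintext, 1)  # data keystream starts at block 1
    return ciphertext + poly1305_mac(poly_key, _mac_input(aad, ciphertext))


def aead_open(key, nonce, aad, sealed):
    """Returns the plaintext, or None if the tag does not verify."""
    if len(sealed) < 16:
        return None
    ciphertext, tag = sealed[:-16], sealed[-16:]
    poly_key = chacha20_block(key, 0, nonce)[:32]
    expected = poly1305_mac(poly_key, _mac_input(aad, ciphertext))
    if not hmac.compare_digest(expected, tag):  # constant-time compare, verify before decrypt
        return None
    return chacha20_xor(key, nonce, ciphertext, 1)


if __name__ == "__main__":
    key = bytes(range(32))                       # constructed sample key, not a real secret
    nonce = b"\x00\x01\x02\x03\x04\x05\x06\x07"  # constructed sample nonce
    aad = b"constructed record header"
    sealed = aead_seal(key, nonce, aad, b"hello, TLS")
    print(sealed.hex())
    assert aead_open(key, nonce, aad, sealed) == b"hello, TLS"
    assert aead_open(key, nonce, aad, sealed[:-1] + bytes([sealed[-1] ^ 1])) is None
```

Because the Poly1305 key is derived from block 0 of the keystream, it is unique only as long as the (key, nonce) pair is; reusing a nonce under this construction leaks the XOR of plaintexts and reuses the one-time MAC key, so the sender must never repeat a nonce. The ChaCha20 block function and Poly1305 above can be checked against the RFC 8439 vectors by mapping the RFC's 32-bit counter and 96-bit nonce onto the 64/64 split used here.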