[TLS] Comments on

nisse@lysator.liu.se (Niels Möller ) Thu, 13 February 2014 10:12 UTC

From: nisse@lysator.liu.se
To: agl@google.com, wtc@google.com
Date: Thu, 13 Feb 2014 11:11:58 +0100
Message-ID: <nnha83nwy9.fsf@bacon.lysator.liu.se>
Cc: tls@ietf.org
Subject: [TLS] Comments on

Hi,

I have a couple of comments on
https://datatracker.ietf.org/doc/draft-agl-tls-chacha20poly1305/?include_text=1
I hope cc:ing the tls ietf list is appropriate (I'm not involved in this
wg).

1. It would be nice with a couple of additional test cases for
   AEAD_CHACHA20_POLY1305. In particular for the corner cases of empty
   associated data and/or empty plaintext.

2. The input to the poly1305mac is defined as

     ad | length(ad) | cryptotext | length(cryptotext)

   As far as I understand, this is a bit redundant, since the second
   length field is sufficient to make the encoding injective. Does using
   two length fields increase security in some subtle way?

   At least in my implementation, the length(ad) field causes some
   additional complexity, so

     ad | cryptotext | length(cryptotext)

   would be preferable. I'm not sure if this draft should be read as
   proposing a new aead construction, or if it documents an algorithm
   which is already deployed; in the latter case changes like this can't
   be made easily, of course.

3. Do you think reduced round variants of chacha make sense? If not,
   the name "chacha-poly1305" is nicer than "chacha20-poly1305".

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
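The two MAC-input layouts compared in point 2, as an added illustration that is not part of the mail or of the draft: both are encoded, the proposed single-length layout is parsed back to (ad, cryptotext) to show that one length field already makes it injective, and the corner cases from point 1 (empty associated data, empty plaintext) are among the constructed inputs. Each length field is assumed to be a 64-bit little-endian integer, as in the draft.

```python
import struct

def le64(n: int) -> bytes:
    """Encode a length as an unsigned 64-bit little-endian integer (assumed draft format)."""
    return struct.pack("<Q", n)

def mac_input_draft(ad: bytes, ct: bytes) -> bytes:
    """ad | length(ad) | cryptotext | length(cryptotext), the draft's layout."""
    return ad + le64(len(ad)) + ct + le64(len(ct))

def mac_input_proposed(ad: bytes, ct: bytes) -> bytes:
    """ad | cryptotext | length(cryptotext), the variant proposed in the mail."""
    return ad + ct + le64(len(ct))

def parse_proposed(data: bytes) -> tuple:
    """Recover (ad, ct): the trailing length fixes the split point, so the parse is unique."""
    if len(data) < 8:
        raise ValueError("missing length(cryptotext) field")
    (ct_len,) = struct.unpack("<Q", data[-8:])
    body = data[:-8]
    if ct_len > len(body):
        raise ValueError("length(cryptotext) exceeds available bytes")
    return body[: len(body) - ct_len], body[len(body) - ct_len :]

def parse_draft(data: bytes) -> tuple:
    """Recover (ad, ct) from the draft layout; length(ad) is only cross-checked."""
    head, ct = parse_proposed(data)  # head is ad | length(ad)
    if len(head) < 8:
        raise ValueError("missing length(ad) field")
    (ad_len,) = struct.unpack("<Q", head[-8:])
    ad = head[:-8]
    if ad_len != len(ad):
        raise ValueError("length(ad) does not match the associated data")
    return ad, ct

def encodings_are_injective(cases) -> bool:
    """True if no two distinct (ad, ct) pairs collide under either layout and every encoding parses back."""
    seen_draft, seen_prop = {}, {}
    for ad, ct in cases:
        d, p = mac_input_draft(ad, ct), mac_input_proposed(ad, ct)
        if seen_draft.setdefault(d, (ad, ct)) != (ad, ct) or seen_prop.setdefault(p, (ad, ct)) != (ad, ct):
            return False
        if parse_draft(d) != (ad, ct) or parse_proposed(p) != (ad, ct):
            return False
    return True

# Constructed corner cases: empty ad / empty plaintext as requested in point 1, plus
# pairs whose bare concatenation ad + ct is the same "abc" and would collide without a length.
CASES = [(b"", b""), (b"", b"x"), (b"hdr", b""), (b"ab", b"c"), (b"a", b"bc"), (b"abc", b"")]
```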