Re: [TLS] comparison of draft-josefsson-salsa20-tls-02 and draft-agl-tls-chacha20poly1305-02

Nikos Mavrogiannopoulos <nmav@gnutls.org> Wed, 23 October 2013 16:34 UTC

Date: Wed, 23 Oct 2013 18:34:47 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: Adam Langley <agl@google.com>
Cc: "tls@ietf.org" <tls@ietf.org>, Joachim Strömbergson <joachim@secworks.se>

On 10/23/2013 04:58 PM, Adam Langley wrote:
> On Wed, Oct 23, 2013 at 10:51 AM, Nikos Mavrogiannopoulos
> <nmav@gnutls.org> wrote:
>> As far as I understand you use chacha to generate the keystream for
>> poly1305. Thus you carry state between records (chacha is a stream
>> cipher). I don't know if I have missed anything there, but I don't see
>> resetting chacha with a new IV per MAC calculation.
> 
> There is no state carried between records: "ChaCha20 is run with the
> given key and nonce and with the two counter words set to zero. The
> first 32 bytes of the 64 byte output are saved to become the one-time
> key for Poly1305." (The nonce is the sequence number of the record.)
> (http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-00#section-5)

I had assumed that you used the Poly1305-AES construction but with
Chacha in place of AES. Clearly this isn't the case, and even the
attacks described may not apply to your construction. I have not seen
this construction before. It looks pretty elegant. Has it been used
somewhere else?

regards,
Nikos
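The per-record key derivation Adam quotes above, written out as an added example (this is not code from the thread or from either draft): ChaCha20 is run once with the record-layer key, the nonce set to the record sequence number and the block counter at zero, and the first 32 bytes of that block become the one-time Poly1305 key. Because each key is a pure function of (key, sequence number), no keystream state survives from one record to the next. The big-endian encoding of the 64-bit sequence number into the 8-byte nonce is an assumption made here.

```python
# Added example: ChaCha20 block function (original 64-bit nonce / 64-bit counter
# layout) and the per-record Poly1305 key derivation described in the thread.
import struct

MASK32 = 0xFFFFFFFF

def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte ChaCha20 output block: 32-byte key, 8-byte nonce, 64-bit counter."""
    assert len(key) == 32 and len(nonce) == 8
    state = list(struct.unpack('<4L', b'expand 32-byte k'))   # constants
    state += struct.unpack('<8L', key)                          # words 4..11
    state += struct.unpack('<2L', struct.pack('<Q', counter))   # words 12..13
    state += struct.unpack('<2L', nonce)                        # words 14..15
    work = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack('<16L', *[(w + s) & MASK32 for w, s in zip(work, state)])

def record_poly1305_key(key: bytes, seq_num: int) -> bytes:
    """One-time Poly1305 key for a record: ChaCha20(key, nonce=seq, counter=0)[:32].

    Byte order of the sequence number in the nonce is an assumption (TLS
    sequence numbers are big-endian on the wire).  Nothing here depends on
    any earlier record, so per-record keys are independent of record order.
    """
    nonce = struct.pack('>Q', seq_num)
    return chacha20_block(key, nonce, 0)[:32]

if __name__ == '__main__':
    k = bytes(range(32))  # constructed sample key
    for seq in (0, 1, 2):
        print(seq, record_poly1305_key(k, seq).hex())
```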