Re: [TLS] Salsa20 and Poly1305 in TLS
Ted Krovetz <ted@krovetz.net> Tue, 30 July 2013 03:03 UTC
> However, I believe that Poly1305 is superior to UMAC and we're looking
> at Salsa20/12+Poly1305, not UMAC. (Note: that's Poly1305 with the
> nonce generated directly by Salsa20/12, not via AES.)

The key agility in a simple poly hash is certainly much better than that of UMAC, and I agree that UMAC is not appropriate for some usage scenarios. I don't know enough about TLS usage, however, to comment on whether UMAC is a bad choice.

A couple of alternatives that may be worth considering...

-- In an attempt to simplify from UMAC, I developed VMAC as an alternative that uses considerably less internal key and is significantly faster on 64-bit architectures. Even from L3 cache it is probably 2-3 times faster than Poly1305.

http://fastcrypto.org/vmac/
http://krovetz.net/csus/papers/vhash-revise.pdf
http://krovetz.net/csus/papers/vmac.pdf

-- I'd also suggest using Bernstein's Chacha instead of Bernstein's Salsa. It has the same core as Salsa, but Bernstein cleaned up the rough edges of its prolog and epilog, making it smaller, faster and nicer to program. Chacha is basically a better Salsa.

http://cr.yp.to/chacha.html

-Ted
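Added example, not part of the original message or of any draft discussed in the thread: a compact Poly1305 following RFC 8439 section 2.5, showing that the whole per-key setup of a simple polynomial hash is one split and one mask, which is the "key agility" point made above. It assumes the 32-byte one-time key is handed in by the caller (for instance taken from stream cipher output); the function names are illustrative and the test vector is the one from RFC 8439 section 2.5.2.

```python
"""Poly1305 one-time MAC per RFC 8439 section 2.5 (added, illustrative example).

Python big-integer arithmetic is not constant time; use a vetted library
in production. The point here is how little per-key state there is.
"""
import hmac

P = (1 << 130) - 5                             # the prime 2^130 - 5
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff   # mask that clears the forbidden bits of r


def key_setup(one_time_key: bytes):
    """All per-key work: split 32 bytes into (r, s) and clamp r."""
    if len(one_time_key) != 32:
        raise ValueError("Poly1305 needs a 32-byte one-time key")
    r = int.from_bytes(one_time_key[:16], "little") & R_CLAMP
    s = int.from_bytes(one_time_key[16:], "little")
    return r, s


def poly1305_tag(one_time_key: bytes, msg: bytes) -> bytes:
    """Evaluate the message polynomial at r modulo P, then add s mod 2^128."""
    r, s = key_setup(one_time_key)
    acc = 0
    for i in range(0, len(msg), 16):
        # Each chunk (up to 16 bytes) is read little-endian with 0x01 appended.
        block = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = (acc + block) * r % P
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def verify(one_time_key: bytes, msg: bytes, tag: bytes) -> bool:
    """Compare tags without an early exit on the first differing byte."""
    return hmac.compare_digest(poly1305_tag(one_time_key, msg), tag)


# Test vector from RFC 8439 section 2.5.2.
RFC_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                        "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    print(poly1305_tag(RFC_KEY, RFC_MSG).hex())
```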