Re: [TLS] Salsa20 and Poly1305 in TLS

Ted Krovetz <ted@krovetz.net> Tue, 30 July 2013 03:03 UTC

From: Ted Krovetz <ted@krovetz.net>
In-Reply-To: <CADi0yUNPENmF9G=oiteRuZ3tXn4JFMOEuMsnD9Ean6arjWveKw@mail.gmail.com>
Date: Mon, 29 Jul 2013 17:03:44 -1000
Message-Id: <23D5606B-9225-4428-99AA-EC66C93D4088@krovetz.net>
References: <CAL9PXLySuS1gn8YisobYrbEnNpxJuYPbKB0qtkCOMnb+m90Jjg@mail.gmail.com> <CADi0yUNPENmF9G=oiteRuZ3tXn4JFMOEuMsnD9Ean6arjWveKw@mail.gmail.com>
To: tls@ietf.org
Subject: Re: [TLS] Salsa20 and Poly1305 in TLS

> However, I believe that Poly1305 is superior to UMAC and we're looking
> at Salsa20/12+Poly1305, not UMAC. (Note: that's Poly1305 with the
> nonce generated directly by Salsa20/12, not via AES.)

The key agility in a simple poly hash is certainly much better than that of UMAC, and I agree that UMAC is not appropriate for some usage scenarios. I don't know enough about TLS usage, however, to comment on whether UMAC is a bad choice.

A couple of alternatives that may be worth considering...

--

In an attempt to simplify from UMAC, I developed VMAC as an alternative that uses considerably less internal key and is significantly faster on 64-bit architectures. Even from L3 cache it is probably 2-3 times faster than Poly1305.

http://fastcrypto.org/vmac/
http://krovetz.net/csus/papers/vhash-revise.pdf
http://krovetz.net/csus/papers/vmac.pdf

--

I'd also suggest using Bernstein's ChaCha instead of Bernstein's Salsa. It has the same core as Salsa, but Bernstein cleaned up the rough edges of its prolog and epilog, making it smaller, faster and nicer to program. ChaCha is basically a better Salsa.

http://cr.yp.to/chacha.html

-Ted
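The Salsa/ChaCha contrast above, as an added example that is not code from the post or from any of the linked projects: the two quarter rounds side by side, plus a ChaCha20 block function in the RFC 8439 layout (96-bit nonce, 32-bit counter, which postdates this 2013 thread; Bernstein's original ChaCha used a 64-bit nonce and 64-bit counter) checked against that RFC's block test vector. All names and the test-vector helper are this example's own.

```python
import struct

MASK = 0xFFFFFFFF

def rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK

def salsa_quarterround(y0, y1, y2, y3):
    """Salsa20 quarter round: each word is XORed with a rotated sum of the two before it."""
    y1 ^= rotl((y0 + y3) & MASK, 7)
    y2 ^= rotl((y1 + y0) & MASK, 9)
    y3 ^= rotl((y2 + y1) & MASK, 13)
    y0 ^= rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3

def chacha_quarterround(a, b, c, d):
    """ChaCha quarter round: add-rotate-xor, updating every word twice per call."""
    a = (a + b) & MASK; d = rotl(d ^ a, 16)
    c = (c + d) & MASK; b = rotl(b ^ c, 12)
    a = (a + b) & MASK; d = rotl(d ^ a, 8)
    c = (c + d) & MASK; b = rotl(b ^ c, 7)
    return a, b, c, d

# Column and diagonal index sets of the 4x4 ChaCha state (16 little-endian words).
COLUMNS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONALS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 8439 layout: 256-bit key, 32-bit counter, 96-bit nonce)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("expected a 32-byte key and a 12-byte nonce")
    # Prolog: the constant "expand 32-byte k", then key, counter and nonce, as little-endian words.
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    x = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds: a column round followed by a diagonal round
        for a, b, c, d in COLUMNS + DIAGONALS:
            x[a], x[b], x[c], x[d] = chacha_quarterround(x[a], x[b], x[c], x[d])
    # Epilog: add the initial state back in and serialize little-endian.
    return struct.pack("<16I", *((x[i] + state[i]) & MASK for i in range(16)))

def rfc8439_block_vector():
    """Keystream block of RFC 8439 section 2.3.2: key 00..1f, counter 1, nonce 00:00:00:09:00:00:00:4a:00:00:00:00."""
    return chacha20_block(bytes(range(32)), 1, bytes.fromhex("000000090000004a00000000"))
```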