[TLS] ChaCha20 + Poly1305 in TLS
Adam Langley <agl@google.com> Tue, 10 September 2013 15:23 UTC
Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1500021F99DE for <tls@ietfa.amsl.com>; Tue, 10 Sep 2013 08:23:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.771
X-Spam-Level:
X-Spam-Status: No, score=-0.771 tagged_above=-999 required=5 tests=[AWL=-1.207, BAYES_40=-0.185, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e9Sph7W2bGQn for <tls@ietfa.amsl.com>; Tue, 10 Sep 2013 08:23:15 -0700 (PDT)
Received: from mail-ie0-x235.google.com (mail-ie0-x235.google.com [IPv6:2607:f8b0:4001:c03::235]) by ietfa.amsl.com (Postfix) with ESMTP id 3883311E81B6 for <tls@ietf.org>; Tue, 10 Sep 2013 08:22:59 -0700 (PDT)
Received: by mail-ie0-f181.google.com with SMTP id y16so10532423ieg.26 for <tls@ietf.org>; Tue, 10 Sep 2013 08:22:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type :content-transfer-encoding; bh=gbJ1jkclRYxuUPI73n7pYu1KCydsHHHAVq+L8FSUUX0=; b=TW6n0dtARX9DODRZq9Jo3MPQ/r33ctt04wFH8sZtH7IA8ft31bflm1y2X+MoCicvH0 vBs/rj9pDQuox3RmsPznnDga5LcttiMav/pt85+WT0gWkmoZY/kqAJMxuq9w8nvsFYq2 EJHfwAqvGMViolMr2CPFovZJ/nF/ANWdHAg4Qu7I3s3n3w2ExJ1yrnSVMNeMPQLcws5F PpPBE8iqcK4SH6HH7L44EraR80Ue8wbnyXYvXSGs4vhy7SPcbHOclSYNeH/3fFUhChgg 9ksTIPpYGSr1WOoZTECkprmSYMpjuDiAf8SwmGq5vCaUxHUuvnADzUWRV7pWbs7/G0b+ trIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type:content-transfer-encoding; bh=gbJ1jkclRYxuUPI73n7pYu1KCydsHHHAVq+L8FSUUX0=; b=AgigY8inHj3hNakQNrcW81Y0V9vZ2TfYrxliBNZEYGnsL0qYX/9A4AfmCle5BucfUb k19onF0utwsvVN8tYO4FOqXv5bEmnP+1M/n0TbXnZRTaAXDf/CwHwEZvv+7pP8q6IW+V 0vTcDgflCJg7tIduuRkUaAZN0ROwGao7USVma8e0u62almAmITLgjiN2UHSrOn6xEesn wUEiCpXD2CfdMk97LS/OhxTZFoKiBWYq3JbyZ2jZWwaOkehlcDsLonfbRruJjoVjEU24 Oz6sfkKTTDdJsfruyKuUtLdz6vVS/SwWQg99F3htKOWmfL9FcgIjGW//K8J1rQaNyE7F XpYg==
X-Gm-Message-State: ALoCoQlXb+DXCYFKzl4l38yC356vWigeS54qycZLvT8ZUo8iDIZVA/r+X69o46I+7Jmcztj1JxR9+Rzuy4ZyKpsp3dxpoSZ8+g3PQGUa9+6celOqUKUmKaSfFvTlB0Dv5iC5wBaPHB1ilrHEbU7SFHjCFMDf+8p0jn31cVYZ9kcx+zPteLCUwgST8hYooqJXf1HTykBQRPX7
X-Received: by 10.43.126.68 with SMTP id gv4mr16884icc.48.1378826578763; Tue, 10 Sep 2013 08:22:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.245.228 with HTTP; Tue, 10 Sep 2013 08:22:38 -0700 (PDT)
From: Adam Langley <agl@google.com>
Date: Tue, 10 Sep 2013 11:22:38 -0400
Message-ID: <CAL9PXLyLre-fySOY2H4oLAwSxiBmG+mnrJe9YiD9+OHmPVG-oA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: [TLS] ChaCha20 + Poly1305 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2013 15:23:16 -0000
I've just posted a draft defining ChaCha20+Poly1305 cipher suites for TLS: https://datatracker.ietf.org/doc/draft-agl-tls-chacha20poly1305/ (To those who might not read this mailing list all the time, this was prompted by attacks on RC4 and CBC mode earlier this year and is not a response to any recent press stories.) Neither RC4 nor the current CBC modes are looking very attractive in light of recent attacks. AES-GCM is in the process of being deployed but both AES and GHASH are very troublesome to implement in software in a way that is fast, secure and has good key agility. Modern Intel chips implement AES-GCM in hardware and future, high-end ARM chips may also. But I expect that there will always be a large number of devices without that capability and there are currently no good options for them in TLS. I know that Nikos presented about using Salsa20+UMAC at the last meeting and, although close to this proposal, I obviously made some different choices. I picked ChaCha20 over Salsa20. ChaCha20[1] is a tweak of Salsa20 to achieve better diffusion. It is conjectured to be stronger than Salsa20 and an attack against a reduced round Salsa20 in [2] broke one fewer rounds of ChaCha20. ChaCha20 received some positive remarks at the CFRG[3] and is slightly faster. Salsa20 has been the target of more analysis. Overall, I weakly preferred ChaCha20 over Salsa20. I picked Poly1305 over UMAC/VMAC. UMAC/VMAC have a clear speed advantage (~2x) on high-end chips when key agility isn't important and Nikos indicated that such a scenario is important to him[4]. However, I think that use case is likely to be met with hardware AES-GCM implementations. Otherwise, I like the conceptual simplicity of Poly1305, the lack of precomputed tables, and the theoretical benefits of randomly varying the point at which the polynomial is evaluated. It is also currently slightly faster on ARM, although in single-key benchmarks I suspect that advantage could be eliminated with more optimisation, based on the x86-64 numbers. Overall, Poly1305 over [UV]MAC was a clearer choice than ChaCha vs Salsa. ChaCha20 is very simple and even a completely naïve implementation will be secure. Poly1305 is somewhat more complex to implement but again lends itself to secure implementations. Several high-quality, optimised, public domains implementations are available of each. I have implemented this draft in NSS and OpenSSL. No heroic optimisation was done, but I used implementations by Andrew Moon, Ted Krovetz, djb and Peter Schwabe. The following numbers are encryption rates for a 1K block size with with AES-128-GCM or ChaCha20+Poly1305. The AES-128-GCM implementation is OpenSSL 1.0.1e compiled with gcc 4.6.3 and -O3, unless other compiler flags are noted. On an E5-2690@2.90GHz with Hyperthreading and Turboboost disabled: AES-128-GCM, AES-NI disabled: 131 MB/s AES-128-GCM, AES-NI enabled: 311 MB/s AES-128-GCM, AES-NI enabled & -march=native: 308 MB/s ChaCha20+Poly1305: 420 MB/s ChaCha20+Poly1305, -march=native: 560 MB/s On a Galaxy Nexus (ARM Cortex-A9@1.2GHz) gcc 4.7: AES-128-GCM: 27 MB/s ChaCha20+Poly1305: 78 MB/s Note that I'm being rather unfair to ChaCha20 here: I'm comparing 128-bit AES against a 256-bit ChaCha20. Intel suggests[5] that an E5-2690 (Sandy Bridge) should be able to do AES-128-GCM in ~2.55 cycles/byte, giving speeds of ~1.1GB/s. Possibly I've messed something up with OpenSSL, or the implementation in OpenSSL 1.0.1e is underperforming, but I'm reporting what I see. Of course, in general, one is not going to beat dedicated hardware in software. When both parties to a TLS connection have AES-GCM hardware implementations then AES-GCM is likely to be the most performant option. Cheers AGL [1] http://cr.yp.to/chacha/chacha-20080128.pdf [2] http://eprint.iacr.org/2007/472.pdf, section 3.5. [3] http://www.ietf.org/mail-archive/web/cfrg/current/msg03491.html [4] http://www.ietf.org/mail-archive/web/tls/current/msg09712.html [5] http://2013.diac.cr.yp.to/slides/gueron.pdf, page 17.
- [TLS] ChaCha20 + Poly1305 in TLS Adam Langley
- Re: [TLS] ChaCha20 + Poly1305 in TLS Yoav Nir
- Re: [TLS] ChaCha20 + Poly1305 in TLS Adam Langley
- Re: [TLS] ChaCha20 + Poly1305 in TLS Dr Stephen Henson
- Re: [TLS] ChaCha20 + Poly1305 in TLS Ben Laurie
- Re: [TLS] ChaCha20 + Poly1305 in TLS Adam Langley
- Re: [TLS] ChaCha20 + Poly1305 in TLS Yoav Nir
- Re: [TLS] ChaCha20 + Poly1305 in TLS Adam Langley
- Re: [TLS] ChaCha20 + Poly1305 in TLS Dr Stephen Henson
- Re: [TLS] ChaCha20 + Poly1305 in TLS Martin Rex
- Re: [TLS] ChaCha20 + Poly1305 in TLS Wan-Teh Chang
- Re: [TLS] ChaCha20 + Poly1305 in TLS Adam Langley
- Re: [TLS] ChaCha20 + Poly1305 in TLS Adam Langley