IETF Logo Mail Archive

Re: [TLS] Comments on draft-nir-cfrg-chacha20-poly1305-02

Adam Langley <agl@imperialviolet.org> Thu, 08 May 2014 17:35 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 494771A0087 for <tls@ietfa.amsl.com>; Thu, 8 May 2014 10:35:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L_CDcdgg2p1t for <tls@ietfa.amsl.com>; Thu, 8 May 2014 10:35:22 -0700 (PDT)
Received: from mail-lb0-x22b.google.com (mail-lb0-x22b.google.com [IPv6:2a00:1450:4010:c04::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 8AA521A007D for <tls@ietf.org>; Thu, 8 May 2014 10:35:22 -0700 (PDT)
Received: by mail-lb0-f171.google.com with SMTP id 10so4025178lbg.2 for <tls@ietf.org>; Thu, 08 May 2014 10:35:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=mJColv5GmuvfGZnN5uUH0NzBCXNlqweSpA82E0b3M7I=; b=DjwHjVNXEcOrg1+xOSz7bNbc2vD5QyZ3RA/nfQB5ogZGOsf8U/FxW0FkOeGKMI2S35 cqESRD39sIoqrvhbg3HFMOBc+RBdDzPRe1uzFEARMRTTJgZNRW/291EpYKteFXaQseUt MPJpdbE8Lv5YhxwDPzhRY3/WVRBEGNfcxm9VL98ZqfuUveAJWvLefYZfr9Md8Xmd7/Xa p2U+UoE49PEqb85UBBxA7kwQDEEtgbpNCCgDw6Z6Q8hQLTc8EAiKwcyyFw+azGM67e+z hd+/VDxe8flGgAcWp+O37rH4BFqiZVnJBWqVl4AHE7wBUk/Vthey/rgS/NAHDmIj27zL +bcQ==
MIME-Version: 1.0
X-Received: by 10.112.164.148 with SMTP id yq20mr5912257lbb.22.1399570517251; Thu, 08 May 2014 10:35:17 -0700 (PDT)
Sender: alangley@gmail.com
Received: by 10.112.5.68 with HTTP; Thu, 8 May 2014 10:35:17 -0700 (PDT)
In-Reply-To: <nniopgn2sr.fsf@bacon.lysator.liu.se>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se> <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com> <nniopgn2sr.fsf@bacon.lysator.liu.se>
Date: Thu, 08 May 2014 10:35:17 -0700
X-Google-Sender-Auth: _wn7UXQ84YGSu-qhLvy6GVFyjxQ
Message-ID: <CAMfhd9VsetxqazXdmDPTDCJJqC5jNr1LVC-qsgPM9RRSBXSTqA@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: Niels Möller <nisse@lysator.liu.se>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ats8Kuz8Zo4ccp6zKCgTY4WLG7Y
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on draft-nir-cfrg-chacha20-poly1305-02
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 17:35:24 -0000

On Thu, May 8, 2014 at 12:32 AM, Niels Möller <nisse@lysator.liu.se> wrote:
> Is this something you'd want to address? After all, high performance is
> one of the primary design goals for both chacha and poly1305. The easiest
> way I see is to change the formatting for authentication to
>
>   ad | pad1 | cryptotext | pad2 | length(ad) | length(cryptotext)

I think this might be a good idea, thanks!

I happen to be meeting with some hardware folks tomorrow (although not
about this) and I'll see whether they agree that this would be useful.
(Although I'm less sure about moving the lengths to the end.)

> There are some other possibilities, taking advantage of the fact that
> poly1305 has an unambibuous encoding for short blocks. E.g, if the ad is
> the single byte "a", 0x61, zero-padding produces the poly1305
> coefficient 0x10000000000000061, but one could also represent it as
> 0x161, as is specified for a final, short, block in poly1305-aes. With
> some care, I think one could even drop both length fields. What's needed
> is to use the poly1305 short block encoding for the final ad and crypto
> text blocks, and in addition make sure that the ad *always* is
> terminated with a short block, by adding an empty block (poly1305
> coefficient 0x1) between ad and cryptotext in case the ad length is a
> multiple of 16.

My feeling is that this is getting too complex for the resulting benefit.

> Another minor point: The unused 32 bytes of the first chacha block
> (after the 32 bytes used for the poly1305 subkeys), could they be
> considered a separate (and optional) output? When chacha-poly1305 is
> used in openssh, they encrypt the packet length field separately, and
> they seem to be using another instance of chacha for that, with an
> independent key. Which seems a bit unnecessary when there are plenty of
> left over keystream bytes from the chacha-poly1305 instance they use for
> the message payload.

Implementations could certainly extract this if they wished, although
I'd like to stay in the RFC 5116 framework for AEADs in the spec.

For SSH's use, I guess this would complicate their AEAD implementation
because they would need to break it up: they need to calculate the
first block to decrypt the length and then they can figure out what
the ciphertext is. Actually, if they were going to use the leftover
keystream bytes from the first block for the length then I would
imagine that they would use a separate ChaCha call to calculate it and
then, if they decrypt the length and find they have a whole record to
process, call the AEAD function, which will redundantly calculate the
first block again.


Cheers

AGL

-- 
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org

v2.23.0 | Report a Bug | By Email