Re: [TLS] ChaCha20 + Poly1305 in TLS

Adam Langley <agl@google.com> Tue, 08 October 2013 15:32 UTC

On Sat, Oct 5, 2013 at 11:37 AM, Wan-Teh Chang <wtc@google.com> wrote:
> * Define that <<< means a rotate left shift.

Done.

> * The second paragraph says the block counter is four input words. The
> last paragraph says the block counter is two input words.

Fixed, thanks.

>
> * The last paragraph says the nonce (input words 12 and 13) is before
> the block counter (input words 14 and 15), but
> http://cr.yp.to/chacha/chacha-20080128.pdf says the block counter is
> followed by the nonce. Assuming little-endian order, I think it seems
> better for the block counter to be before the nonce.

I got confused between Salsa and ChaCha in this case and have
corrected the draft to be in line with the ChaCha specification.

> Section 5. AEAD construction:
>
> * In the input for Poly1305, the byte count of the ciphertext is
> before the ciphertext. I think this should be reversed to allow an
> implementation to start computing Poly1305 before having all the
> ciphertext. For consistency, also reverse the order of the byte count
> of additional data and the additional data.

Although I don't think it's needed in this case, I agree that it might
be useful and have changed the draft and code accordingly. I will
publish an updated draft shortly.

> Section 9. IANA considerations:
>
> * We should also ask IANA to assign an AEAD algorithm ID to
> chacha20poly1305 in its registry
> http://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml.

Done.


Cheers

AGL
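
Added example, not part of the original message or of the draft's code: a Python illustration of the Section 5 point in this thread, that putting each byte count after its data lets Poly1305 run over the ciphertext as it arrives. The function names, the 8-byte little-endian length encoding and any inputs passed in are assumptions made for this illustration.

```python
# Added illustration. Names and the 8-byte little-endian length width are assumptions.
P = (1 << 130) - 5
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff

class Poly1305:
    """Incremental Poly1305 that accepts its input in arbitrary-sized pieces."""
    def __init__(self, key):
        if len(key) != 32:
            raise ValueError("Poly1305 needs a 32-byte one-time key")
        self.r = int.from_bytes(key[:16], "little") & CLAMP
        self.s = int.from_bytes(key[16:], "little")
        self.acc, self.buf = 0, b""

    def _absorb(self, block):
        # A 0x01 byte is appended to each block before it is read as an integer.
        n = int.from_bytes(block + b"\x01", "little")
        self.acc = (self.acc + n) * self.r % P

    def update(self, data):
        self.buf += data
        while len(self.buf) >= 16:
            self._absorb(self.buf[:16])
            self.buf = self.buf[16:]

    def tag(self):
        if self.buf:                      # final partial block, if any
            self._absorb(self.buf)
            self.buf = b""
        return ((self.acc + self.s) % (1 << 128)).to_bytes(16, "little")

def len8(n):
    return n.to_bytes(8, "little")

def mac_input(ad, ciphertext):
    """Length-after-data layout: AD, len(AD), ciphertext, len(ciphertext)."""
    return ad + len8(len(ad)) + ciphertext + len8(len(ciphertext))

def one_shot_tag(key, ad, ciphertext):
    m = Poly1305(key)
    m.update(mac_input(ad, ciphertext))
    return m.tag()

def streaming_tag(key, ad, ciphertext_chunks):
    """MAC ciphertext as it arrives; the total is only known after the last chunk."""
    m = Poly1305(key)
    m.update(ad + len8(len(ad)))
    total = 0
    for chunk in ciphertext_chunks:       # may be a generator of unknown length
        m.update(chunk)
        total += len(chunk)
    m.update(len8(total))
    return m.tag()
```

With the byte count placed first, `streaming_tag` could not absorb the first ciphertext chunk until the whole ciphertext had been produced and counted.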