Re: [TLS] comparison of draft-josefsson-salsa20-tls-02 and draft-agl-tls-chacha20poly1305-02

Adam Langley <agl@google.com> Wed, 23 October 2013 14:59 UTC

From: Adam Langley <agl@google.com>
Date: Wed, 23 Oct 2013 10:58:48 -0400
Message-ID: <CAL9PXLzCTcaAHF5N_YiBaz+kP5ez6KaPkhOLfCPsSJ9jfCxehQ@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Cc: "tls@ietf.org" <tls@ietf.org>, Joachim Strömbergson <joachim@secworks.se>

On Wed, Oct 23, 2013 at 10:51 AM, Nikos Mavrogiannopoulos
<nmav@gnutls.org> wrote:
> As far as I understand you use chacha to generate the keystream for
> poly1305. Thus you carry state between records (chacha is a stream
> cipher). I don't know if I have missed anything there, but I don't see
> resetting chacha with a new IV per MAC calculation.

There is no state carried between records: "ChaCha20 is run with the
given key and nonce and with the two counter words set to zero. The
first 32 bytes of the 64 byte output are saved to become the one-time
key for Poly1305." (The nonce is the sequence number of the record.)

(http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-00#section-5)


Cheers

AGL
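For readers following the per-record key derivation quoted above, here is an added worked example (not from the draft, from this message, or from any project's code): a minimal ChaCha20 block function in the original 64-bit-nonce layout, and the Poly1305 one-time key derived from it with the counter words at zero and the record sequence number as the nonce. Encoding the sequence number into the 8-byte nonce as big-endian is an assumption made here, not something the message states.

```python
import struct

def _qr(s, a, b, c, d):
    # One ChaCha quarter round on state words a, b, c, d (all arithmetic mod 2^32).
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] ^= s[a]; s[d] = ((s[d] << 16) | (s[d] >> 16)) & 0xffffffff
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] ^= s[c]; s[b] = ((s[b] << 12) | (s[b] >> 20)) & 0xffffffff
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] ^= s[a]; s[d] = ((s[d] << 8) | (s[d] >> 24)) & 0xffffffff
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] ^= s[c]; s[b] = ((s[b] << 7) | (s[b] >> 25)) & 0xffffffff

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """Original ChaCha20 block: 4 constant words, 8 key words, 2 counter words, 2 nonce words."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("need a 32-byte key and an 8-byte nonce")
    state = list(struct.unpack('<4I', b'expand 32-byte k'))
    state += struct.unpack('<8I', key)
    state += struct.unpack('<2I', struct.pack('<Q', counter))   # two counter words
    state += struct.unpack('<2I', nonce)                        # two nonce words
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack('<16I', *[(w[i] + state[i]) & 0xffffffff for i in range(16)])

def poly1305_key_for_record(key: bytes, seq_num: int) -> bytes:
    """Per the quoted text: counter words zero, nonce = record sequence number,
    first 32 bytes of the 64-byte output become the one-time Poly1305 key.
    Assumption (not stated in the message): the sequence number is encoded big-endian."""
    nonce = struct.pack('>Q', seq_num)
    return chacha20_block(key, 0, nonce)[:32]

if __name__ == "__main__":
    k = bytes(32)  # constructed all-zero key, used only for illustration
    # Each record's key depends only on (key, sequence number); nothing carries over.
    for seq in range(3):
        print(seq, poly1305_key_for_record(k, seq).hex())
```

Because the derivation is a pure function of the traffic key and the sequence number, recomputing it for the same record always yields the same Poly1305 key, which is the point the reply makes about records not sharing cipher state.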