Re: [TLS] chacha/poly state?

Yoav Nir <ynir.ietf@gmail.com> Mon, 28 April 2014 19:27 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CAMfhd9UCMN=thasTeVA1F41dGsPYhOxLJekNwmNd-eE1y+AzUg@mail.gmail.com>
Date: Mon, 28 Apr 2014 22:26:51 +0300
Message-Id: <8BF3F46B-0DD7-4262-8004-D1C8E5444FD5@gmail.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120C35E915@USMBX1.msg.corp.akamai.com> <1398669797.2453.6.camel@dhcp-2-127.brq.redhat.com> <EF841B12-F76E-4D65-AF9C-EF9311C4789A@gmail.com> <CACsn0cn+NoHJs62zXt+Yh8pkVs4wO=BPmgAfwjMPP2EAstmWUA@mail.gmail.com> <CAMfhd9UCMN=thasTeVA1F41dGsPYhOxLJekNwmNd-eE1y+AzUg@mail.gmail.com>
To: Adam Langley <agl@imperialviolet.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/kp-nqqtsSURWaGoGIg4Lh5Y1xt8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] chacha/poly state?

On Apr 28, 2014, at 8:42 PM, Adam Langley <agl@imperialviolet.org> wrote:

> On Mon, Apr 28, 2014 at 8:04 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>> So the changes were relabeling some words as counter and others as
>> nonce, in a different way from ChaCha? I think if you can tell that
>> from a PRF, you can tell the original ChaCha from a PRF, because we
>> have an injection into the original input state.
> 
> The whole AEAD construction is a "change" from the way that DJB does
> it in NaCl and so probably need review. I spoke to DJB about it at
> CRYPTO 2013, but that's hardly an endorsement.
> 
> Having said that, I think this does need to be pushed forward. Perhaps
> the best path is as an individual submission. I'll try and add the
> test vectors and then see whether that's possible.
> 

Yeah, so I don’t know DJB at all. Once we get the next revision published with decryption and some test vectors, we can talk to Dave and Kathleen, and see where this can progress better, and also ask DJB for a review. We didn’t get much at CFRG.

Yoav