Re: [TLS] Comments on draft-nir-cfrg-chacha20-poly1305-02

Adam Langley <agl@google.com> Fri, 06 February 2015 18:15 UTC

In-Reply-To: <nnk2zv3zbo.fsf@bacon.lysator.liu.se>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se> <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com> <nniopgn2sr.fsf@bacon.lysator.liu.se> <CAMfhd9VsetxqazXdmDPTDCJJqC5jNr1LVC-qsgPM9RRSBXSTqA@mail.gmail.com> <nnk2zv3zbo.fsf@bacon.lysator.liu.se>
From: Adam Langley <agl@google.com>
Date: Fri, 06 Feb 2015 10:15:21 -0800
Message-ID: <CAL9PXLx7O-qRQcsDVcTTjTmt7Uk+DTLaMRwST=cZj30OSrBbog@mail.gmail.com>
To: Niels Möller <nisse@lysator.liu.se>, Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/lLD4Dn0Bkt7G8lhBCM5lL3wTuDw>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on draft-nir-cfrg-chacha20-poly1305-02

On Fri, Feb 6, 2015 at 6:10 AM, Niels Möller <nisse@lysator.liu.se> wrote:
> Adam Langley <agl@imperialviolet.org> writes:
>
>> On Thu, May 8, 2014 at 12:32 AM, Niels Möller <nisse@lysator.liu.se> wrote:
>>> Is this something you'd want to address? After all, high performance is
>>> one of the primary design goals for both chacha and poly1305. The easiest
>>> way I see is to change the formatting for authentication to
>>>
>>>   ad | pad1 | cryptotext | pad2 | length(ad) | length(cryptotext)
>>
>> I think this might be a good idea, thanks!
>
> I've now updated my implementation to match
> draft-irtf-cfrg-chacha20-poly1305-08
> (https://git.lysator.liu.se/nettle/nettle/blob/master/chacha-poly1305.c).
> I have a couple of comments on the testcases.

+Yoav, so that he sees this, as he's doing the editing work on this
draft in practice.

> In section 2.4.2, the test vector for the chacha20 cipher, I think it
> would be good to have an example with initial counter = 0. I think
> that's going to be the typical case when using chacha as cipher only.

The draft defines an AEAD so I think it's ok that the examples are
focused on that.

> In section 2.8.2, the nonce is given in two pieces, an "IV" and a
> "32-bit fixed common part". It's not crystal clear how to put them
> together. Please also write out the complete 12-byte nonce explicitly.

It does seem that this section might be a little IPsec focused. The
nonce is called a nonce elsewhere in the draft, but is given as an
"IV" and "fixed-common part" here, but those terms are never used
elsewhere. Possibly they should be merged and called a nonce,
although I'm sure that Yoav will decide what's best here.

> For naming, I think it would be more consistent with the (admittedly
> confused) terminology used in the literature to consistently write
> "chacha", not "chacha20", and "salsa20", not "salsa".

ChaCha is the family and ChaCha20 is an instance with a specific
number of rounds. I think the two names are ok, although I do think
there's a little confusion at the beginning of section 2.3 where it
might be worth mentioning that the ChaCha20 block function is
specifically the ChaCha block function with 20 rounds.


Cheers

AGL