Re: [TLS] ChaCha20 + Poly1305 in TLS

Wan-Teh Chang <wtc@google.com> Sat, 05 October 2013 15:37 UTC

On Tue, Sep 10, 2013 at 8:22 AM, Adam Langley <agl@google.com> wrote:
> I've just posted a draft defining ChaCha20+Poly1305 cipher suites for
> TLS: https://datatracker.ietf.org/doc/draft-agl-tls-chacha20poly1305/

Hi Adam,

I just reviewed the -01 draft. I have some comments. The most
important comment is about the AEAD construction in Section 5.

Section 3. ChaCha20:

* Define that <<< means a rotate left shift.

* The second paragraph says the block counter is four input words. The
last paragraph says the block counter is two input words.

* The last paragraph says the nonce (input words 12 and 13) is before
the block counter (input words 14 and 15), but
http://cr.yp.to/chacha/chacha-20080128.pdf says the block counter is
followed by the nonce. Assuming little-endian order, I think it seems
better for the block counter to be before the nonce.

Section 5. AEAD construction:

* In the input for Poly1305, the byte count of the ciphertext is
before the ciphertext. I think this should be reversed to allow an
implementation to start computing Poly1305 before having all the
ciphertext. For consistency, also reverse the order of the byte count
of additional data and the additional data.

Section 9. IANA considerations:

* We should also ask IANA to assign an AEAD algorithm ID to
chacha20poly1305 in its registry
http://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml.

Wan-Teh Chang
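
An added example, not part of the message above or of the draft: an incremental Poly1305 in Python that contrasts the two input orders from the Section 5 comment, byte count before the data versus byte count after it. The 8-byte little-endian count and the function names are assumptions made for this sketch; in the AEAD the Poly1305 key is a one-time key, so any fixed key passed in here is constructed test input.

```python
P = (1 << 130) - 5
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff

class Poly1305:
    """Incremental Poly1305: feed bytes with update(), read the MAC with tag()."""
    def __init__(self, key):
        if len(key) != 32:
            raise ValueError("Poly1305 key must be 32 bytes")
        self.r = int.from_bytes(key[:16], "little") & CLAMP
        self.s = int.from_bytes(key[16:], "little")
        self.acc, self.buf = 0, b""

    def _absorb(self, acc, block):
        # Each block gets a 0x01 byte appended, then acc = (acc + block) * r mod P.
        return (acc + int.from_bytes(block + b"\x01", "little")) * self.r % P

    def update(self, data):
        self.buf += data
        while len(self.buf) >= 16:
            self.acc = self._absorb(self.acc, self.buf[:16])
            self.buf = self.buf[16:]
        return self

    def tag(self):
        acc = self._absorb(self.acc, self.buf) if self.buf else self.acc
        return ((acc + self.s) & ((1 << 128) - 1)).to_bytes(16, "little")

def le64(n):
    return n.to_bytes(8, "little")  # assumed length encoding

def tag_length_first(key, ad, ct):
    # Count before data: len(ct) must be known before any ciphertext is MACed.
    mac = Poly1305(key).update(le64(len(ad)) + ad)
    return mac.update(le64(len(ct)) + ct).tag()

def tag_length_last(key, ad, ct_chunks):
    # Count after data: MAC each chunk on arrival, append the total at the end.
    mac = Poly1305(key).update(ad + le64(len(ad)))
    total = 0
    for chunk in ct_chunks:
        mac.update(chunk)
        total += len(chunk)
    return mac.update(le64(total)).tag()
```

With the count last, the input still parses unambiguously from the end, so moving a byte across the additional-data/ciphertext boundary changes the tag.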