Re: [TLS] Comments on
nisse@lysator.liu.se (Niels Möller ) Fri, 14 February 2014 08:42 UTC
Return-Path: <nisse@lysator.liu.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D2F11A0136 for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 00:42:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.019
X-Spam-Level:
X-Spam-Status: No, score=-1.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hgB5zA5w2Ryx for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 00:42:44 -0800 (PST)
Received: from bacon.lysator.liu.se (bacon.lysator.liu.se [IPv6:2001:6b0:17:f0a0::ce]) by ietfa.amsl.com (Postfix) with ESMTP id 08CA41A014C for <tls@ietf.org>; Fri, 14 Feb 2014 00:42:43 -0800 (PST)
Received: from bacon.lysator.liu.se (localhost [127.0.0.1]) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5) with ESMTP id s1E8gS0f004574; Fri, 14 Feb 2014 09:42:28 +0100 (MET)
Received: (from nisse@localhost) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5/Submit) id s1E8gOnG004573; Fri, 14 Feb 2014 09:42:24 +0100 (MET)
X-Authentication-Warning: bacon.lysator.liu.se: nisse set sender to nisse@lysator.liu.se using -f
From: nisse@lysator.liu.se
To: Adam Langley <agl@google.com>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se> <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com>
Date: Fri, 14 Feb 2014 09:42:23 +0100
In-Reply-To: <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com> (Adam Langley's message of "Thu, 13 Feb 2014 10:52:42 -0500")
Message-ID: <nna9dum6fk.fsf@bacon.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (usg-unix-v)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/v0DYiBXyMsjhiOoc6y1269SbMN8
X-Mailman-Approved-At: Fri, 14 Feb 2014 06:48:52 -0800
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 08:42:47 -0000
Adam Langley <agl@google.com> writes: > On Thu, Feb 13, 2014 at 5:11 AM, Niels Möller <nisse@lysator.liu.se> wrote: >> 1. It would be nice with a couple of additional test cases for >> AEAD_CHACHA20_POLY1305. In particular for the corner cases of empty >> associated data and/or empty plaintext. > > Ack. Yoav pulled out the AEAD bit into > https://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-01 so > that it's not TLS specific and that's probably the place for this now. Thanks for the pointer. This specifies a 96-bit nonce, both for chacha and chacha20-poly1305. I'm a bit confused by the different definition of chacha, with a 32-bit counter and 96-bit nonce, rather than 64 bits each like in the chacha spec. This discrepancy gives me the feeling that I definitely should consider my implementation as experimental, and not promise any compatibility until the dust settles. > (The lengths were originally prefixes of the data. wtc suggested > moving them to the end so that the AEAD could be computed without > knowing the length of the data apriori. Although this does lead to the > possibility of "streaming" APIs which I would discourage as they > release unauthenticated plaintext and force others to also.) I agree that most applications shouldn't use streaming operation, at least for decryption. But I also think there are valid usecases for streaming operation, e.g., processing a large file where you really want a single indication of autenticity for the complete file. In GNU Nettle, which is a general purpose but pretty low level crypto library, I'd like to support aead streaming operation whenever possible. >> At least in my implementantation, the length(ad) field causes some >> additional complexity, so > > Could you elaborate on why knowing the length of the AD is problematic? Knowing it is not a problem, but inserting it at that place in the poly1305 input is an annoyingly large proportion of the implementation, even if the total code size and complexity is pretty small. I have a low-level streaming interface (I'm considering adding a less general but more easy to use interface on top), with basically these functions for encryption (decryption is similar), to be called in order: set_key set_nonce (one or more times per key) update (process ad, zero or more times per nonce) encrypt (process plaintext, zero or more times per nonce digest (produce the authentication tag, once per nonce) Note that to keep this interface simple, there's no explicit function to mark the end of the ad; calling either of encrypt or digest implies the end of the associated data. Doing a final length field is very straighforward, it is added unconditionally by the digest function. However, inserting the ad length, between the ad and the crypto text, gets a bit more scattered. If encrypt is ever called, inserting the ad length has to be done for the first call to encrypt (or more precisely, I do it on the first call to encrypt providing a non-empty segment of plaintext, since for the bookkeeping I need to ensure that the ad length has been inserted if and only if the amount of processed plaintext is non-zero). But in case plaintext is empty, the ad length instead has to be inserted by the digest function. For some numbers, my current implementation is 101 non-comment lines of C (on top of chacha and poly1305 building blocks). Of those, 20% of the lines and 80% of the if statements are for the insertion of the ad length. See https://git.lysator.liu.se/nettle/nettle/blobs/master/chacha-poly1305.c (And I'm currently *not* confident that this code is correct, since I lack tests for the corner cases). > I suspect that some folks will want reduced round variants since it's > faster and the reduced round versions are holding up to analysis. I see. Vaguely related question: Do you see any need for 128-bit chacha keys? They're not really in the very short chacha paper, but they are in the reference implementation. Wan-Teh Chang <wtc@google.com> writes: > draft-agl-tls-chacha20poly1305 has been merged into > http://tools.ietf.org/html/draft-mavrogiannopoulos-chacha-tls-01. But > the specification of the ChaCha20-Poly1305 AEAD cipher suites did not > change. Thanks for the pointer. And here, chacha and chacha-poly1305 are both specified with a 64-bit nonce. > I'm also curious to know why. What about > > ad | cryptotext | length(ad) Adequately explained above, I hope. And the variant you propose should be as nice and simple to implement as ad | cryptotext | length(cryptotext). Or for that matter, ad | cryptotext | length(ad) | length(cryptotext) with both lenghts at the end, if for some reason including both length fields really is desirable. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Wan-Teh Chang
- [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Dr Stephen Henson
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Nikos Mavrogiannopoulos
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on Alfredo Pironti
- Re: [TLS] Comments on Niels Möller
- [TLS] dealing with AEAD partial delivery [was: Re… Daniel Kahn Gillmor
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Adam Langley
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Adam Langley
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller