IETF Logo Mail Archive

Re: [TLS] Comments on draft-nir-cfrg-chacha20-poly1305-02

nisse@lysator.liu.se (Niels Möller ) Thu, 08 May 2014 07:33 UTC

Return-Path: <nisse@lysator.liu.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 636951A03F2 for <tls@ietfa.amsl.com>; Thu, 8 May 2014 00:33:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.122
X-Spam-Level:
X-Spam-Status: No, score=-1.122 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.651, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bW7qzjDCUp-h for <tls@ietfa.amsl.com>; Thu, 8 May 2014 00:33:00 -0700 (PDT)
Received: from bacon.lysator.liu.se (bacon.lysator.liu.se [IPv6:2001:6b0:17:f0a0::ce]) by ietfa.amsl.com (Postfix) with ESMTP id 6D78B1A010A for <tls@ietf.org>; Thu, 8 May 2014 00:33:00 -0700 (PDT)
Received: from bacon.lysator.liu.se (localhost [127.0.0.1]) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5) with ESMTP id s487WeRZ015613; Thu, 8 May 2014 09:32:40 +0200 (MEST)
Received: (from nisse@localhost) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5/Submit) id s487Waq5015612; Thu, 8 May 2014 09:32:36 +0200 (MEST)
X-Authentication-Warning: bacon.lysator.liu.se: nisse set sender to nisse@lysator.liu.se using -f
From: nisse@lysator.liu.se
To: Adam Langley <agl@google.com>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se> <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com>
Date: Thu, 08 May 2014 09:32:36 +0200
Message-ID: <nniopgn2sr.fsf@bacon.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (usg-unix-v)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/wAS5TkFM62zDHKxV3yg6nyX95z0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on draft-nir-cfrg-chacha20-poly1305-02
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 07:33:02 -0000

I'm going back to look at the draft-nir-cfrg-chacha20-poly1305-02 draft,
from an implementation point of view.

One thing that I think is suboptimal is that some buffering is required
between the chacha encryption and the mac.

First consider the case that the ad | length(ad) is a multiple of the
poly1305 blocksize (i.e., 16 bytes, and with the current draft this
would happen when length(ad) mod 16 = 8). Then for authentication, the
crypto text starts at a poly1305 block boundary. So each encrypted
chacha block, 64 bytes, lines up nicely as 4 poly1305 blocks. For a
software implementation, there's some potential for short-circuiting the
conversion from integers to octets and back. For a hardware
implementation, I think it would also be pretty straight-forward to do
those 4 poly1305 blocks in parallel if desired.

On the other hand, if cryptotext doesn't start at a poly1305 block
boundary, i.e., the general case, the cryptotext has to be buffered and
shifted around when split into poly1305 blocks. The above software
optimizations get much more complex or impossible. And I would imagine
(but I'm no hardware designer) that it adds significant complexity for a
hardware implementation.

Is this something you'd want to address? After all, high performance is
one of the primary design goals for both chacha and poly1305. The easiest
way I see is to change the formatting for authentication to

  ad | pad1 | cryptotext | pad2 | length(ad) | length(cryptotext)

where pad1 and pad2 are the minimum number of zero bytes needed to get
to 16-byte boundary. The length fields fill up a poly1305 block of their
own, and I think they should definitely use little-endian encoding,
since that's what poly1305 uses and little-endian makes it easier to
assemble the block without going via any byte representation.

There are some other possibilities, taking advantage of the fact that
poly1305 has an unambibuous encoding for short blocks. E.g, if the ad is
the single byte "a", 0x61, zero-padding produces the poly1305
coefficient 0x10000000000000061, but one could also represent it as
0x161, as is specified for a final, short, block in poly1305-aes. With
some care, I think one could even drop both length fields. What's needed
is to use the poly1305 short block encoding for the final ad and crypto
text blocks, and in addition make sure that the ad *always* is
terminated with a short block, by adding an empty block (poly1305
coefficient 0x1) between ad and cryptotext in case the ad length is a
multiple of 16.

Another minor point: The unused 32 bytes of the first chacha block
(after the 32 bytes used for the poly1305 subkeys), could they be
considered a separate (and optional) output? When chacha-poly1305 is
used in openssh, they encrypt the packet length field separately, and
they seem to be using another instance of chacha for that, with an
independent key. Which seems a bit unnecessary when there are plenty of
left over keystream bytes from the chacha-poly1305 instance they use for
the message payload.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

v2.23.0 | Report a Bug | By Email