[Cryptography] Evaluating draft-agl-tls-chacha20poly1305

Alexandre Anzala-Yamajako anzalaya at gmail.com
Wed Sep 11 06:00:40 EDT 2013

2013/9/11 William Allen Simpson <william.allen.simpson at gmail.com>

> It bugs me that so many of the input words are mostly zero.  Using the
> TLS Sequence Number for the nonce is certainly going to be mostly zero
> bits.  And the block counter is almost all zero bits, as you note,
>    (In the case of the TLS, limits on the plaintext size mean that the
>    first counter word will never overflow in practice.)
> [...]

> In my PPP ChaCha variant of this that I started several months ago, the
> nonce input words were replaced with my usual CBCS formulation.  That is,
>    invert the lower 32-bits of the sequence number,
>    xor with the upper 32-bits,
>    add (mod 2**64) both with a 64-bit secret IV,
>    count the bits, and
>    variably rotate.
> [...]

ChaCha20 being a stream cipher, the only requirement we have on the ICV is
that it doesn't repeat, isn't it?
This means that if there's a problem with setting a 'mostly zeroed out' ICV
for ChaCha20, we shouldn't use it at all, period.
As far as your proposition is concerned, the performance penalty seems to
largely depend on the target platform. Wouldn't using the same set of
operations as ChaCha prevent an unexpected performance drop in case of lots
of short messages?
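The nonce-uniqueness point in the reply above, as an added example that is not code from the thread, the draft, or any of its authors: it builds the ChaCha20 input block in the original 64-bit counter / 64-bit nonce layout (assumed here to be the one draft-agl uses, with the TLS sequence number as the nonce) and checks that two records produce identical keystream only when the sequence number repeats, not when it is merely mostly zero.

```python
# Added example, not from the thread or the draft. Assumes the original ChaCha
# state layout (4 constants, 8 key words, 2 counter words, 2 nonce words) with
# the 64-bit TLS sequence number feeding the two nonce words.
import struct

CONSTANTS = b"expand 32-byte k"
MASK = 0xFFFFFFFF


def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 7)


def initial_state(key, counter, nonce):
    """16 input words. Words 12-13 are the 64-bit block counter (word 12 is the
    low word that the quote says never overflows in TLS); words 14-15 carry the
    sequence number, which is 'mostly zero' for early records."""
    assert len(key) == 32 and 0 <= counter < 2**64 and 0 <= nonce < 2**64
    return (list(struct.unpack("<4I", CONSTANTS))
            + list(struct.unpack("<8I", key))
            + [counter & MASK, counter >> 32]
            + [nonce & MASK, nonce >> 32])


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 20 rounds, then add the input state back."""
    state = initial_state(key, counter, nonce)
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        quarter_round(w, 0, 4, 8, 12); quarter_round(w, 1, 5, 9, 13)
        quarter_round(w, 2, 6, 10, 14); quarter_round(w, 3, 7, 11, 15)
        quarter_round(w, 0, 5, 10, 15); quarter_round(w, 1, 6, 11, 12)
        quarter_round(w, 2, 7, 8, 13); quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(w, state)])


def keystream_repeats(key, seq_a, seq_b):
    """True iff the first keystream block of two records is identical, i.e. the
    sequence number (nonce) was reused. Sparse but distinct nonces must differ."""
    return chacha20_block(key, 0, seq_a) == chacha20_block(key, 0, seq_b)
```

The all-zero key and nonce reproduce the published ChaCha20 first-block vector, which is how to check that the layout above is the one your implementation uses.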
