[Cryptography] Evaluating draft-agl-tls-chacha20poly1305

William Allen Simpson william.allen.simpson at gmail.com
Wed Sep 11 12:55:08 EDT 2013

On 9/11/13 10:37 AM, Adam Langley wrote:
> On Tue, Sep 10, 2013 at 10:59 PM, William Allen Simpson
> <william.allen.simpson at gmail.com> wrote:
>> Or you could use 16 bytes, and cover all the input fields....  There's no
>> reason the counter part has to start at 1.
> It is the case that most of the bottom row bits will be zero. However,
> ChaCha20 is assumed to be secure at a 256-bit security level when used
> as designed, with the bottom row being counters. If ChaCha/Salsa were
> not secure in this formulation then I think they would have to be
> abandoned completely.
I kinda covered this in a previous message.  No, we should design with
the expectation that there's something wrong with every cipher (and
every implementation), and strengthen it as best we know how.

It's the same principle we learned (often the hard way) in school:
  * Software designers, assume the hardware has intermittent failures.
  * Hardware designers, assume the software has intermittent failures.

> Taking 8 bytes from the initial block and using it as the nonce for
> the plaintext encryption would mean that there would be a ~50% chance
> of a collision after 2^32 blocks. This issue affects AES-GCM, which is
> why the sequence number is used here.
Sorry, you're correct there -- my mind is often still thinking of DES
with its unicity distance of 2**32, so you had to re-key anyway.

> Using 16 bytes from the initial block as the full bottom row would
> work, but it still assumes that we're working around a broken cipher
> and it prohibits implementations which pipeline all the ChaCha blocks,
> including the initial one. That may be usefully faster, although it's
> not the implementation path that I've taken so far.
OK.  I see the pipeline stall.  But does poly1305 pipeline anyway?

> There is an alternative formulation of Salsa/ChaCha that is designed
> for random nonces, rather than counters: XSalsa/XChaCha. However,
> since we have a sequence number already in TLS I've not used it.
Aha, I hadn't found this (XSalsa, there doesn't seem to be an XChaCha).
Good reading, and some of the same points I was trying to make here.

More information about the cryptography mailing list