[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

jrzx jrzx at protonmail.ch
Mon Feb 15 18:28:31 EST 2021


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

> jrzx jrzx at protonmail.ch writes:
> > The stream cipher AES-GCM is impossible for mortals
> > to get right, and I would not attempt to do so.
> > The stream ciphers ChaCha20 and XChaCha20 seem to me
> > to be as easy as falling off a log.

On Monday, February 15, 2021 1:26 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> ChaCha20-RC4, which is a block cipher pretending to be a
> stream cipher combined with incredibly awkward
> and complex keying requirements. In fact ChaCha20-Poly1305
> is probably the hardest-to-use cipher I've ever encountered
> - there's a 46-page RFC, RFC8439, most of which is devoted to
> all the hoops you have to jump through to key the
> thing correctly, with the cipher itself only being about 20
> lines of text in

ChaCha20-Poly1305, unlike XChaCha20, fails to increment the nonce after 2^32 packets, which is likely to bite you (if you ever get around to sending 2^32 packets, which you might).

ChaCha20-Poly1305 is XChaCha20 without automatic incrementation of the nonce, and it differs from ChaCha20 in that it can only go for 2^32 packets without taking action on the nonce, whereas ChaCha20 can go to 2^64 packets, but it merely has a 2^64 nonce, which is too small for random nonce generation.  Your nonces need to be sequential for a given secret, so your nonce management gets complicated in ChaCha20 if you are using many nonces for one secret.

But if your nonces are sequential, whether in ChaCha20 or ChaCha20-Poly1305, you are actually doing XChaCha20 over ChaCha20.  You are re-implementing XChaCha20 on top of ChaCha20, but it has already been implemented correctly once.

If your nonce and your key are a shared secret
constructed from public and private keys
(with at least one single-use public key being
part of that construction, making sure it is a
different secret each time), you are golden.

Of course, it can equally be said that pretty much
everything works if used in this fashion, but XChaCha20
continues to work for 2^96 512-bit packets, and ChaCha20
continues to work for 2^64 packets, which makes life
considerably simpler.

ChaCha20-Poly1305, used in this fashion, only continues
to work for 2^32 packets, which potentially makes life

ChaCha20-Poly1305 is designed for random nonce generation,
which is potentially complicated.  But we already have to
have random shared secret generation, so why double your
effort?  Just make everything the same shared secret.
Constructing a shared secret on the Ristretto25519 group
only takes three microseconds.
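As an added illustration of the layering described above (example code, not from this post or the list), here is XChaCha20's nonce extension written on top of the plain ChaCha20 block function: HChaCha20 derives a per-nonce subkey from the first 128 bits of a 192-bit nonce, and ordinary ChaCha20 then runs under that subkey with the remaining 64 bits. The block function follows RFC 8439 and HChaCha20/XChaCha20 follow the CFRG XChaCha draft; no other library or API is assumed.

```python
# Added example, not code from the post: XChaCha20 built on the ChaCha20 block function.
import struct

MASK = 0xFFFFFFFF
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    """RFC 8439 quarter round on state words a, b, c, d (in place)."""
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds(state):
    """20 ChaCha rounds: 10 double rounds of column then diagonal quarter rounds."""
    for _ in range(10):
        _quarter_round(state, 0, 4, 8, 12); _quarter_round(state, 1, 5, 9, 13)
        _quarter_round(state, 2, 6, 10, 14); _quarter_round(state, 3, 7, 11, 15)
        _quarter_round(state, 0, 5, 10, 15); _quarter_round(state, 1, 6, 11, 12)
        _quarter_round(state, 2, 7, 8, 13); _quarter_round(state, 3, 4, 9, 14)

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 8439 block: 32-byte key, 32-bit counter, 96-bit nonce -> 64 keystream bytes."""
    assert len(key) == 32 and len(nonce) == 12
    init = (list(CONSTANTS) + list(struct.unpack("<8L", key))
            + [counter & MASK] + list(struct.unpack("<3L", nonce)))
    state = init[:]
    _rounds(state)
    # Final feed-forward: add the initial state word by word, then serialize little-endian.
    return struct.pack("<16L", *((s + i) & MASK for s, i in zip(state, init)))

def hchacha20(key: bytes, nonce16: bytes) -> bytes:
    """HChaCha20: subkey from key and the first 128 bits of the 192-bit nonce.
    Same rounds as ChaCha20, but the nonce fills words 12-15 (no counter),
    there is no feed-forward, and only words 0-3 and 12-15 are output."""
    assert len(key) == 32 and len(nonce16) == 16
    state = list(CONSTANTS) + list(struct.unpack("<8L", key)) + list(struct.unpack("<4L", nonce16))
    _rounds(state)
    return struct.pack("<8L", *(state[:4] + state[12:]))

def xchacha20_block(key: bytes, counter: int, nonce24: bytes) -> bytes:
    """XChaCha20 keystream block: ChaCha20 under the HChaCha20 subkey with the
    96-bit nonce 0x00000000 || nonce24[16:24]. The 192-bit outer nonce is what
    makes a random nonce per message safe under a single long-lived key."""
    assert len(nonce24) == 24
    subkey = hchacha20(key, nonce24[:16])
    return chacha20_block(subkey, counter, b"\x00" * 4 + nonce24[16:])
```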
