List:       ietf-tls
Subject:    Re: [TLS] comparison of draft-josefsson-salsa20-tls-02 and draft-agl-tls-chacha20poly1305-02
From:       Robert Ransom <rransom.8774 () gmail ! com>
Date:       2013-10-23 16:47:58
Message-ID: CABqy+spO9w7Yp5iYpM-07Btg_5Z5owwmyEsmi3Uy4_HX=iX9uQ () mail ! gmail ! com

On 10/23/13, Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote:
> On 10/23/2013 04:58 PM, Adam Langley wrote:
>> On Wed, Oct 23, 2013 at 10:51 AM, Nikos Mavrogiannopoulos
>> <nmav@gnutls.org> wrote:
>>> As far as I understand you use chacha to generate the keystream for
>>> poly1305. Thus you carry state between records (chacha is a stream
>>> cipher). I don't know if I have missed anything there, but I don't see
>>> resetting chacha with a new IV per MAC calculation.
>>
>> There is no state carried between records: "ChaCha20 is run with the
>> given key and nonce and with the two counter words set to zero. The
>> first 32 bytes of the 64 byte output are saved to become the one-time
>> key for Poly1305." (The nonce is the sequence number of the record.)
>> (http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-00#section-5)
>
> I had assumed that you used the Poly1305-AES construction but with
> Chacha in place of AES. Clearly this isn't the case, and even the
> attacks described may not apply to your construction. I have not seen
> this construction before. It looks pretty elegant. Has it been used
> somewhere else?

It's used in the 'box' and 'secretbox' operations in NaCl.  See also
section 2.5 of <http://cr.yp.to/antiforgery/pema-20071022.pdf>.


Robert Ransom
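The construction Adam Langley quotes above (a fresh Poly1305 one-time key taken from the first 32 bytes of a ChaCha20 block computed with the record key, the record's nonce and both counter words zero) is shown below as an added example in Python. It is not code from this thread, from either draft, or from NaCl. It uses the original ChaCha layout (8 key words, 2 counter words, 2 nonce words) and a minimal Poly1305; the byte order used to place the 64-bit sequence number into the 8 nonce bytes is an assumption here (big-endian), and the exact framing of the bytes the draft feeds to Poly1305 is not covered, the example simply MACs the record payload. The point it demonstrates is the one in the quoted text: the one-time key depends only on (key, sequence number), so no ChaCha state carries over between records.

```python
"""Per-record Poly1305 one-time key as described in draft-agl-tls-chacha20poly1305.

Added example; not the draft's, NaCl's or the thread authors' code. The nonce
encoding of the sequence number (big-endian below) is an ASSUMPTION.
"""
import hmac
import struct

CHACHA_CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
MASK32 = 0xFFFFFFFF
POLY1305_P = (1 << 130) - 5
POLY1305_R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def _rotl32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte ChaCha20 block: 32-byte key, 64-bit counter, 8-byte nonce
    (original ChaCha layout: constants, key, counter words 12-13, nonce words 14-15)."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("ChaCha20 needs a 32-byte key and an 8-byte nonce")
    state = list(CHACHA_CONSTANTS)
    state += struct.unpack("<8L", key)
    state += struct.unpack("<2L", struct.pack("<Q", counter))
    state += struct.unpack("<2L", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (columns, then diagonals)
        _quarter_round(w, 0, 4, 8, 12)
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *((x + y) & MASK32 for x, y in zip(w, state)))


def poly1305_mac(otk: bytes, msg: bytes) -> bytes:
    """Poly1305 with a 32-byte one-time key: r = first 16 bytes (clamped), s = last 16."""
    r = int.from_bytes(otk[:16], "little") & POLY1305_R_CLAMP
    s = int.from_bytes(otk[16:32], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        chunk = msg[i:i + 16]
        # each block is read little-endian with a 1 bit appended just above its last byte
        n = int.from_bytes(chunk, "little") | (1 << (8 * len(chunk)))
        acc = ((acc + n) * r) % POLY1305_P
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def record_nonce(seq: int) -> bytes:
    """ASSUMPTION: the 64-bit record sequence number fills the 8 nonce bytes big-endian."""
    return struct.pack(">Q", seq)


def poly1305_record_key(key: bytes, seq: int) -> bytes:
    """The quoted rule: ChaCha20 with the record key, the record nonce and both counter
    words zero; the first 32 of the 64 output bytes become the Poly1305 one-time key.
    The result depends only on (key, seq), so nothing is carried between records."""
    return chacha20_block(key, 0, record_nonce(seq))[:32]


def tag_record(key: bytes, seq: int, data: bytes) -> bytes:
    return poly1305_mac(poly1305_record_key(key, seq), data)


def verify_record(key: bytes, seq: int, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_record(key, seq, data), tag)


if __name__ == "__main__":
    # constructed sample key and records, for illustration only
    k = bytes(range(32))
    records = [(0, b"record zero"), (1, b"record one"), (2, b"record two")]
    for seq, data in records:
        print(seq, poly1305_record_key(k, seq).hex(), tag_record(k, seq, data).hex())
    # every record gets its own one-time key, derived from scratch
    print(len({poly1305_record_key(k, s) for s, _ in records}) == len(records))
```

Running the module prints three distinct one-time keys and tags; re-running `poly1305_record_key` for any sequence number, in any order, gives the same key, which is the stateless property Nikos was asking about. Because each record's Poly1305 key is used exactly once, the one-time security argument of Poly1305 applies per record and a sequence number must never be reused under the same key.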
