Re: [Cfrg] Task for the CFRG

Ted Krovetz <ted@krovetz.net> Thu, 08 August 2013 20:24 UTC

> The TLS WG has asked the CFRG for their opinion for a stream cipher, eSTREAM-SALSA20,
> and two MAC algorithms, UMAC and POLY1305, that have been suggested for use in TLS

I am well familiar with all three. I edited the UMAC RFC, have been working with a Salsa variant called Chacha, and have used several polynomial hashes similar to Poly1305.

I have no security concerns for any of the three. I do have a few comments.

UMAC: Uses a large internal key (about 1KB), and complex code. UMAC has very high speed if the key can be kept in cache. I suggested to the TLS mailing list VMAC as an alternative that uses less internal key and is of similar speed.

Salsa20/12: The eSTREAM variant under consideration is the 12-round one. All the fastest Salsa implementations are SIMD, and Salsa's prolog and epilog are complicated under SIMD. Dan Bernstein recognized this and made a SIMD-friendly variant called Chacha. Chacha also made a couple rotation tweaks that improve speed and (Dan speculates) improve security. I wish everyone would forget about Salsa and replace it with Chacha.

Poly1305: This is a standard polynomial evaluation hash with good security. As with UMAC and VMAC, it depends heavily on multiplication (in this case 128x128->256 bits followed by divisionless mod), making it expensive in hardware (same for UMAC and VMAC).

If all the TLS group wants is our security assessment of Salsa, UMAC and Poly1305, we should give them a positive one. If we wish to give some advice as well, I'd recommend consideration of VMAC over UMAC and, especially, Chacha over Salsa.

-Ted
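
Added illustration, not part of the message above or of any project's code: a Python sketch of the polynomial evaluation and "divisionless mod" the Poly1305 paragraph refers to, following the algorithm as specified in RFC 8439 (arithmetic modulo 2^130 - 5) and checked against that RFC's section 2.5.2 test vector. The function names are hypothetical, and Python integers are not constant-time, so this shows the arithmetic only.

```python
import hmac

P = (1 << 130) - 5                          # the Poly1305 prime
MASK130 = (1 << 130) - 1
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff  # bits of r forced to zero

def reduce_divisionless(x: int) -> int:
    """Reduce x mod 2^130 - 5 with shift, mask and multiply-by-5 only."""
    # 2^130 is congruent to 5 mod P, so hi*2^130 + lo becomes 5*hi + lo.
    while x >> 130:
        x = (x & MASK130) + 5 * (x >> 130)
    # x < 2^130 here, so at most one final subtraction is needed.
    if x >= P:
        x -= P
    return x

def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """One-time MAC: evaluate the message polynomial at r, then add s."""
    if len(key) != 32:
        raise ValueError("Poly1305 takes a 32-byte one-time key (r || s)")
    r = int.from_bytes(key[:16], "little") & CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each block gets a 0x01 byte appended, giving a value up to 129 bits.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        # The wide multiply followed by the folding reduction.
        acc = reduce_divisionless((acc + n) * r)
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare without an early-exit byte loop."""
    return hmac.compare_digest(poly1305_mac(key, msg), tag)

# Test vector from RFC 8439, section 2.5.2.
RFC_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"
    "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    print(poly1305_mac(RFC_KEY, RFC_MSG).hex())
    print(poly1305_verify(RFC_KEY, RFC_MSG, RFC_TAG))
```

The key is one-time: reusing the same (r, s) pair for two messages lets an observer solve for r, which is why protocols derive a fresh Poly1305 key per message.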