Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-11 Thread Alexandre Anzala-Yamajako
2013/9/11 William Allen Simpson

 It bugs me that so many of the input words are mostly zero.  Using the
 TLS Sequence Number for the nonce is certainly going to be mostly zero
 bits.  And the block counter is almost all zero bits, as you note,

(In the case of the TLS, limits on the plaintext size mean that the
first counter word will never overflow in practice.)


 In my PPP ChaCha variant of this that I started several months ago, the
 nonce input words were replaced with my usual CBCS formulation.  That is,
invert the lower 32-bits of the sequence number,
xor with the upper 32-bits,
add (mod 2**64) both with a 64-bit secret IV,
count the bits, and
variably rotate.

Chacha20 being  a stream cipher, the only requirement we have on the ICV is
that it doesn't repeat isn't ?
This means that if there's a problem with setting 'mostly zeroed out' ICV
for Chacha20 we shouldn't use it at all period.
As far as your proposition is concerned, the performance penalty seems to
largely depend on the target platform. Wouldn't using the same set of
operations as Chacha prevent an unexpected performance drop in case of lots
of short messages ?

The cryptography mailing list

Re: [Cryptography] Good private email

2013-08-26 Thread Alexandre Anzala-Yamajako
This is everything *but* PRISM-proof : it doesn t solve the metadata issue
and your directory server containing public keys could very well be forced
by a law enforcement agency ( in the best case scenario because it could
also be the mafia) to answer the fbi/mafia public key on any request made
to it.

On Monday, August 26, 2013, Richard Salz wrote:

 I don't think you need all that much to get good secure private email.
  You need a client that can make PEM pretty seamless; reduce it to a
 button that says encrypt when possible.  You need the client to be
 able to generate a keypair, upload the public half, and pull down
 (seamlessly) recipient public keys.  You need a server to store and
 return those keys. You need an installed base to kickstart the network

 Who has that?  Apple certainly; Microsoft could; Google perhaps
 (although not reading email is against their business model). Maybe
 even the FB API.

 It's not perfect -- seems to me the biggest weakness is (a) the client
 could double-encrypt for TLA's to read, or (b) it could give you the
 wrong key so your mail only goes to the bad guy -- but it's a hell of
 a lot better than we have now and I'd say it's more than good enough.

 The cryptography mailing list javascript:;

Alexandre Anzala-Yamajako
The cryptography mailing list