IETF-SSH archive


Re: ChaCha20-Poly1305 for SSH

Damien Miller <djm%mindrot.org@localhost> writes:

> IMO if you're going to the trouble of preserving packet length
> privacy then you should do it properly and use a separate cipher
> instance to do it.

Does it matter if we xor it with some unused bytes in the same chacha
key stream used for the rest of the data, or use a separate instance
with a different key (but generated from the same key exchange secret)?

> In the case of chacha20, it's ridiculously cheap
> to do so; the cipher has negligible state.

It just seems nice to me to not have to produce yet another session key
just for this, when we have 32 perfectly good key stream bytes left
over. I agree the per-message overhead with an extra chacha instance is
very low, and it's no big deal, it's more about eliminating a little
book-keeping.

Or are you suggesting the even more proper thing to do, which would be
to encrypt the length field *and* add a separate authentication tag for
it?

Off the top of my head, I think it would make sense with some
building-block which takes as input a per-session key, the 32-bit
length, and per-message nonce, and produces, e.g., 64 random looking
output bits, such that (1) the length can be recovered only by the
receiver, with whom we share the key, and (2) any malicious
modification of the 64 bits on the wire can be detected with probability
close to 1. Or just use a separate chacha-poly1305 on the length, with
its larger tag.

Regards,
/Niels


-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.