[Cryptography] RC4 again (actual security, scalability and other discussion)
Jerry Leichter
leichter at lrw.com
Sun Mar 9 07:20:26 EDT 2014
On Mar 8, 2014, at 5:40 PM, Hanno Böck <hanno at hboeck.de> wrote:
> From what I hear a lot of people have a very high opinion on salsa20 or
> its successor chacha20. I have done some tests with openssh recently
> which supports now both rc4 and chacha20.... Why not stay on the safe
> side and use a stream cipher everybody out there thinks provides very
> high security?
The reasoning here disturbs me. Use chacha20 because "everyone out there thinks [it] provides very high security"? Was a poll taken of "everyone out there" for any reasonable definition of "everyone"? And they *all* agreed? Really?
RC4 has been around for much longer than chacha20, and has been subject to a hell of a lot more cryptanalytic attack. So far, it's stood up remarkably well - especially when you consider how simple its basic ideas are, and how far cryptanalysis has advanced in the interim. (RC4 was designed in 1987 - making it roughly contemporaneous with the publication of differential cryptanalysis, arguably the beginning of a serious public cryptanalytic capability.)
Perhaps chacha20 is the way to go. I think the design behind it is a very nice bit of work, but whether it will stand the test of time is impossible to answer.
What *is* important, though, is to avoid the temptation to rush off after "the new shiny", just because it's new and shiny. Even most cryptosystems proposed by the best in the business - and djb is certainly in that category - don't survive the community's attacks.
-- Jerry