[Cryptography] RC4 again (actual security, scalability and other discussion)

[Jerry Leichter]

On Mar 8, 2014, at 5:40 PM, Hanno Böck <hanno at hboeck.de> wrote:
> From what I hear a lot of people have a very high opinion on salsa20 or
> its successor chacha20. I have done some tests with openssh recently
> which supports now both rc4 and chacha20....  Why not stay on the safe side and use a stream cipher everybody out there thinks provides very high security?
The reasoning here disturbs me.  Use chacha20 because "everyone out there thinks [it] provides very high security"?  Was a poll taken of "everyone out there" for any reasonable definition of "everyone"?  And the *all* agreed?  Really?

RC4 has been around for much longer the chacha20, and has been subject to a hell of a lot more cryptanalytic attack.  So far, it's stood up remarkably well - especially when you consider how simple its basic ideas are, and how far cryptanalysis has advanced in the interim.  (RC4 was designed in 1987 - making it roughly contemporaneous with the publication of differential cryptanalysis, arguably the beginning of a serious public cryptanalytic capability.)

Perhaps chacha20 is the way to go.  I think the design behind it is a very nice bit of work, but whether it will stand the test of time is impossible to answer.

What *is* important, though, is to avoid the temptation to rush off after "the new shiny", just because it's new and shiny.  Even most cryptosystems proposed by the best in the business - and djb is certainly in that category - don't survive the community's attacks.
                                                        -- Jerry