[Cryptography] RC4 again (actual security, scalability and other discussion)

Theodore Ts'o tytso at mit.edu
Sun Mar 9 17:11:49 EDT 2014

On Sun, Mar 09, 2014 at 12:33:44PM +0100, Hanno Böck wrote:
> * Matthew Green thinks salsa20 is the way to go [1]. chacha20 is the
>   successor of salsa20 with very few changes.

That's not really a fair summary of Matthew's blog entry.  To quote
from his summary:

   "I realize none of the above actually tells you which AES
   alternative to use, and that's mostly because I don't want to
   legitimize the question. Unless your adversary is the NSA or you
   have some serious performance constraints that AES can't satisfy,
   my recommendation is to stick with AES -- it's the one standard
   cipher that nobody gets fired for using."

He was recommending salsa20 only if you have performance requirements
that can't be met by AES.  And given that many modern CPU chips have
hardware support for AES, including Intel, Arm, and Power chipsets,
presumably this mostly applies to people who need to implement
software on legacy CPU's.

> * Adam Langley tries to improve SSL and thinks chacha20 is the way to
>   go [2]

And if you read Adam's blog post carefully, he added chacha20 as a
_fallback_ cipher.  Since it is different from RC4 and AES, that's
useful if you want something that will hopefully survive some new
cryptographic attack that is able to make RC4 or AES fall.  But that's
__not__ the same as saying that it's "the way to go".


						- Ted

> [1]
> http://blog.cryptographyengineering.com/2012/10/so-you-want-to-use-alternative-cipher.html
> [2] https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html

More information about the cryptography mailing list