[Cryptography] RC4 again (actual security, scalability and other discussion)

Hanno Böck hanno at hboeck.de
Sun Mar 9 17:54:21 EDT 2014


On Sun, 9 Mar 2014 17:11:49 -0400
Theodore Ts'o <tytso at mit.edu> wrote:

> On Sun, Mar 09, 2014 at 12:33:44PM +0100, Hanno Böck wrote:
> > * Matthew Green thinks salsa20 is the way to go [1]. chacha20 is the
> >   successor of salsa20 with very few changes.
> 
> That's not really a fair summary of Matthew's blog entry.  To quote
> from his summary:
> 
>    "I realize none of the above actually tells you which AES
>    alternative to use, and that's mostly because I don't want to
>    legitimize the question. Unless your adversary is the NSA or you
>    have some serious performance constraints that AES can't satisfy,
>    my recommendation is to stick with AES -- it's the one standard
>    cipher that nobody gets fired for using."
> 
> He was recommending salsa20 only if you have performance requirements
> that can't be met by AES.  And given that many modern CPU chips have
> hardware support for AES, including Intel, Arm, and Power chipsets,
> presumably this mostly applies to people who need to implement
> software on legacy CPUs.
> 
> > * Adam Langley tries to improve SSL and thinks chacha20 is the way
> > to go [2]
> 
> And if you read Adam's blog post carefully, he added chacha20 as a
> _fallback_ cipher.  Since it is different from RC4 and AES, that's
> useful if you want something that will hopefully survive some new
> cryptographic attack that is able to make RC4 or AES fall.  But that's
> __not__ the same as saying that it's "the way to go".

We were discussing rc4 vs. chacha20, not AES vs. chacha20. Or in other
words: I think chacha20 is the stream cipher of choice these days.
Block ciphers are a different question (and we have plenty of them that
I'd feel comfortable with).

If people use AES I think that's pretty fine. No argument with that.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42