[Cryptography] recommending ChaCha20 instead of RC4 (RC4 again)
Zooko O'Whielacronx
zookog at gmail.com
Thu Mar 13 13:45:24 EDT 2014
On Thu, Mar 13, 2014 at 1:19 PM, <dan at geer.org> wrote:
>
> Let's stipulate that you are entirely correct. How do we react if we are to learn the lessons of history, etc.?
The lesson I take is that when you design a protocol today, someone
might want to deploy it into new, more constrained environments
tomorrow (eyeglasses, wristwatches, smart dust, Javascript, a
cryptocurrency blockchain, SNARKs, …) and the more efficient your
protocol is then the less likely they'll have a showstopper problem at
that point.
Fortunately there are well-studied cryptographic primitives available
today that are *both* secure and efficient, so we don't have to spend
a lot of energy trying to balance a difficult security-vs-efficiency
trade-off:
* cipher: ChaCha20
* Diffie-Hellman: Curve25519
* digsig: Ed25519
* MAC: Poly1305
* hash: BLAKE2
* KDF: HKDF
[Bias alert: I'm one of the authors of BLAKE2.]
Interesting to note that these are all designed by Daniel J.
Bernstein, except for HKDF and for BLAKE2, which re-uses the ChaCha
function as its core. However, I didn't choose these ones out of sheer
DJB-fandom, but rather these happen to be my current favorites.
There are also other good options for some of these.
Regards,
Zooko
More information about the cryptography
mailing list