[Cryptography] recommending ChaCha20 instead of RC4 (RC4 again)

Zooko O'Whielacronx zookog at gmail.com
Thu Mar 13 13:45:24 EDT 2014

On Thu, Mar 13, 2014 at 1:19 PM,  <dan at geer.org> wrote:
> Let's stipulate that you are entirely correct.  How do we react if we are to learn the lessons of history, etc.?

The lesson I take is that when you design a protocol today, someone
might want to deploy it into new, more constrained environments
tomorrow (eyeglasses, wristwatches, smart dust, Javascript, a
cryptocurrency blockchain, SNARKs, …) and the more efficient your
protocol is then the less likely they'll have a showstopper problem at
that point.

Fortunately there are well-studied cryptographic primitives available
today that are *both* secure and efficient, so we don't have to spend
a lot of energy trying to balance a difficult security-vs-efficiency

* cipher: ChaCha20
* Diffie-Hellman: Curve25519
* digsig: Ed25519
* MAC: Poly1305
* hash: BLAKE2

[Bias alert: I'm one of the authors of BLAKE2.]

Interesting to note that these are all designed by Daniel J.
Bernstein, except for HKDF and for BLAKE2, which re-uses the ChaCha
function as its core. However, I didn't choose these ones out of sheer
DJB-fandom, but rather these happen to be my current favorites.

There are also other good options for some of these.



More information about the cryptography mailing list