[Cryptography] recommending ChaCha20 instead of RC4 (RC4 again)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Mar 16 23:28:08 EDT 2014


dan at geer.org writes:

>Let's stipulate that you are entirely correct.  How do we react if we are to
>learn the lessons of history, etc.?  Can a lack of speedups-to-come be itself
>relied upon enough to factor that into design decisions yet to be made, such
>as to put aside any need to design in resistance to a sped-up future or to
>demand specialized chipsets for devices that will have no remote management
>interface?

What we're lacking to guide us in making decisions is any proper empirical
data.  The arguments for speedups-ueber-alles all tend to be along the lines
of "we need faster X, here's an anecdote about performance issues at the ISP
my drinking buddy Dave works for, therefore we need faster X".  There's very
little empirical data out there about what is and isn't possible, and what is
and isn't needed.  The example I keep using of where this leads is the
ridiculous requirements imposed on smart meters, in which regulators throw
everything in whatever textbook they read recently at a system with 8kB of RAM
and an 8051.  The result is something that often doesn't provide the security
that's required (or at least if someone sat down to write out a threat model,
which is rarely the case, then the "security" measures would do little to
address it), and is physically impossible to implement in the target device.
The result is fig-leaf security, doing just enough [0] to claim some sort of
compliance with the requirements without actually providing any security.

Peter.

[0] "Just enough" doesn't necessarily mean doing the bare minimum; it's often
the case that the hardware can't do anything like what's required, so the
result is compliance engineering, doing whatever the hardware can manage while
still squeaking past the compliance requirements.
