[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Feb 15 04:26:53 EST 2021


jrzx <jrzx at protonmail.ch> writes:

>The stream cipher AES-GCM is impossible for mortals to get right, and I would
>not attempt to do so.
>
>But the stream ciphers ChaCha20 and XChaCha20 seem to me to be as easy as
>falling off a log.

AES-RC4 is almost easy to use (correctly) compared to ChaCha20-RC4, which is a
block cipher pretending to be a stream cipher combined with incredibly awkward
and complex keying requirements.  In fact ChaCha20-Poly1305 is probably the
hardest-to-use cipher I've ever encountered - there's a 46-page RFC, RFC8439,
most of which is devoted to all the hoops you have to jump through to key the
thing correctly, with the cipher itself only being about 20 lines of text in
section 2.1.  Every single instance of its use that I've looked at, although
admittedly a very small sample, has got it wrong, usually in several different
places, typically in keying, IV use, and blocking.

After the last audit I did of some code that got it wrong in multiple places I
started working on a writeup on this which begins:

  libhairshirt vs libfootgun

  This is a discussion of two crypto libraries, libhairshirt and libfootgun.

  * In libhairshirt, the crypto is hard to use, and the API is hard to use.

  * In libfootgun, the crypto is incredibly hard to use safely but the API
    makes it look really easy to use.

I really must get back to that some time... and to update your comment:

  Using the stream ciphers ChaCha20 and XChaCha20 incorrectly is as easy as
  falling off a log.

Peter.

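As an added illustration, not from Peter's post or from any library, here is the RFC 8439 construction he refers to written out in plain Python (ChaCha20 block function, Poly1305 and the AEAD wrapper), so that the steps where implementations usually slip are visible: the Poly1305 one-time key taken from keystream block 0, data encrypted from block 1, the 16-byte padding and length trailer over AAD and ciphertext, and tag verification before any plaintext is released. It assumes the RFC's 96-bit nonce and 32-bit block counter, which must never repeat under one key; the function names are mine.

```python
import hmac, struct

def _qr(s, a, b, c, d):
    # ChaCha quarter round (RFC 8439 section 2.1), applied in place to the word list s
    for rot_d, rot_b in ((16, 12), (8, 7)):
        s[a] = (s[a] + s[b]) & 0xffffffff; s[d] ^= s[a]; s[d] = ((s[d] << rot_d) | (s[d] >> (32 - rot_d))) & 0xffffffff
        s[c] = (s[c] + s[d]) & 0xffffffff; s[b] ^= s[c]; s[b] = ((s[b] << rot_b) | (s[b] >> (32 - rot_b))) & 0xffffffff

def chacha20_block(key, counter, nonce):
    # One 64-byte keystream block from a 32-byte key, 32-bit block counter and 12-byte nonce (section 2.3)
    assert len(key) == 32 and len(nonce) == 12, "RFC 8439 needs a 256-bit key and a 96-bit nonce"
    st = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = st[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(w, *q)
    return struct.pack("<16I", *[(x + y) & 0xffffffff for x, y in zip(w, st)])

def chacha20(key, counter, nonce, data):
    # XOR data with consecutive keystream blocks starting at the given counter (section 2.4)
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], chacha20_block(key, counter + i // 64, nonce)))
    return bytes(out)

def poly1305(otk, msg):
    # Poly1305 (section 2.5): r is clamped, each 16-byte chunk gets a 0x01 byte appended, s is added last
    r = int.from_bytes(otk[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    acc, p = 0, (1 << 130) - 5
    for i in range(0, len(msg), 16):
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % p
    return ((acc + int.from_bytes(otk[16:], "little")) & ((1 << 128) - 1)).to_bytes(16, "little")

def _mac_data(aad, ct):
    # pad16(AAD) || pad16(ciphertext) || len(AAD) || len(ciphertext), lengths as 64-bit little-endian (section 2.8)
    return aad + b"\x00" * (-len(aad) % 16) + ct + b"\x00" * (-len(ct) % 16) + struct.pack("<QQ", len(aad), len(ct))

def aead_encrypt(key, nonce, aad, plaintext):
    # The Poly1305 one-time key is keystream block 0; the data is encrypted from block 1
    otk = chacha20_block(key, 0, nonce)[:32]
    ct = chacha20(key, 1, nonce, plaintext)
    return ct, poly1305(otk, _mac_data(aad, ct))

def aead_decrypt(key, nonce, aad, ct, tag):
    # Constant-time tag check before any plaintext is released; returns None on failure
    otk = chacha20_block(key, 0, nonce)[:32]
    if not hmac.compare_digest(poly1305(otk, _mac_data(aad, ct)), tag):
        return None
    return chacha20(key, 1, nonce, ct)
```

A quick way to check such an implementation is the RFC's own section 2.8.2 test vector (key 80..9f, nonce 07000000 || 40..47, AAD 50515253c0c1c2c3c4c5c6c7, the "Ladies and Gentlemen" plaintext), which must yield tag 1ae10b594f09e26a7e902ecbd0600691.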