[cryptography] 100 Gbps line rate encryption

Tor Erling Bjørstad tor at mnemonic.no
Thu Jul 18 04:36:13 EDT 2013


[2013-07-18, William Allen Simpson]
>On 7/17/13 4:29 AM, Tor Erling Bjørstad wrote:
>>Regarding ESTREAM, disregard the hardware ciphers in the final
>> portfolio. That limits the number of algorithms to four. Of these,
>> I think Salsa20 is the only one that has obtained significant
>> adoption. However, if I were to pick another, I'd be partial
>> to HC-128 due to its simple (somewhat RC4-like) design and very
>> impressive software performance.
>>
>> [1] http://nacl.cr.yp.to/stream.html
>>
>And there's HC-256, according to wikipedia.  But what about
>independent analysis?  And is it really faster?
>
>Salsa20: 4­14 cycles per byte
>
>HC-256: 4 cycles per byte.
>HC-128: 3 cycles per byte.
>
>But HC-* has a huge per packet setup penalty!?!?

There was a fair amount of attention on HC from the international research
community during the ESTREAM competition (2005-2008). Most of it didn't
lead
very far, and probably remains unpublished or lost [1]. The findings that
have been made public are all pretty minor.

Certainly the two HC variants haven't received the kind of attention that
the SHA-3 finalists (or Salsa20, for that matter) has, but it is also clear
that researchers have been spending a not insignificant amount of
brainpower
trying to break it. Whether that's "sufficient" analysis for some
particular
use-case is hard to quantify.

What makes HC-* interesting to me is that it's pretty much as fast as one
gets it, for a strong pure software cipher encrypting long streams of data.
If one has a limited number of data streams that are pushing a huge number
of bits over the wire, HC-* seems pretty appealing. If the use-case instead
involves a zillion independent short packets that all need to be encrypted
with a unique key/IV combo, then HC's performance will indeed suck.

Cheers, Tor

[1] I spent some time on cryptanalysis of HC at one point, and I also
remember working on it in a larger group at some of the meetings in Leuven.
The only notable result coming our of those efforts, was that all our ideas
were totally busted [2].

[2] This is, of course, the default outcome from cryptanalysis.



More information about the cryptography mailing list