[cryptography] 100 Gbps line rate encryption
Tor Erling Bjørstad
tor at mnemonic.no
Thu Jul 18 04:36:13 EDT 2013
[2013-07-18, William Allen Simpson]
>On 7/17/13 4:29 AM, Tor Erling Bjørstad wrote:
>>Regarding ESTREAM, disregard the hardware ciphers in the final
>> portfolio. That limits the number of algorithms to four. Of these,
>> I think Salsa20 is the only one that has obtained significant
>> adoption. However, if I were to pick another, I'd be partial
>> to HC-128 due to its simple (somewhat RC4-like) design and very
>> impressive software performance.
>>  http://nacl.cr.yp.to/stream.html
>And there's HC-256, according to wikipedia. But what about
>independent analysis? And is it really faster?
>Salsa20: 414 cycles per byte
>HC-256: 4 cycles per byte.
>HC-128: 3 cycles per byte.
>But HC-* has a huge per packet setup penalty!?!?
There was a fair amount of attention on HC from the international research
community during the ESTREAM competition (2005-2008). Most of it didn't
very far, and probably remains unpublished or lost . The findings that
have been made public are all pretty minor.
Certainly the two HC variants haven't received the kind of attention that
the SHA-3 finalists (or Salsa20, for that matter) has, but it is also clear
that researchers have been spending a not insignificant amount of
trying to break it. Whether that's "sufficient" analysis for some
use-case is hard to quantify.
What makes HC-* interesting to me is that it's pretty much as fast as one
gets it, for a strong pure software cipher encrypting long streams of data.
If one has a limited number of data streams that are pushing a huge number
of bits over the wire, HC-* seems pretty appealing. If the use-case instead
involves a zillion independent short packets that all need to be encrypted
with a unique key/IV combo, then HC's performance will indeed suck.
 I spent some time on cryptanalysis of HC at one point, and I also
remember working on it in a larger group at some of the meetings in Leuven.
The only notable result coming our of those efforts, was that all our ideas
were totally busted .
 This is, of course, the default outcome from cryptanalysis.
More information about the cryptography