[cryptography] Google's QUIC

ianG iang at iang.org
Wed Jul 3 06:24:54 EDT 2013

On 3/07/13 12:37 PM, Eugen Leitl wrote:
> ----- Forwarded message from Saku Ytti <saku at ytti.fi> -----
> Date: Tue, 2 Jul 2013 21:35:58 +0300
> From: Saku Ytti <saku at ytti.fi>
> To: nanog at nanog.org
> Subject: Re: Google's QUIC
> User-Agent: Mutt/1.5.21 (2010-09-15)
> On (2013-06-29 23:36 +0100), Tony Finch wrote:
>> Reminds me of MinimaLT: http://cr.yp.to/tcpip/minimalt-20130522.pdf
> Now that I read separate 'QUIC Crypto' page. It sounds bit of a deja vu.
> QUIC also uses Curve25519 pubkey and Salsa20 cipher, which is hard to
> attribute as chance, considering both are DJB's work, both are used by his
> NaCl library and by extension by MinimaLT. Neither is particularly common
> algorithm.

It's not the choice of algorithm that is "by chance" it is the choice of 
suite as a design decision that matters.

I also would like to use the same ciphersuite, but the reason is that 
DJB has already done the work to define the entire suite, saving me from 
doing it.  This is quite a saving for me, and hasn't hitherto existed as 
an external service.  Last time it took over a month of hard research 
and learning to settle on RSA/AES128/CBC/SHA1/HMAC/Encrypt-then-mac.

As an added bonus, DJB came up with a shorter, catchier name:


In the past, things like TLS, PGP, IPSec and others encouraged you to 
slice and dice the various algorithms as a sort of alphabet soup mix. 
Disaster.  What we got for that favour was code bloat, insecurity at the 
edges, continual arguments as to what is good & bad, focus on numbers & 
acronyms, distraction from user security, entire projects that rate your 
skills in cryptoscrabble, committeeitus, upgrade nightmares, 
pontification ...

Cryptoplumbing shouldn't be like eating spagetti soup with a toothpick.

There should be One Cipher Suite and that should do for everyone, 
everytime.  There should be no way for users to stuff things up by 
tweaking a dial they read about in some slashdot tweakabit article while 
on the train to work.

> I'm not implying QUIC plagiarizes MinimaLT, there are differences in the
> protocol, just choice of the algorithm implies QUIC authors are aware of
> MinimaLT.

Picking curve25519xsalsa20poly1305 is good enough for that One True 
CipherSuite motive alone, and doesn't imply any other sort of copying 
one might have seen.  It's an innovation!  Adopt it.


More information about the cryptography mailing list