[cryptography] 100 Gbps line rate encryption

Matthew Green matthewdgreen at gmail.com
Tue Jul 16 11:15:22 EDT 2013

The use of RC4 should be avoided even with the drop-N due to biases that occur later in the key stream. You should also be extremely careful about mixing IVs with the key. At a minimum you ought to use a modern cryptographic hash function -- there's no evidence that repeating key setup is sufficient to prevent correlations. 


In summary, don't use RC4. Don't use it carelessly with IVs. And don't use RC4. 

Consider using Salsa20 instead. 


On Jul 16, 2013, at 10:43 AM, Thor Lancelot Simon <tls at panix.com> wrote:

> On Tue, Jul 16, 2013 at 03:23:01AM -0400, William Allen Simpson wrote:
>> On 6/22/13 8:24 PM, Greg Rose wrote:
>>> On Jun 22, 2013, at 15:31 , James A. Donald <jamesd at echeque.com> wrote:
>>>> On 2013-06-23 6:47 AM, Peter Maxwell wrote:
>>>>> I think Bernstein's Salsa20 is faster and significantly more secure than RC4, whether you'll be able to design hardware to run at line-speed is somewhat more questionable though (would be interested to know if it's possible right enough).
>>>> I would be surprised if it is faster.
>>> Be surprised, then... almost all of the recent word- or block- oriented stream ciphers are faster than RC4. And NOTHING should still be using RC4; by today's standards it is quite insecure.
>> So I spent some (much too much) time reading old PPP archives on our
>> earlier discussions selecting an algorithm.  Sadly, 3DES was chosen,
>> but rarely implemented.
>> I cobbled together a draft based on old discussion for ARC4.  It
>> surely needs more work.  Although (as you mention) that's old stuff,
>> it has the advantage of having running code in most existing systems,
>> and could be rolled out quickly on high speed connections.
>> http://tools.ietf.org/html/draft-simpson-ppp-arc4-00
> If you're really going to publish a new RFC -- even an Experimental
> one -- using RC4, you should really use RC4-drop-N.  For even moderately
> sized packets and reasonable values of N, if you effectively rekey every
> packet, you will end up wasting 25-50% of the throughput of the system.
> Conclusion: RC4 is particularly poorly suited for this application
> in the modern day.
> Thor
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130716/8fd57775/attachment.html>

More information about the cryptography mailing list