[cryptography] 100 Gbps line rate encryption
iang at iang.org
Wed Jul 17 08:42:24 EDT 2013
On 17/07/13 10:50 AM, William Allen Simpson wrote:
> Yes, folks have mentioned Salsa20. It doesn't seem as
> amenable to PPP packets as I would like.
I don't quite know what that means, but reading quickly:
it seems you are doing the same things as I and Zooko did a while ago
with what we termed SDP1. That is, a huge secret key shared previously
(out of scope) was used for key, IV and HMAC needs.
Thing is, you don't just need an encryption algorithm, you also need IV,
MAC, Padding concepts. (I agree that using a stream cipher obviates any
messing Padding needs and the 'mode' choice.)
FWIW, I'm planning on replacing my SDP1 in time with DJB's design for
Curve25519XSalsa20Poly1305, in part because his thinking is so happily
aligned -- one true cipher suite, comprehensively designed with great
thought to integrate all needs, to last for a long time.
> But as I was
> looking at it, it seemed he'd moved on to ChaCha. I'm
> behind the times on this....
He's an academic, he hasn't so much 'moved on' as published another
paper with a slight variation ;-)
> So, let's talk about what to choose for something fast and
> "modern" to implement in the next decade....
IMO, you should precisely recommend one complete suite and only one.
> We cannot
> recommend a dozen EU possibilities. We need something
> that's already had some significant analysis. Salsa20 or
> ChaCha? Discuss.
Some random comments.
I suspect that Salsa20 is still a more recommended thing, even by DJB.
In his one true crypto suite above (he calls it a cryptobox) he uses it
(or a variant/extension called XSalsa).
Salsa20 has also had 8 or so years academic scrutiny sparked by eStream.
(In the alternate, the differences between ChaCha and Salsa are pretty
slim, you could conceivably change that over at a late stage without
upsetting much demo implementation work.)
Implementing Salsa isn't so hard, most popular languages are done, and
there are test vectors from eStream. I got the test vectors
basically working in a few hours of work, using an implementation I
found on the net.
If you are working at the RFC level then I'd suggest it is better to
look forward and choose a modern suite.
Especially, as people haven't even started implementing as yet ... the
cost difference between Salsa20 and ARC4 *in implementation of the
overall protocol* is going to be trivial at this stage. A competent
cryptoplumber should be able to port in a weekend.
Also, IMHO, you are going to face a credibility barrier with ARC4, which
you will not face with Salsa20. In short, ARC4 doesn't pass the
cryptographer's laugh test. While you might not care (and frankly your
target market might even support a lightweight protection) you will find
it easier to get help in deployment if implementors respect the choice
 I haven't found them for XSalsa as yet. Don't know about ChaCha.