[cryptography] 100 Gbps line rate encryption

ianG iang at iang.org
Wed Jul 17 08:42:24 EDT 2013


Hi Bill,

On 17/07/13 10:50 AM, William Allen Simpson wrote:
> Yes, folks have mentioned Salsa20.  It doesn't seem as
> amenable to PPP packets as I would like.

I don't quite know what that means, but reading quickly:
http://tools.ietf.org/html/draft-simpson-ppp-arc4-00
it seems you are doing the same things as I and Zooko did a while ago 
with what we termed SDP1.  That is, a huge secret key shared previously 
(out of scope) was used for key, IV and HMAC needs.

Thing is, you don't just need an encryption algorithm, you also need IV, 
MAC, Padding concepts.  (I agree that using a stream cipher obviates any 
messing Padding needs and the 'mode' choice.)

FWIW, I'm planning on replacing my SDP1 in time with DJB's design for 
Curve25519XSalsa20Poly1305, in part because his thinking is so happily 
aligned -- one true cipher suite,  comprehensively designed with great 
thought to integrate all needs, to last for a long time.


> But as I was
> looking at it, is seemed he'd moved on to ChaCha.  I'm
> behind the times on this....

He's an academic, he hasn't so much 'moved on' as published another 
paper with a slight variation ;-)

> So, let's talk about what to choose for something fast and
> "modern" to implement in the next decade....

IMO, you should precisely recommend one complete suite and only one.

> We cannot
> recommend a dozen EU possibilities.  We need something
> that's already had some significant analysis.  Salsa20 or
> ChaCha?  Discuss.


Some random comments.

I suspect that Salsa20 is still a more recommended thing, even by DJB. 
In his one true crypto suite above (he calls it a cryptobox) he uses it 
(or a variant/extension called XSalsa).

Salsa20 has also had 8 or so years academic scrutiny sparked by eStream.

(In the alternate, the differences between ChaCha and Salsa is pretty 
slim, you could conceivably change that over at a late stage without 
upsetting much demo implementation work.
https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant )

Implementing Salsa isn't so hard, most popular languages are done, and 
there are test vectors from eStream [0].  I got the test vectors 
basically working in a few hours of work, using an implementation I 
found on the net.

If you are working at the RFC level then I'd suggest it is better to 
look forward and choose a modern suite.

Especially, as people haven't even started implementing as yet ... the 
cost difference between Salsa 20 and ARC4 *in implementation of the 
overall protocol* is going to be trivial at this stage.  A competent 
cryptoblumber should be able to port in a weekend.

Also, IMHO, you are going to face a credibility barrier with ARC4, which 
you will not face with Salsa20.  In short, ARC4 doesn't pass the 
cryptographer's laugh test.  While you might not care (and frankly your 
target market might even support a lightweight protection) you will find 
it easier to get help in deployment if implementors respect the choice 
of cryptosuite.





iang


[0]  I haven't found them for XSalsa as yet.  Don't know about ChaCha.


More information about the cryptography mailing list