[Cryptech Core] cha cha

Steven M. Bellovin smb at cs.columbia.edu
Mon Mar 10 23:06:49 UTC 2014


On Mar 4, 2014, at 9:09 AM, Randy Bush <randy at psg.com> wrote:

>> If memory serves, it's by Dan Bernstein, which means it's probably (a)
>> competently done, and (b) quirky...
> 
> question is how well is it understood, tested, ...
> 
> you saw, and contributed to, the discussion on the tech at cryptech list.

Yes.  I'm still slightly uneasy, because it's lightly analyzed.  Joachim
says there are only two papers that look at it.  That it's "based on"
Salsa20 is good, but I'm not competent to evaluate the changes -- algorithm
design is a really subtle subject, and it's one I have no particular skill
in.  Have a look at the abstracts of 

	http://link.springer.com/chapter/10.1007/11941378_2
	https://www.cosic.esat.kuleuven.be/ecrypt/stream/papersdir/2007/010.pdf
	http://eprint.iacr.org/2005/375.pdf

Now, Salsa20 has 20 rounds; I don't know if these even rise to the level
of certificational attacks.  The EU eSTREAM project has accepted Salsa20
(see http://www.ecrypt.eu.org/documents/D.SYM.10-v1.pdf, those attacks
notwithstanding), and I have to believe that they're competent.

The question is whom to ask about ChaCha.  I know several people who are 
competent to understand this, but I don't know most of them well enough to
ask, and djb tends to make enemies.

Honestly, I suspect that AES is fine, but for obvious political reasons it
won't fly.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb
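The "changes" from Salsa20 that the message says are hard to evaluate are concrete and small: ChaCha replaces Salsa20's quarter-round with one that updates every word twice per call, and lays the state out so that rounds alternate over columns and diagonals. The Python below is an added illustration for readers of this thread, not code from the Cryptech project or from the message's author. It implements both quarter-rounds (checked against the published test vectors from the Salsa20 and ChaCha20/RFC 8439 specifications), and a 20-round ChaCha20 block and XOR-keystream function using the RFC 8439 state layout (32-byte key, 32-bit counter, 12-byte nonce). The key, nonce and message in the usage section are constructed sample values.

```python
"""Salsa20 vs ChaCha quarter-rounds, plus a ChaCha20 block function.
Added illustration; not Cryptech code."""
import struct

MASK = 0xFFFFFFFF


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) & MASK) | (x >> (32 - n))


def salsa20_quarter_round(y0, y1, y2, y3):
    """Salsa20 quarter-round: each word is updated once, from the sum of two others."""
    z1 = y1 ^ rotl32((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl32((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl32((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl32((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def chacha_quarter_round(a, b, c, d):
    """ChaCha quarter-round: add-rotate-xor, every word updated twice per call."""
    a = (a + b) & MASK; d = rotl32(d ^ a, 16)
    c = (c + d) & MASK; b = rotl32(b ^ c, 12)
    a = (a + b) & MASK; d = rotl32(d ^ a, 8)
    c = (c + d) & MASK; b = rotl32(b ^ c, 7)
    return a, b, c, d


# Column and diagonal index sets of the 4x4 ChaCha state (RFC 8439 layout).
COLUMNS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONALS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """Return one 64-byte keystream block: 10 double rounds (20 rounds total),
    then the initial state is added back word by word."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 (RFC 8439) needs a 32-byte key and 12-byte nonce")
    constants = struct.unpack("<4I", b"expand 32-byte k")
    state = (list(constants) + list(struct.unpack("<8I", key))
             + [counter & MASK] + list(struct.unpack("<3I", nonce)))
    x = state[:]
    for _ in range(10):
        for a, b, c, d in COLUMNS:      # column round
            x[a], x[b], x[c], x[d] = chacha_quarter_round(x[a], x[b], x[c], x[d])
        for a, b, c, d in DIAGONALS:    # diagonal round
            x[a], x[b], x[c], x[d] = chacha_quarter_round(x[a], x[b], x[c], x[d])
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK for i in range(16)])


def chacha20_xor(key: bytes, counter: int, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        block = chacha20_block(key, counter + offset // 64, nonce)
        out.extend(m ^ k for m, k in zip(data[offset:offset + 64], block))
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample values, not test vectors from any specification.
    key = bytes(range(32))
    nonce = bytes(12)
    msg = b"constructed test message" * 5
    ct = chacha20_xor(key, 1, nonce, msg)
    assert chacha20_xor(key, 1, nonce, ct) == msg
    print(ct.hex())
```

Lining the two quarter-rounds up side by side is the quickest way to see what the eSTREAM-era Salsa20 analyses in the links above do and do not cover: the round count and the add-rotate-xor structure carry over, but the ChaCha round touches each word twice and uses different rotation distances, so the differential and linear properties studied for Salsa20 do not transfer automatically.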


