Re: [TLS] chacha to replace RC4 (was: Salsa vs. ChaCha)

Robert Ransom <> Fri, 06 December 2013 12:54 UTC

From: Robert Ransom <>
To: Nikos Mavrogiannopoulos <>

On 12/6/13, Nikos Mavrogiannopoulos <> wrote:
> On Thu, 2013-11-28 at 04:30 +0000, Samuel Neves wrote:
>>  - Zooko has mentioned BLAKE and its success against cryptanalysis, but
>> as noted this does not translate to a useful security reduction. It is
>> worth pointing out, however, that cryptographers chose to base the core
>> of their algorithm in the ChaCha quarter-round rather than the Salsa
>> quarter-round. This suggests equal or more confidence in ChaCha (see
>> also [4]).
> To speed things up, we have submitted an alternative draft that replaces
> RC4 with Chacha [0] instead of Salsa20. This draft is based on the 20
> round variant of chacha.
> We believe there are merits in selecting a winner of a cryptographic
> competition, but given your comments and that Chacha was the
> recommendation of the CFRG there is no need to delay things if Chacha vs
> Salsa20 is the only issue to replace RC4.

The other issue in replacing RC4 with Salsa20 or ChaCha is that the
currently available efficient implementations of Salsa20 and ChaCha
encrypt a whole message at once, rather than incrementally generating
a stream as with RC4.  (And modifying them to do the latter would add
considerable complexity -- if it must be done, I would generate 3 or 4
blocks of output at a time and have some other piece of code XOR the
keystream with the data.)

Salsa20 and ChaCha are meant to be used as in Adam Langley's draft,
not as replacements for RC4.

Robert Ransom
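
Added example (not part of the original message, and not code from any draft or library mentioned in the thread): a sketch of the incremental interface the message describes, where keystream is generated a few blocks at a time into a buffer and a separate step XORs it with the data. The names `chacha20_block`, `BufferedChaCha`, `encrypt_whole` and `blocks_per_refill` are hypothetical, and the state layout assumed is the original ChaCha one (64-bit block counter, 64-bit nonce).

```python
import struct

MASK = 0xFFFFFFFF
CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")
# Four column quarter-rounds followed by four diagonal quarter-rounds.
QR_INDICES = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
              (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _quarter_round(x, a, b, c, d):
    for rot_d, rot_b in ((16, 12), (8, 7)):
        x[a] = (x[a] + x[b]) & MASK
        x[d] = _rotl(x[d] ^ x[a], rot_d)
        x[c] = (x[c] + x[d]) & MASK
        x[b] = _rotl(x[b] ^ x[c], rot_b)

def chacha20_block(key, nonce, counter):
    """Return one 64-byte keystream block (32-byte key, 8-byte nonce)."""
    ctr = (counter & MASK, (counter >> 32) & MASK)
    state = (CONSTANTS + struct.unpack("<8I", key) + ctr
             + struct.unpack("<2I", nonce))
    x = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        for idx in QR_INDICES:
            _quarter_round(x, *idx)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, state)))

class BufferedChaCha:
    """RC4-style incremental use: buffer a few blocks, XOR in a separate step."""
    def __init__(self, key, nonce, blocks_per_refill=4):
        self.key, self.nonce, self.n = key, nonce, blocks_per_refill
        self.counter, self.buf = 0, b""

    def update(self, data):
        while len(self.buf) < len(data):  # refill several blocks at a time
            self.buf += b"".join(chacha20_block(self.key, self.nonce, self.counter + i)
                                 for i in range(self.n))
            self.counter += self.n
        ks, self.buf = self.buf[:len(data)], self.buf[len(data):]
        return bytes(d ^ k for d, k in zip(data, ks))

def encrypt_whole(key, nonce, msg):
    """Whole-message mode: generate exactly the blocks needed, then XOR once."""
    ks = b"".join(chacha20_block(key, nonce, i) for i in range(-(-len(msg) // 64)))
    return bytes(m ^ k for m, k in zip(msg, ks))
```

The buffered object has to carry the block counter and the unused keystream bytes between calls, which is the extra state and complexity a whole-message implementation avoids.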