Thread: AES Alternatives

  1. #1
    Member
    Join Date
    Sep 2007
    Location
    Denmark
    Posts
    878
    Thanks
    50
    Thanked 106 Times in 84 Posts

    AES Alternatives

    Both the runners-up for AES, aka Serpent and Twofish, are very well-known cryptos. How come there is so little focus/information about the eSTREAM portfolio?
    Well, besides Salsa20, which seems to be getting a lot of ground in its ChaCha20 form (Google),
    but I have almost never heard about NC-256 or Rabbit.
    I just happened to stumble upon them on Wikipedia.


    Why did they never really take off, at least as something ppl debate?
    Is there some kind of easy comparison of performance/security among these, especially vs. AES and the AES runners-up?
    Especially not-too-technical information about the cryptos.

  2. #2
    Administrator Shelwien's Avatar
    Join Date
    May 2008
    Location
    Kharkov, Ukraine
    Posts
    3,423
    Thanks
    223
    Thanked 1,052 Times in 565 Posts
    Here they have the requirements for AES: https://competitions.cr.yp.to/aes.html
    As you can see, it's not decided based on the cryptographic strength only.

    But I never heard of NC-256 or Rabbit, where did you find them?

  3. #3
    Member
    Join Date
    Sep 2007
    Location
    Denmark
    Posts
    878
    Thanks
    50
    Thanked 106 Times in 84 Posts
    Yeah, I know AES was chosen due to speed in the final, so it would be easier/faster to integrate and could get widespread support.

    Rabbit and NC-256 are other winners in eSTREAM, which is the European version of AES:
    https://en.wikipedia.org/wiki/ESTREAM
    Salsa20
    HC-128/256
    Rabbit

    But besides ChaCha20, the others, which are all from the same portfolio, are like forgotten myths.
    It's just funny to see how the AES semifinalists are very well known but the eSTREAM finalists are not getting any attention besides Salsa20 (ChaCha20).

    -- edit --
    I wrote NC-256. The real name is HC-256.

  4. #4
    Member SolidComp's Avatar
    Join Date
    Jun 2015
    Location
    USA
    Posts
    238
    Thanks
    95
    Thanked 47 Times in 31 Posts
    FYI, neither Salsa20 nor ChaCha is from Google. They're both from Daniel Bernstein.

  5. #5
    Member
    Join Date
    Sep 2007
    Location
    Denmark
    Posts
    878
    Thanks
    50
    Thanked 106 Times in 84 Posts
    Quote: Originally Posted by SolidComp
        FYI, neither Salsa20 nor ChaCha is from Google. They're both from Daniel Bernstein.

    Don't think anybody said it was from Google.

    But ChaCha20 is getting a lot of support from Google:
    https://security.googleblog.com/2014...ing-https.html
    https://vikingvpn.com/blogs/security...0-and-poly1305

    I just find it funny that in the AES competition both the runners-up (Serpent and Twofish) get a lot of attention,
    but even the finalists from eSTREAM, besides Salsa20 (ChaCha20), are like forgotten myths.

  6. #6
    Member
    Join Date
    Nov 2015
    Location
    boot ROM
    Posts
    92
    Thanks
    27
    Thanked 15 Times in 14 Posts
    Quote: Originally Posted by SvenBent
        Don't think anybody said it was from Google.

        But ChaCha20 is getting a lot of support from Google:
        https://security.googleblog.com/2014...ing-https.html
        https://vikingvpn.com/blogs/security...0-and-poly1305

        I just find it funny that in the AES competition both the runners-up (Serpent and Twofish) get a lot of attention,
        but even the finalists from eSTREAM, besides Salsa20 (ChaCha20), are like forgotten myths.

    I can imagine the following advantages of Salsa/ChaCha:
    1) Rather simple and fast. Even more or less OK on small MCUs and somesuch, like Cortex M. It can be better than AES in terms of speed and/or program memory & RAM requirements, as it mostly boils down to pure math, with fairly small state. It's possible to trade security vs speed by number of rounds. Even versions with a lower number of rounds haven't suffered major breakdowns (however, extra margin never hurts - it can eventually save the day).
    2) Designed by independent cryptographers, who are experts in the area and long-known proponents of crypto. It's hard to expect foul play from someone like DJB and his fellow cryptographers.
    3) There are numerous implementations - and these have been used for some years already. Without major known problems, as long as implementations are correct. DJB himself has a fairly brief and readable implementation in the TweetNaCl library, where the whole lib doing public key, signatures and symmetric crypto fits in a shy 100 (140-char) tweets.
    4) Plenty of cryptanalysis has been run, full versions have not faced any major problems so far, and even faster, lower-round versions faced only mild attacks, fairly useless in practice.

    So I'd say Salsa/ChaCha (they are quite similar in design) are fairly good things. Especially when you lack hardware AES. And actually, the whole idea of trusting hardware doing hell knows what, implemented hell knows how, jeopardizes security. Even if the implementation lacks backdoors, it can have unexpected data leak paths (e.g. timing attacks) and so on. As Spectre/Meltdown has shown us, CPU manufacturers are willing to take quite debatable shortcuts pursuing speed, and with no implementation sources available for scrutiny, the implementation is not to be trusted. At which point Salsa/ChaCha get the advantage of being fast even without HW acceleration, while the implementation can be thoroughly examined.

    P.S. The ECRYPT challenges, and also the SUPERCOP benchmark and the initiatives around it, have got a ton of various algos, including many things ppl never heard of. Some algos fell apart in early phases, some algos lasted longer. Before rushing to use a new cool algo, one has to consider the fact that it could be relatively poorly researched - and therefore eventually broken or so. Though it's relatively unlikely for algos surviving a few phases of such competitions, it can still happen. So the more an algo is used and researched, the better (as long as no major flaws are found).

  7. #7
    Member
    Join Date
    Sep 2007
    Location
    Denmark
    Posts
    878
    Thanks
    50
    Thanked 106 Times in 84 Posts
    I agree. I am a big fan of ChaCha20 (but don't really have enough knowledge for that to make a difference),
    and I've changed from using AES to ChaCha20 on devices with no AES-specific hardware (aka my phone).

    I did read into some ECRYPT and SUPERCOP, but I believe ECRYPT totally bonked, as none of the algos was found to be good enough, which then led into eSTREAM,
    and SUPERCOP (Asian?) did have such a veeery weird setup of recommendations that I gave up on it.

    I wonder if AES, Twofish and Serpent already had so much attention that there was only really room in that attention span for one more from eSTREAM.
    Or did Salsa/ChaCha20 just outperform the rest of the eSTREAM portfolio by such a big margin that we don't really care for the runners-up?

    Just wondering why NC-256 and Rabbit are so way unheard of.

  8. #8
    Member
    Join Date
    Sep 2007
    Location
    Denmark
    Posts
    878
    Thanks
    50
    Thanked 106 Times in 84 Posts
    My apologies, I messed up ECRYPT with NESSIE.

    NESSIE is the EU crypto competition where all the candidates failed.
