[noise] Lightweight ciphers and Noise

Trevor Perrin trevp at trevp.net
Wed Nov 22 02:04:18 PST 2017


On Wed, Nov 22, 2017 at 8:25 AM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
>> > We may want to have a separate discussion as to when it is acceptable
>> > to use 64-bit block ciphers with Noise.
[...]
>>
>> The Noise spec currently has a discussion about the (small) security
>> concern with large data volumes and 128-bit block ciphers like AES.
>> So I'd prefer if things went the other direction (towards PRFs like
>> ChaCha with *less* risk than 128-bit PRPs; rather than towards more
>> risk and tighter limits).
>
>
> Fair enough.  Given that Speck is so fast, it should be possible for someone
> to design a 256-bit or 512-bit block cipher using the same idea, but I don't
> have the necessary math skills to try so I won't.  Speck got some of its
> ideas from Threefish.  I vaguely recall someone on the cryptography mailing
> list (Dan Bernstein maybe?) talking about Speck variants with larger block
> sizes a year or so ago.  Maybe someone has a link?  I haven't yet
> implemented Threefish-256 on Arduino but maybe I should give it a try.

My 2c: All that is way too creative.  For actual use you want
well-studied, widely-available crypto, so just optimizing and
verifying the common algorithms (e.g. ChaChaPoly) is much more
worthwhile.


Trevor

