related blog post from agl: <a href="https://www.imperialviolet.org/2013/10/07/chacha20.html" rel="nofollow">https://www.imperialviolet.org/2013/10/07/chacha20.html</a>
I think it's an interesting idea, but I admit I'm a bit surprised at the choice of ChaCha20. The related Salsa20 algorithm has received far more public analysis, and while ChaCha20 has some interesting (if minor) performance and theoretical security improvements, they don't seem worth giving up the assurance you get from the extra review of Salsa20.
Why does DJ Bernstein advocate using a counter for <i>r</i> (see section 3 of the Poly1305 paper)? This RFC uses a random value (derived from the one-time key), which seems reasonable to me (I think there are 106 bits available, so you're getting a collision in 53 bits, which at 1000 connections a second is over 10^5 years).<p>It just seems odd to go to the effort of specifying how to safely implement a counter in some detail in the paper when a random value seems fine (it's also quite possible I've misunderstood something; these are all new to me).
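Added example, not part of any comment above and not code from the RFC draft or from agl's post: where the "106 bits available" figure for a random Poly1305 <i>r</i> comes from, and the birthday-bound arithmetic behind the "over 10^5 years" estimate. The clamp applied to <i>r</i> is Poly1305's published one (clear the top four bits of bytes 3, 7, 11 and 15 and the low two bits of bytes 4, 8 and 12); the 1000 connections per second rate is the assumption the comment makes, and the Julian year length is mine.

```python
# Added example (not from the thread above): Poly1305's clamp on r, the
# number of free bits it leaves, and the birthday bound at a given rate.

def clamp_r(r: bytes) -> bytes:
    """Apply Poly1305's clamp to the 16-byte r (little-endian key half).

    The Poly1305 paper and the RFC both require this before r is used.
    """
    if len(r) != 16:
        raise ValueError("r must be exactly 16 bytes")
    out = bytearray(r)
    for i in (3, 7, 11, 15):   # top 4 bits of these bytes must be zero
        out[i] &= 0x0F
    for i in (4, 8, 12):       # low 2 bits of these bytes must be zero
        out[i] &= 0xFC
    return bytes(out)


def free_bits_in_r() -> int:
    """Count the bits of r that survive clamping.

    Clamping an all-ones r and counting the set bits gives the number of
    bits a random r actually contributes: 128 - 4*4 - 3*2 = 106.
    """
    clamped = clamp_r(b"\xff" * 16)
    return bin(int.from_bytes(clamped, "little")).count("1")


def years_to_expected_collision(bits: int, per_second: float,
                                seconds_per_year: float = 365.25 * 86400) -> float:
    """Birthday bound: a collision among random `bits`-bit values becomes
    likely after about 2**(bits/2) samples. Convert that sample count into
    years at `per_second` fresh values per second (rate is an assumption,
    matching the 1000 connections/second used in the comment).
    """
    samples = 2.0 ** (bits / 2)
    return samples / per_second / seconds_per_year


if __name__ == "__main__":
    bits = free_bits_in_r()
    print(f"free bits in clamped r: {bits}")            # 106
    print(f"collision expected after ~2^{bits // 2} values")
    print(f"at 1000/s that is about {years_to_expected_collision(bits, 1000):.3g} years")
```

`free_bits_in_r()` returns 106, so the birthday bound is around 2^53 values; at 1000 values per second that is roughly 2.9 x 10^5 years, which is the "over 10^5 years" in the comment. The estimate says nothing about whether a counter or a random value is the better engineering choice, only that the random-<i>r</i> collision probability is the figure quoted.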