科技回声 (TechEcho): a tech news platform built on Next.js, mirroring Hacker News stories and discussion. © 2025 科技回声. All rights reserved.

AES and ChaCha

40 points, by nimishk, 28 days ago

5 comments

johnea, 28 days ago

I thought more emphasis should have been given to DJB.

The article does mention that he created the ChaCha20 algorithm, and that he first characterized the timing side channel attack, but his extremely small, simple and fast source libraries are publicly available.

They are fully self-contained, no dependencies, and small enough to easily include in small-ish embedded systems:

https://nacl.cr.yp.to/

Elliptic curve vulnerability to quantum computing is discussed here:

https://pqcrypto.org/

DISCLAIMER: I'm not a crypto expert, just an occasional user.

DJB has been at the forefront of advancing crypto for decades, and has a very strong emphasis on simplicity and security. Any article on the subject really should reference his original source pages:

http://cr.yp.to/

I've always been a fan of "the DJB way", which is a very simple method of initializing and managing unix type systems. The voidlinux distro roughly follows these principles today.

Reply #43686039 not loaded
api, 28 days ago

ChaCha is in many ways better, but so far AES tends to win on most chips due to the existence of AES acceleration hardware. Without acceleration ChaCha is a lot faster, but with acceleration AES beats it quite a bit in both raw performance and power consumption.

Security-wise they are roughly equivalent in practice if they are used properly.

Reply #43684285 not loaded
jmclnx, 28 days ago

A little over my head, but I think it is a good article for people who understand encryption more than I do.

rot13 is my limit of understanding :) But I do like reading these articles.
DyslexicAtheist, 28 days ago

Every time ChaCha/Poly comes up I recall the ADRs of OTR documenting their rationale to switch from AES to ChaCha20 (see https://github.com/otrv4/otrv4/blob/master/architecture-decisions/001-security-level.md). The document nicely highlights why AES might not always be the best tool for the job:

> We use ChaCha20 as the encryption stream cipher because it is faster than AES in software-only implementations, it is not sensitive to timing attacks and has undergone rigorous analysis ([3], [4] and [5]). We chose this over AES as future advances in cryptanalysis might uncover security issues with it, its performance on platforms that lack dedicated hardware is slow, and many AES implementations are vulnerable to cache-collision timing attacks [[6]].
rainsford, 28 days ago

One underappreciated thing about ChaCha that I think a lot of people miss is that it's not just that the operations are simple, but DJB clearly spent almost as much time approaching the design as a computer engineer as he did as a cryptographer. He obviously thought about pipelining in modern processors, available registers, cache size, implementation details that made some operations faster with specific inputs, etc. It's unlikely a generic ARX construction could achieve the same security level with the same speed without similar careful consideration of non-cryptographic factors.