Home
- Symmetric stream ciphers
- Message authentication code
AEAD is a better solution then directly using any of the listed algorithms; it ensures better integrity and can prevent developer errors.
ChaCha20 and Salsa20, a symmetric stream ciphers; and Poly1305, a code authenticator. All three of these cryptographic primitives were invented by Professor Dan Bernstein (djb) back in 2008 and 2005, respectively. They have been thoroughly vetted by academia and battle tested in Chrome for over a year.
- Intrinsically simpler than AES (easier to review and understand)
- Easier to implement (less prone to errors)
- As an ARX¹ design, doesn't need S-boxes, and so doesn't leave a cache footprint (cache-timing attacks)
- Designed against side-channel attacks (AES without using AES-NI is vulnerable)
- Has free key setup
- Is a stream cipher by default (allowing random access over AES²)
- Does not need padding³ the output unlike AES⁴
- Designed for performance without requiring HW instructions (AES-NI⁵)
- Crypto analysed, not broken by any attack to this date
- Adopted by IETF as RFC 7539 (obsolete), RFC 8439 standart, used in SSH and TLS 1.3 Cipher Suites, Microsoft added support for ChaCha20 in Windows 10.
¹ Addition-Rotation-Xor
² AES-CTR supports random access
³ In order to keep the ciphertext the same length as the plaintext
⁴ AES-CTR does not require padding
⁵ Instruction set for CPUs to support AES HW acceleration
They are just more efficient in some calculations than normal machines as they can exploit specific features of quantum computing. However best known attack (Grover’s algorithm) on a safe 256-bit symmetric cipher would still require ~2^128 operations (which is considered a lot) using brute-force attack to break it. So answer is no, not a chance...
Symmetric block ciphers and stream ciphers tend to use highly non-linear components which destroy any useful relations between inputs/outputs.
Any quantum solution to the problem needs to evaluate the function
times, so Grover's algorithm is asymptotically optimal.
https://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/
https://tools.ietf.org/html/rfc7539
https://tools.ietf.org/html/rfc8439
https://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-06
http://cr.yp.to/snuffle/salsafamily-20071225.pdf
https://cr.yp.to/chacha/chacha-20080128.pdf
https://cr.yp.to/snuffle/xsalsa-20110204.pdf
https://cr.yp.to/mac/poly1305-20050329.pdf
https://cr.yp.to/mac.html
https://cr.yp.to/papers.html
https://www.ecrypt.eu.org/stream/salsa20p3.html
https://eprint.iacr.org/2013/759.pdf
https://crypto.stackexchange.com/questions/58056/quantum-resistance-characteristics-why-symmetric#58067