Blake2b has a lightning-fast compression function with more-than-overkill security even against quantum attacks. It seems to be based on ChaCha, but with 64-bit words and different rotation constants.

Is it possible to use this compression function with feed-forward as a stream cipher? If not, would a different variation on ChaCha with a 64-bit word size be secure?

Demi
  • I see no reason why it shouldn't be secure with sufficient rounds. But if you have access to SIMD instructions, ChaCha should be just as fast, so I don't really see a reason to use 64-bit ChaCha. – CodesInChaos Mar 30 '16 at 07:33
  • @CodesInChaos, since Blake2b uses double the state size, if it can get away with fewer than twice the rounds it can be faster with long messages. Either way, having a larger state size means it has a different tradeoff between short vs. long message performance. – otus Mar 30 '16 at 10:44
  • @otus Using SIMD, two 32-bit operations have the same cost as one 64-bit operation. Thus using the same number of rounds for 32- and 64-bit ChaCha would result in the same performance. As far as I can tell, the 64-bit variant is only faster when you can't use SIMD on a 64-bit CPU. – CodesInChaos Mar 30 '16 at 10:47
  • @CodesInChaos, you can interleave/pipeline more operations if you have a larger state size. However, I agree that it is far from clear it gives you a faster cipher. – otus Mar 30 '16 at 10:51
  • @otus Since ChaCha runs in CTR mode, you can operate on as many blocks at the same time as you want. Typical SIMD ChaCha implementations work on two or three blocks. Hashing is different, because one block depends on the output of the previous block and parallelizable modes come with extra overhead. – CodesInChaos Mar 30 '16 at 10:58
  • @CodesInChaos, you've convinced me that it is unlikely it would help. Still, ChaCha does leave over half the potential SIMD throughput on the table and with 64-bit words the non-SIMD resources are also significant, so I wouldn't totally rule it out. – otus Mar 30 '16 at 12:57
  • @CodesInChaos, my motivation for the idea was to provide 256-bit security against quantum computers. The idea is to create a cipher that cannot be broken with the computing power of the observable Universe. – Demi Apr 01 '16 at 23:34
  • @Demi If you can forgo using an IV, ChaCha can be effectively made into a 384-bit stream cipher. – forest Dec 25 '18 at 10:57
  • ChaCha as is already provides adequate security even against a quantum adversary in the multi-user setting. There's no need to use a larger key. – Squeamish Ossifrage Mar 08 '19 at 07:03
