AES is the gold standard for symmetric encryption. It is highly trusted and highly secure. Do any other symmetric ciphers - besides OTP - come close to AES's usability, security, trust-ability?
Asked
Active
Viewed 383 times
2
-
5ChaCha20 is in TLS 1.3. – kelalaka Oct 22 '19 at 19:35
-
OTP's because they're regaining popularity with the spread of quantum key distribution networks. – Paul Uszak Oct 22 '19 at 20:23
-
7@PaulUszak: not according to the people I've talked to; when a QKD vendor touts message encryption, they always seem to use AES to perform the actual message encryption (because QKD bit rates are just too slow for OTP...) – poncho Oct 22 '19 at 22:00
-
There are many algorithms - SEED, CAST5, ChaCha20, just to name a few. All of this is available on Wikipedia. – Legorooj Oct 23 '19 at 02:37
-
Also Serpent, Twofish, Deoxys-II, Camellia – Richie Frame Oct 23 '19 at 05:06
-
AES is not the gold standard for symmetric encryption; it is more of a primitive building block in cryptography. It is not useful for applications to use directly, because it operates only on 128-bit blocks, and it does not provide a security goal that is needed by most applications (even to attain mere confidentiality), namely authenticated encryption. – Squeamish Ossifrage Oct 24 '19 at 02:04
1 Answers
2
ChaCha20
- Provides 128 or 256-bit key space.
- The best attack against 6 (128-bit) or 7 (256-bit) of 20 rounds
- Stream cipher requires 64-bit nonce and 64-bit position counter
- Used in TLS 1.3, OpenSSH, as well as BSD and Linux kernel RNGs
- Part of ESTREAM portfolio
Serpent
- Provides 128, 192, or 256 bit key space.
- Best attack against 11 or 12 of 32 rounds
- Block cipher with 128-bit block
- AES competition finalist
Twofish
- Provides 128, 192, or 256 bit key space.
- Best attack against 6 of 16 rounds
- Block cipher with 128-bit block and Feistel network design
- AES competition finalist
- Used in disk encryption software, OpenPGP standard, numerous applications
Deoxys-II
- It provides 128 or 256-bit keyspace.
- Authenticated encryption scheme with a 120-bit nonce, nonce misuse resistant
- Based on 16-round tweakable block cipher using AES round function
- Designed to provide better security than AES-GCM
- Part of CAESAR portfolio for use case 3 (maximum security)
Camellia
- Provides 128, 192, or 256-bit key space.
- Block cipher with 128-bit block and Feistel network design
- Patented but royalty-free
- Used in OpenSSL, optional in OpenPGP and numerous other standards
- Part of NESSIE and CRYPTREC portfolios
SEED
- Provides 128-bit key space.
- Best attack against 8 of 16 rounds
- Block cipher with 128-bit block and Feistel network design
- Used primarily in South Korea
CAST-256
- Provides 128 to 256 bit security in 32-bit increments
- Best attack against 28 of 48 rounds
- Block cipher with 128-bit block and Feistel network design
There is the generic multi-target attack on n-bit key ciphers that requires less than the $2^n$ cipher evaluations.
kelalaka
- 48,443
- 11
- 116
- 196
-
‘128-bit security or 256-bit security’ as used here is misleading, because the cost of a multi-target attack on a generic cipher with a 128-bit key is much less than about $2^{128}$ cipher evaluations. Consider just saying 128-bit key or 256-bit key instead? – Squeamish Ossifrage Oct 24 '19 at 01:57
-
Why this list ? Why exclude other CAESAR winners or SM4, which most used than any of the above, except probably chacha20 ? – Ruggero Oct 24 '19 at 13:03
-
-
"Stream cipher requires 64-bit nonce and 64-bit position counter" - there are like 3 different standard ways to use chacha20 (the one that you mentioned, rfc7539's 32-bit counter and 96-bit nonce, and xchacha with 192-bit nonce and 64-bit counter). "Provides 128 or 256-bit key space" - you can theoretically use from 0 up to 384 or 512-bit keys with chacha20, thing is however, only 256-bit keys are really supported in the wild. I would also mention that chacha20 is much faster than the rest when implemented in software. – Astolfo Oct 29 '19 at 15:36