Abbreviating the stream-cipher discussions
D. J. Bernstein
2005.06.14

ECRYPT's Call for Stream Cipher Primitives has produced an astonishingly
large pool of submissions: 41 stream ciphers from 97 people. With tongue
planted only partly in cheek, I propose the following abbreviations for
some common criticisms (X*) and responses (Y*) that we're likely to hear
repeatedly in the ensuing discussions.

XBig: ``This cipher does a huge amount of work per byte. It is too slow
for most applications.''
YBig: ``Speed is irrelevant for most applications. What we care about is
security.''
XKeySetup: ``This cipher takes a long time to load a key. It is too slow
for applications where the average amount of data per key is small.''
YKeySetup: ``Most applications send a huge amount of data per key. We
don't care about short-term keys.''
XNonceSetup: ``This cipher takes a long time to load a nonce. It is too
slow for applications where the average message length is short.''
YNonceSetup: ``Most applications send very long messages. We don't care
about short messages.''
XSBox: ``This cipher relies heavily on variable-index table lookups. It
is too slow for applications that need to resist timing attacks.''
YSBox: ``Most applications don't need to resist timing attacks. We're
taking advantage of memory as an extremely fast mixer.''
XMult: ``This cipher relies heavily on multiplications. It is too slow
for applications that use dedicated hardware.''
YMult: ``Dedicated hardware is a tiny part of the cryptographic market.
What we care about is software speed.''
XBits: ``This cipher relies heavily on bit twiddling. It is too slow for
software applications.''
YBits: ``Anyone who really cares about speed will use dedicated
hardware. We don't care about software speed.''
XFlimsy: ``This cipher is easily breakable, and here's how.''
YFlimsy: ``Whoops.''