The attached patch renames the salsa20r12_crypt function to estream_salsa20_crypt(), and adds it to the benchmarks.
What is missing is an equivalent of x86_64/salsa20-crypt.asm for the estream variant.
regards, Nikos
Nikos Mavrogiannopoulos <nmav@gnutls.org> writes:
> The attached patch renames the salsa20r12_crypt function to estream_salsa20_crypt(),
Why? Is "estream" clearer than "r12"? Do you expect more functions with the estream prefix? I'm not sure I like it as a prefix (I mean, we don't call it "nist_aes", just "aes").
If we think "estream variant of salsa20" is somehow clearer than "12-round variant of salsa", then I think "estream" should be a suffix rather than a prefix.
> What is missing is an equivalent of x86_64/salsa20-crypt.asm for the estream variant.
One could add a round argument (and rename it _salsa20_crypt, with wrappers for useful variants).
Regards, /Niels
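The round-argument idea suggested in the message above, as an added example that is not part of the thread or of Nettle's code: one Salsa20 block function parameterized by round count, with thin wrappers for the 20-round and 12-round variants. All function names are hypothetical, and only the core block function is shown, not the full crypt routine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rotl32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }

/* Salsa20 quarterround on four state words, updated in place. */
static void quarterround(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
  *b ^= rotl32(*a + *d, 7);
  *c ^= rotl32(*b + *a, 9);
  *d ^= rotl32(*c + *b, 13);
  *a ^= rotl32(*d + *c, 18);
}

/* Hypothetical shared core. Returns 0 on success, -1 if rounds is zero or odd. */
static int example_salsa20_core_rounds(uint32_t out[16], const uint32_t in[16], unsigned rounds)
{
  uint32_t x[16];
  unsigned i;
  if (rounds == 0 || rounds % 2 != 0)
    return -1;
  memcpy(x, in, sizeof x);
  for (i = 0; i < rounds; i += 2) {   /* one double round per iteration */
    quarterround(&x[0], &x[4], &x[8], &x[12]);    /* column round */
    quarterround(&x[5], &x[9], &x[13], &x[1]);
    quarterround(&x[10], &x[14], &x[2], &x[6]);
    quarterround(&x[15], &x[3], &x[7], &x[11]);
    quarterround(&x[0], &x[1], &x[2], &x[3]);     /* row round */
    quarterround(&x[5], &x[6], &x[7], &x[4]);
    quarterround(&x[10], &x[11], &x[8], &x[9]);
    quarterround(&x[15], &x[12], &x[13], &x[14]);
  }
  for (i = 0; i < 16; i++)            /* feed-forward of the input block */
    out[i] = x[i] + in[i];
  return 0;
}

/* Wrappers for the two variants discussed in the thread (names are assumptions). */
static int example_salsa20_core(uint32_t out[16], const uint32_t in[16])
{ return example_salsa20_core_rounds(out, in, 20); }
static int example_salsa20r12_core(uint32_t out[16], const uint32_t in[16])
{ return example_salsa20_core_rounds(out, in, 12); }

int main(void)
{
  uint32_t in[16] = {1}, o20[16], o12[16];   /* constructed sample input */
  example_salsa20_core(o20, in);
  example_salsa20r12_core(o12, in);
  printf("20 rounds: %08x  12 rounds: %08x\n", (unsigned)o20[0], (unsigned)o12[0]);
  return 0;
}
```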
On 04/13/2013 02:42 PM, Niels Möller wrote:
> Why? Is "estream" clearer than "r12"? Do you expect more functions with the estream prefix? I'm not sure I like it as a prefix (I mean, we don't call it "nist_aes", just "aes").
Do you think that using salsa20r12 is better? I thought that associating a name (estream) is more memorable than just the number of rounds. And if you use the number of rounds as a distinguisher then the question arises: why 12 and not 8 or 16? So at some point you'll have to clarify that r12 is actually the estream salsa20.
Estream doesn't really compare with AES because estream selected 5 ciphers as winners instead of one so it cannot be given simply the estream name (estream was the stream cipher competition, ecrypt was the organizer).
That's why I prefer the name estream-salsa20 (and also because we used the same name in the proposal for Salsa20 http://tools.ietf.org/html/draft-josefsson-salsa20-tls-02 )
regards, Nikos
Nikos Mavrogiannopoulos <nmav@gnutls.org> writes:
> Do you think that using salsa20r12 is better?
Yes.
> Estream doesn't really compare with AES because estream selected 5 ciphers as winners instead of one so it cannot be given simply the estream name (estream was the stream cipher competition, ecrypt was the organizer).
The authoritative reference on estream ciphers seems to be http://www.ecrypt.eu.org/stream/finallist.html.
I note that it uses the name "Salsa20/12", and that the original "final" list includes "Salsa20", which I think means the original 20-round variant. And from reading http://www.ecrypt.eu.org/stream/portfolio_revision1.pdf, it seems possible that a future revision of the list might tweak the recommended number of rounds again.
we view the portfolio as being a snap-shot of a fast-moving field. All the designs in the eSTREAM portfolio are relatively immature and it is possible that more analysis will change the picture dramatically. With this in mind, we intend to maintain the eSTREAM web-pages for the foreseeable future and to update the portfolio as circumstances dictate.
So the list is volatile, which makes the "estream" name unsuitable for algorithm identifiers.
> That's why I prefer the name estream-salsa20 (and also because we used the same name in the proposal for Salsa20 http://tools.ietf.org/html/draft-josefsson-salsa20-tls-02 )
I'd recommend making the substitution "ESTREAM_SALSA20" -> "SALSA20R12" there too.
Regards, /Niels
On Wed, Apr 17, 2013 at 1:51 PM, Niels Möller <nisse@lysator.liu.se> wrote:
> The authoritative reference on estream ciphers seems to be http://www.ecrypt.eu.org/stream/finallist.html.
The latest report is from 2012 at: http://www.ecrypt.eu.org/documents/D.SYM.10-v1.pdf
It still lists the Salsa20/12 in the cipher list.
> I'd recommend making the substitution "ESTREAM_SALSA20" -> "SALSA20R12" there too.
I don't find the SALSA20R12 a reasonable name, it contains far too many numbers that may mean something to me and you but mean nothing to anyone else (and thus cannot be memorized). Estream-salsa20 is far more simple, and as I previously mentioned it automatically justifies the reason and need for the variant. It is the variant chosen by the estream project when it finished in Sept. 2008. Yes they said they may update the list, as sha1 was replaced by sha2 and later sha3. However, sha1 is still called sha1 :)
regards, Nikos
nettle-bugs@lists.lysator.liu.se