On 01/15/2014 10:01 PM, Niels Möller wrote:
It might be a bit confusing if we have
chacha20_crypt (20 rounds)
chacha12_crypt (12 rounds)
chacha128_set_key (128 key bits)
chacha256_set_key (256 key bits)
I'd say to simplify to:
chacha_crypt (20 rounds)
chacha128_set_key (128 key bits)
chacha256_set_key (256 key bits)
_chacha_crypt (arbitrary number of rounds)
In any case, adding an algorithm which isn't used in any standard way is going to have the same issues (which options to add, how to name them, etc.), and some arbitrary choices will be made anyway. My prediction is that only the 20-round variant will be used extensively for encryption, and the arbitrary-round variant may be used in constructions like crypt() and so on.
Btw, why split chacha_set_key() into chacha128_set_key() and chacha256_set_key() when the context is exactly the same?
Even in AES, where there can be some minor space improvements, it is quite overkill to have 9 set_key functions instead of 3. In the end, memory is allocated in pages, and saving 8 bytes from aes192 to aes128 isn't going to make any difference. Are there applications where the benefits outweigh this additional complexity?
regards, Nikos
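The API shape discussed in this message (one context, one set_key that takes the key length, a 20-round public function over an arbitrary-round worker), as an added sketch that is not Nettle's code and not code from the thread. All `ex_` names are hypothetical, the nonce is fixed to zero for brevity, and every call except the last must pass a multiple of 64 bytes.

```c
#include <stdint.h>
#include <string.h>

struct ex_chacha_ctx { uint32_t state[16]; };  /* same layout for both key sizes */

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) \
  (a += b, d ^= a, d = ROTL32(d, 16), c += d, b ^= c, b = ROTL32(b, 12), \
   a += b, d ^= a, d = ROTL32(d, 8),  c += d, b ^= c, b = ROTL32(b, 7))

static uint32_t le32(const uint8_t *p)
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* One set_key for both sizes: only the constant and state words 8..11 differ.
   Returns 0 (context untouched) for any length other than 16 or 32 bytes. */
int ex_chacha_set_key(struct ex_chacha_ctx *ctx, size_t length, const uint8_t *key)
{
  const char *c = length == 32 ? "expand 32-byte k" : "expand 16-byte k";
  if (length != 16 && length != 32) return 0;
  for (int i = 0; i < 4; i++) {
    ctx->state[i] = le32((const uint8_t *)c + 4 * i);
    ctx->state[4 + i] = le32(key + 4 * i);
    ctx->state[8 + i] = le32(key + (length == 32 ? 16 : 0) + 4 * i);
    ctx->state[12 + i] = 0;   /* 64-bit block counter and 64-bit nonce: zero */
  }
  return 1;
}

/* Internal worker: arbitrary (even) round count; XORs keystream into src. */
void ex_chacha_crypt_rounds(struct ex_chacha_ctx *ctx, unsigned rounds,
                            size_t length, uint8_t *dst, const uint8_t *src)
{
  for (size_t done = 0; done < length; done += 64) {
    uint32_t x[16];
    memcpy(x, ctx->state, sizeof x);
    for (unsigned r = 0; r < rounds; r += 2) {
      QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);   /* columns */
      QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
      QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);  /* diagonals */
      QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (size_t i = 0; i < 64 && done + i < length; i++) {
      uint32_t w = x[i / 4] + ctx->state[i / 4];   /* feed-forward of the input */
      dst[done + i] = src[done + i] ^ (uint8_t)(w >> (8 * (i % 4)));
    }
    if (++ctx->state[12] == 0) ctx->state[13]++;   /* advance block counter */
  }
}

/* Public entry point: the 20-round variant only. */
void ex_chacha_crypt(struct ex_chacha_ctx *c, size_t n, uint8_t *dst, const uint8_t *src)
{ ex_chacha_crypt_rounds(c, 20, n, dst, src); }
```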