You are viewing a single comment's thread from:

RE: Introduction to Cryptography I: Encryption (Pt. 3 - Salsa20 Stream Cipher)

in #steemstem7 years ago

Well, you might be quite figuratively comparing apples to oranges, but maybe not!

SHA256 is a hashing algorithm, and Salsa20 is a stream cipher. They are purpose-built for separate things. However, a stream cipher scheme could be constructed using SHA256; a quick Google search yielded this example.

So, what would the strengths and weaknesses of such a scheme be? Well, as one of the answers points out, only one keystream is generated by that algorithm. This is a weakness since it is actually really dangerous to re-use the same keystream to encrypt two different plaintexts.

This is easily remedied, though; just add a nonce. Instead of computing the keystream directly by hashing the shared secret, decide upon a random constant (doesn't matter what), concatenate it to the shared secret, and hash that to kick off your keystream. The nonce can be broadcasted in plaintext; it does not need to be private. After all of that is done, you should have a secure stream cipher.

So why use a purpose-built stream cipher like Salsa20 instead? Two reasons.

  • Speed. Without going into too much detail, Salsa20 is many times faster than the scheme suggested in that link. This, by the way, was the prime motivator for launching the contest that Salsa20 was created for (and ultimately won). The algorithm was required to be faster than generating a keystream from AES.
  • Standard. There is a widely-held principle in cryptography which can be written as: "Now that you know how it's done, never, ever do it." More specifically, it is extremely frowned upon to use novel encryption schemes for serious applications. Cryptography works best when a group of researchers comes up with an algorithm and the rest of the world tries to break it at the same time. The longer each scheme stands up to that abuse, the more satisfied you can be that it is safe. I can't find anything wrong with the SHA256-based scheme, but that doesn't mean I should use it. There is already an existing, standardised algorithm which has stood up to a lot of academic and practical cryptanalysis.

I think you got more of an answer than you were looking for, @procrastilearner, but I had fun writing it. Please don't hesitate to stick around for the rest of the series!

Also, nobody has done this post's activity yet; a 100% upvote awaits you if you do!

Sort:  

Wow. Great answer. Thanks.