Chacha Cipher - Computerphile

Рет қаралды 171,648

3 жыл бұрын

The only viable alternative to AES? Dr Mike Pound unravels the clever ChaCha cipher.
/ computerphile
/ computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com

Пікірлер: 294

@U014B 3 жыл бұрын

While not the fastest or most robust cipher, many computer scientists confidently assert the ChaCha as being real smooth.

@franatrturcech8484 3 жыл бұрын

See whatcha did there

@mayabartolabac 3 жыл бұрын

that's a real smooth joke

@techieadam5031 3 жыл бұрын

If AES was broken that would be a turnaround

@korpos8833 3 жыл бұрын

hahahahhaa, how Dr. Mike explains things is just amazing!. I can barely hold my cup of tea while enjoying his lectures.

@microcolonel 3 жыл бұрын

To completely miss the point though, ChaCha's standard round count (20) makes its security margin significantly more than AES. To have a similar margin, eight rounds of ChaCha should be sufficient.

@TrojanHell 3 жыл бұрын

Mike: KSG is not a real thing My brain: "Kerbal Space Grogram"

@_..--- 3 жыл бұрын

"someone incredibly smart like me", lmao humble Mike

@ethansimmons82 3 жыл бұрын

but is he wrong...

@RedwoodRhiadra 3 жыл бұрын

@@ethansimmons82 I'm now half-expecting the next issue of the Journal of Cryptology to publish a new paper by Mike...

@digitalairaire 3 жыл бұрын

1:43

@khronos142 3 жыл бұрын

now we all waiting for that paper drop. you know Mike just bought hella cha cha stocks too

@keyboard_toucher 3 жыл бұрын

Let's put aside the ludicrousness of that

@philipschloesser 3 жыл бұрын

In my cryptology lecture, there were two lectures given by a guest lecturer, he was introduced by name, but nothing more. He talked a bit about the history and the ideas behind modern symmetric cryptography (we had been doing RSA and prime stuff before that). He mentioned ChaCha20 and Poly-1305, but mostly talked about DES and AES... Until: "Oh, and maybe I should mention that I am actually the designer of ChaCha20 and Poly-1305." Name of the guest lecturer? Daniel J Bernstein.

@stevefan8283 3 жыл бұрын

Lucky you, he also designed Curve25519 which is an alternative to RSA and is quickly accelerated in adopting for the likes of its smaller key sizes (128-bit curve25519 = 2048-bit RSA)

@sundhaug92 3 жыл бұрын

Too bad he's an asshole

@alalize 3 жыл бұрын

@@sundhaug92 Could you expand on that ?

@Spongezipper 3 жыл бұрын

I guess we were in the same lecture then. It was after the lecture that I looked him up and discovered that he was quite influential indeed.

@y8fpe 3 жыл бұрын

@@sundhaug92 no that's you mate

@oafkad 3 жыл бұрын

Wait? He has legs? I just assumed he was a torso attached to a server simulating humanity.

@stefanhermansen8975 3 жыл бұрын

They clearly added more computing power.

@juanjocg1870 3 жыл бұрын

There's Mike on the background. *me:* click

@kigtod 3 жыл бұрын

I can think of another 16 character constant string that might have been appropriate: ‘DanielJBernstein’. If artists can sign beautiful creations, why not mathematicians?

@spinner4148 3 жыл бұрын

When I saw it was a 16 character string I thought it was going to be "chacharealsmooth" and that's how it got its name. Slightly disappointed!

@scheimong 3 жыл бұрын

There will probably be people talking trash and complaining about something something egotistical something [insert your profanity of choice]. So I respect his choice. But on the other hand, maybe he could learn a thing or two from Linus Torvalds on dealing with morality disagreements...

@heh2393 3 жыл бұрын

@@scheimong "Nvidia, ... F*@€ you!"

@risv 3 жыл бұрын

Oh boy, it's Dr. Pound back again!

@joonasfi 3 жыл бұрын

Aww yiss, take me to Pound town

@spicybaguette7706 3 жыл бұрын

Always my favourite videos

@BerkDDemir 3 жыл бұрын

So good. Tiny nit: in the animations XOR is denoted with circled times ⊗ but the operator for XOR is circled plus ⊕.

@0LoneTech 3 жыл бұрын

Depending on your logic family, you may still have to do extra work to make this constant time or power. Mainly because carry chains will take different time to complete depending on values. But for a typical synchronous processor with constant clock rate, it's constant time.

@georgebizos944 3 жыл бұрын

"Let's not have me dance on the internet; people don't need to see that" I disagree; people definitely need to see that.

@olusegun4388 3 жыл бұрын

Exactly! We would love to see it!

@marioh9926 3 жыл бұрын

Very illustrative, thanks again. Mike, could you do a video talking about SHA-3 or the Keccak construction? It would be very helpful.

@stromboli183 3 жыл бұрын

Yes I’d love to see this as well 👍

@TechyBen 3 жыл бұрын

I can see Mike secretly hopes AES is broken/superseded, so he can tell everyone to go "do the Chacha" for his job. XD

@No0utlet 3 жыл бұрын

Maybe it's cause I was watching at 2x speed, but as a parent I felt about 95% confident that Dr. Pound has to pee.

@AlexanderMichelson 3 жыл бұрын

Thank you, Dr Mike Pound!

@Brainstorm4300 3 жыл бұрын

I looked into chacha last semester for a project, ended up not using it but I'm happy our fav prof made a video on it! 😊

@Brainstorm4300 3 жыл бұрын

I have a question, on the receiver's side, since there's no guarantee that they'll receive the blocks in order, how does it determine the block number for decryption?

@andrewanyplace 3 жыл бұрын

@@Brainstorm4300 The transport layer protocol such as Transmission Control Protocol (TCP) would deal with putting the message in order before the decryption is performed.

@Brainstorm4300 3 жыл бұрын

@@andrewanyplace Ah of course! Thank you!

@andydalytube 3 жыл бұрын

Man, 'nonce' is a really unfortunate term to use for 'number used once' 😶🔫

@devildown55 3 жыл бұрын

thats exactly what i thought haha

@faielgila7375 3 жыл бұрын

Should be nuonce... oh wait

@nuthinnew3881 3 жыл бұрын

I've got a non techie friend who is really sensitive to stuff like that, when I told him he was disgusted 🙃

@LoganKearsley 3 жыл бұрын

@@nuthinnew3881 Wait, explain: what offensive thing do I not know about?

@WilcovanBeijnum 3 жыл бұрын

@@LoganKearsley According to the urban dictionary it's slang for paeophile. I did not know about this meaning of nonce either

@LightFykki 3 жыл бұрын

Great video! Was just wondering about this cipher recently and why I was seeing it often in the product description for a few embedded security modules.

@erichobbs4042 3 жыл бұрын

The ludicrousness of that... Mike so has that paper ready to publish.

@447flamethrower 3 жыл бұрын

Yes he's my favorite prof!

@victornoagbodji 3 жыл бұрын

😊 😊 🙏 thanks for sharing these videos. this series is such a delight!

@Tospaa 3 жыл бұрын

Thank you Dr Mike Pound, love your videos!

@mgancarzjr 3 жыл бұрын

Just read about it yesterday while researching AES. Neat.

@Nyawful 3 жыл бұрын

Awesome one again! Please add a playlist with only Mike videos!

@squishmastah4682 3 жыл бұрын

@3:48 ...and this concludes Mike's arm exercises for the year... 😂

@mgostIH 3 жыл бұрын

Ohh finally! This one is my favourite, far simpler than AES but even faster (without hardware acceleration), if you are implementing any symmetric cipher (or crypto RNG) yourself go for this!

@oscarsmith3942 3 жыл бұрын

Counter point: If you are implementing a symmetric cypher yourself, don't.

@mgostIH 3 жыл бұрын

@@oscarsmith3942 ChaCha is far simpler and without risks of side attacks compared to AES, it can already do wonders as a crypto quality RNG with just 8 rounds! I'm more in favour of cryptography that's simpler and harder to screw up rather than forbidding everyone from ever getting into the field, practice is important and not every project has dire consequences if gotten wrong

@filipo4114 3 жыл бұрын

Brady, a youtuber: "It's Instagram format" Smart person not knowing what's he talking about: "yeah, yeah, yeah" 10:20

@largenewbragle8138 3 жыл бұрын

A Die Hard reference. Noice, smort!

@MegaRad666 3 жыл бұрын

I think if I ever go back to school, I would love to study cryptography. Great explanation Dr. Pound!

@indiansoftwareengineer4899 3 жыл бұрын

Thanks for bringing smiles to videos, and sir you are really "SMART", Love from India.... Thanks for free sharing knowledge...

@Produkt_R 3 жыл бұрын

No Mike, we would like to see you dance.

@DJDavid98 3 жыл бұрын

This sounds like a threat lol

@bertblankenstein3738 3 жыл бұрын

"Dance" we said.

@lawrencedoliveiro9104 3 жыл бұрын

3:51 When I were a stoont, we had blackboards which were wraparound flexible sheets on rollers. So you just pulled on them to roll on to a new section. Eventually you wrapped round again to the part you previously wrote on, of course, so you had to erase it anyway, but in the meantime it could be left visible as reference.

@RedstoneNinja99 3 жыл бұрын

Have you seen the peer to peer software Briar? Looks pretty cool for digital privacy especially journalists in the field because it supports communication over bluetooth and wifi, its all end to end encrypted and when connected to internet everything is routed through tor. I would really love to see Mike do a video on that to signal boost it hopefully to people that really need it!

@av2678 Жыл бұрын

Wow this cipher is real smooth

@korpos8833 3 жыл бұрын

The man, the legend ...

@suncrafterspielt9479 3 жыл бұрын

He is back

@tamrix 2 жыл бұрын

"and it has a cool name" I'm sold.

@makatron 3 жыл бұрын

Pound for pound, great explanation

@shahriyarnasim3757 3 жыл бұрын

Welcome back Legend.😘

@dawnstudios7813 3 жыл бұрын

"Chacha" in Hindi means "dad's younger brother" ("dad's elder brother" is a different word). So when I first read the title, I thought about my uncle.

@qm3ster 2 жыл бұрын

> *complains the board is vertical aspect* > *runs out of hight*

@AminBashiri28 Ай бұрын

Amazing content!!!

@Jahus 3 жыл бұрын

Please, do a video to explain BIP-32 deterministic key derivation process. Would be amazing!

@Rob9 3 жыл бұрын

Loved the editing in this. Made me laugh

@shivam.kumar.the.boy. 3 жыл бұрын

Welcome back Mike 😌

@williamlingenfelter4989 3 жыл бұрын

Woo hoo going to Pound Town!!

@chexo3 3 жыл бұрын

This seems like it’d be very easy to implement in digital logic, which might be the point.

@neumdeneuer1890 3 жыл бұрын

Nice explanation. Suggestion: a video about the general pros and cons of stream and block ciphers.

@jkmicha 2 жыл бұрын

Nowadays, people mostly use block ciphers in CTR (or GCM) mode, which is basically the same as stream ciphers. So there's no big difference anymore.

@JustAnotherAlchemist 6 ай бұрын

I have RFC 8439 compliant Chacha20 written in hand tuned PIC assembler. When run on a 64Mhz (16M C/s) PIC18 it hits the mid to high hundreds of KB/s throughput, almost 1MB/s. So I concur, it's very lightweight.

@hassansyed5661 11 күн бұрын

Every cipher which is using look up tables for example AES (Rijndael) are suspectable to side channel timing attacks because they take variable time when doing look up however this is not the case with Chacha 20 because it takes constant time for XOR, Addition and Rotate

@moxi299 3 жыл бұрын

Could you make a video about "ecs" or "Entity component Systems"? I wonder what the benefits of ecs are in compare to standard computing. I heard ecs is using a data oriented Architecture instead of an object oriented.

@hcblue 2 жыл бұрын

don't be a coward. we ABSOLUTELY need a video of Dr Pound dancing on the internet. :D

@RealAnonymousse 3 жыл бұрын

Imagine having Mike as your university teacher!

@elsharkio 3 жыл бұрын

I like this Pound guy

@manfriedschmidt5953 3 жыл бұрын

Man like Mike!

@holthuizenoemoet591 3 жыл бұрын

Cool, so how does the skipping of blocks work? because with a stream cipher you normally initialize "ksg" once right?

@xyz2112zyx 3 жыл бұрын

I have a background in Computer Science, but "oh, man", those operation diagrams are difficult to follow when programming. But, anyway, we wait for another episode of Dr. Mike and his outstanding topics about number and computing. Thanks, Computerphile and Dr. Mike!

@franatrturcech8484 3 жыл бұрын

Thank you! Gonna jump in to the editor and try to program this in JavaScript or Python idk

@dembro27 2 жыл бұрын

Fitting the process on one whiteboard is a real cha-cha-challenge.

@ranierialthoff7372 3 жыл бұрын

I'll be here the entire day waiting for that paper

@johnchessant3012 3 жыл бұрын

Yes it's Mike!!

@thealliedhacker 3 жыл бұрын

Most of this seems like it's just describing the process for converting any hash function into a stream cipher. The question becomes why use this as the hash function over something like SHA-256. This seems like it needs to be just as secure as any hash algorithm, because I assume one of the attacks we're protecting against is a known-plaintext block giving await the key for the rest of the stream, which would be possible if you reversed the hash... I assume this is faster than SHA-256, but speed can be a bad thing for hash algorithms, since it makes brute force reversal easier.

@espadrine 3 жыл бұрын

A few misconceptions: 1. A hash function has multiple meanings. In a hash table, for instance, all you expect is diffusion. The construct you expect for a *cryptographic* hash function is called a collision-resistant compression function. In the case of ChaCha, you don’t need that, because you don’t care about compression nor about collision resistance. Just diffusion. 2. Cryptographic hashes do try to be as fast as possible (while offering collision resistance). But their properties are only useful when the input is random. Thus hashes cannot be used for low-entropy inputs (less than 1 bit of entropy per bit), such as passwords. For those, we need to purposefully slow down a brute-force attack, by using a specific KDF such as Argon2.

@jeeukko 3 жыл бұрын

Real smooth

@GeorgeBratley 3 жыл бұрын

Featuring Dr Mike Pound and the last whiteboard marker in Nottingham

@Furiends 3 жыл бұрын

Besides "its shuffled around" its really obvious why this actually works. To understand cryptography first is to understand the importance of XOR. If you combine two bits you cant bias either without revealing information and the opposite of XOR is the same as the input. Put another way XOR given a random key and non-random plaintext givens the same distribution as the random key. You cant glean any information without the key. So with just XOR and a random key that is intractable (the key cant be easily brute forced.) You have a robust cipher. The problem is sharing random data is hard. The key needs to be predictable to trusted parties and appear completely random to everyone else.

@CaiodeAlmeida 3 жыл бұрын

Read Captcha on the title, came in and ended up staying haha

@RustyTube 3 жыл бұрын

Yes, but Cha-Cha almost brought the Umbrella Academy to its knees.

@nmstoker 3 жыл бұрын

Thanks for the video Mike. One point: is there anything to know regarding deciphering it? You talked a lot about how it enciphers but didn't seem to get to turning ciphertext back into plaintext

@franatrturcech8484 3 жыл бұрын

to get the plaintext you generate the keystream again and xor it with the encrypted data. (3:34)

@Seibertnr90 2 жыл бұрын

@@franatrturcech8484 The receiver needs to know the key anyways, but how does it get the nonce?

@softwarelivre2389 2 жыл бұрын

@@franatrturcech8484 Only if you use something like CTR or GCM modes

@franatrturcech8484 2 жыл бұрын

@@softwarelivre2389 These modes have nothing to do with the chacha cipher, they might be used with block ciphers like AES.

@softwarelivre2389 2 жыл бұрын

@@franatrturcech8484 I assumed the OP was talking about symmetric encryption in general, and not only about ChaCha. But you are correct.

@user-iu1xg6jv6e 3 жыл бұрын

13:27 Is there some kind of filter?

@honpaul2203 3 жыл бұрын

this is an awesome video and an awesome comment for the algorithm.

@INT41O 3 жыл бұрын

The main advantage over salsa20 is, that it runs very efficiently using SSE (2 of the bit rotates can be replaced by byte shuffles, since multiples of 8 are used): void round(m128i &a, m128i &b, m128i &c, m128i &d) { m128i R8 = {3, 0, 1, 2, 7, 4, 5, 6, 11, 8, 9, 10, 15, 12, 13, 14}; m128i R16 = {2, 3, 0, 1, 6, 7, 4, 5, 10, 11, 8, 9, 14, 15, 12, 13}; m128i e; a = paddd(a, b); d = pxor(d, a); d = pshufb(d, R16); // rol 16 c = paddd(c, d); b = pxor(b, c); e = pslld(b); // rol 12 b = psrld(b); // rol 12 b = por(b, e); // rol 12 a = paddd(a, b); d = pxor(d, a); d = pshufb(d, R8); // rol 8 c = paddd(c, d); b = pxor(b, c); e = pslld(b); // rol 7 b = psrld(b); // rol 7 b = por(b, e); // rol 7 }

@locbuinhien1360 3 жыл бұрын

Will you talk also SVD (singular value decomposition)?

@yon2004 2 жыл бұрын

Can we get a video about how a nonce works? Like do you need to keep a list of all previous numbers used so you don't use it again?

@Mr.Beauregarde 3 жыл бұрын

Close up of face check, But where will we find an arrow? Brady, rhymes with brilliancy

@CubicSpline7713 3 жыл бұрын

Smarter than the average bear!

@figloalds 2 жыл бұрын

I made a system similar to this one but with a 256-long byte array and using each value as a pointer to an index in the array, so that changing the data changes where in the data will be changed next

@djdamagedome 3 жыл бұрын

7:12 Yeah... Nakatomi Plaza...

@derbyspcollie 3 жыл бұрын

Welcome back to the best presenter by far. Please go back to the printer paper - the whiteboard is useless for viewers.

@paulw987 3 жыл бұрын

Especially with the anemic marker!

@wassollderscheiss33 3 жыл бұрын

Well, I like your Dr. Mike, of course! But you can watch this thing only for entertainment, if you don't go and put it to use afterwards. I know because while watching I remember having watched the bit on AES when it came out and although I completely understood it that time, I don't remember anything of it now. (disclaimer: I own the Schneier book for more then 20 years now)

@stromboli183 3 жыл бұрын

What’s the reason for using the 4 constant blocks, and using 2 blocks for both the index (stream position) and nonce? Why not just use 4 blocks for the index and nonce each? Considering the 20 rounds of shuffling, it shouldn’t matter that most of the index (position) bits will initially be zero in most cases?

@kice 3 жыл бұрын

I am little bit confused about how NONCE works and how to use them in AES or ChaCha in this case. Right now, I used the key as a seed for RNG, thus I could get same output for both side. Or should I set this "seed for NONCE" up during key-exchange process?

@franatrturcech8484 3 жыл бұрын

The nonce is not a secret (unlike the 256bit key), just a source of randomness in the process, so that you can use the same 256bit key for more messages. so you randomly generate a nonce, use it during encryption, and send it along with the encrypted data.

@softwarelivre2389 2 жыл бұрын

@@franatrturcech8484 the way CTR and GCM modes work seems a bit weird to me. You should be able to reuse the IVs if your message is different if you encrypt the message too, but they only encrypt the iv+counter and then XOR the message, which is a problem.

@FalcoGer 3 жыл бұрын

Most processors, even RISC processors have AES instructions, making it very, very fast to execute. It's easy to implement in hardware. Anything else will have a very high computing overhead. AES is literally 16 cpu instructions after loading the key and message into the registers.

@eLBehmo 3 жыл бұрын

Where do we save the nonce?? It is part of the key input. So we have to know it if we want to decrypt an encrypted stream! Is it saved with the output stream?

@franatrturcech8484 3 жыл бұрын

i think you would just send it along with the encrypted data, as nonce is generally not a secret (unlike the key).

@matshoemolsen4868 3 жыл бұрын

A video about Dr Mike Pound dancing.... I'll watch that.

@AndersonSilva-dg4mg 3 жыл бұрын

Thank you!

@Ziferten 3 жыл бұрын

I FINALLY KNOW WHAT NONCE MEANS!

@superscatboy 3 жыл бұрын

Besides the other, less savoury meaning...

@chexo3 3 жыл бұрын

It seems to me like this would be very easy to implement in digital logic.

@saeeddessouky1680 3 жыл бұрын

hey. I know it's out of scope but why do not get someone professional to talk about TDD (testing technique), and advanced topics in embedded systems because I really love your channel. thanks in advance

@albertrenshaw4252 3 жыл бұрын

1:36 - why does this sound like he actually did break AES and is about to release the paper and this isn't hypothetical.... ☹️

@maxmustsleep 3 жыл бұрын

I mean quantum computers are simply ripping through our current encryption algorithms so it's not hard to believe it will be cracked at some point in the future

@olusegun4388 3 жыл бұрын

I definitely got that feeling too. I guess we'll wait and see.

@phillips2400 3 жыл бұрын

Since you mentioned the paper: do you actually use this paper for printing or is it left over stock from 30 years ago? Cause it looks like the paper I used on my needle printer in the 90‘s :-)

@RahulAhire 3 жыл бұрын

There's also coloured paper available in markets. It's a wood colour dye coated on it