Abbreviating the stream-cipher discussions
D. J. Bernstein
2005.06.14

ECRYPT's Call for Stream Cipher Primitives has produced an astonishingly
large pool of submissions: 41 stream ciphers from 97 people. With tongue
planted only partly in cheek, I propose the following abbreviations for
some common criticisms (X*) and responses (Y*) that we're likely to hear
repeatedly in the ensuing discussions.

XBig: ``This cipher does a huge amount of work per byte. It is too slow
for most applications.''

YBig: ``Speed is irrelevant for most applications. What we care about is
security.''

XKeySetup: ``This cipher takes a long time to load a key. It is too slow
for applications where the average amount of data per key is small.''

YKeySetup: ``Most applications send a huge amount of data per key. We
don't care about short-term keys.''

XNonceSetup: ``This cipher takes a long time to load a nonce. It is too
slow for applications where the average message length is short.''

YNonceSetup: ``Most applications send very long messages. We don't care
about short messages.''

XSBox: ``This cipher relies heavily on variable-index table lookups. It
is too slow for applications that need to resist timing attacks.''

YSBox: ``Most applications don't need to resist timing attacks. We're
taking advantage of memory as an extremely fast mixer.''

XMult: ``This cipher relies heavily on multiplications. It is too slow
for applications that use dedicated hardware.''

YMult: ``Dedicated hardware is a tiny part of the cryptographic market.
What we care about is software speed.''

XBits: ``This cipher relies heavily on bit twiddling. It is too slow for
software applications.''

YBits: ``Anyone who really cares about speed will use dedicated
hardware. We don't care about software speed.''

XFlimsy: ``This cipher is easily breakable, and here's how.''

YFlimsy: ``Whoops.''