mananaysiempre 2 hours ago

What symmetric cryptography is there that would be reasonable on a small 8-bitter? This means

- As little code as possible;

- As little constant data as possible;

- Little to no shifts by amounts not divisible by 8, as there may not be a barrel shifter even for bytes;

- No shifts by variable amounts, including as a space-saving technique, for the same reason;

- No multiplies beyond 16×16 bits, and preferably none at all, as there may not be a multiplier.

Speck, mentioned in TFA, fits this very well. None of the things that came out of eSTREAM or the NIST lightweight cryptography competition even qualify, as far as I can tell, as the “lightweight” part is very keen on things that are easy in hardware but hard (slow, space-hungry, or both) in software. Gimli exists but is kind of chonky. So is Speck truly it? Is just noöne interested in the problem?

adrian_b an hour ago

ChaCha20 satisfies your conditions.

The only disadvantage of ChaCha20 vs. Speck is a bigger state, you need 128 bytes for it (64 bytes of state + 64 bytes for the intermediate computations), but that is not likely to be a problem, except in the smallest microcontrollers.

The bigger state of ChaCha20 is determined by higher security requirements. The advantage of ChaCha20 is that it is supported by standard protocols, e.g. TLS 1.3 and SSH.

The standard protocols mentioned above include ChaCha20 precisely for the case of communication with smaller or older CPUs, which do not have hardware AES support.
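An added example, not part of either post: the ChaCha quarter round written with byte-wide operations only, to show how its rotation amounts (16, 12, 8, 7) map onto the constraints listed in the question. Rotations by 16 and 8 are pure byte moves; 12 and 7 are not multiples of 8 and are done here as a byte move plus fixed single-bit rotates through carry. All function names are made up for this sketch, and the result is checked against the quarter-round test vector in RFC 8439, section 2.1.1.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint8_t w32[4];                 /* 32-bit word as little-endian bytes */

static void add32(w32 a, const w32 b) { /* a += b: four byte adds with carry */
    uint16_t c = 0;
    for (int i = 0; i < 4; i++) { c = (uint16_t)(c + a[i] + b[i]); a[i] = (uint8_t)c; c >>= 8; }
}
static void xor32(w32 a, const w32 b) { for (int i = 0; i < 4; i++) a[i] ^= b[i]; }

static void rotl_bytes(w32 a, int n) {  /* rotate left by 8*n bits: byte moves only */
    w32 t = { a[0], a[1], a[2], a[3] };
    for (int i = 0; i < 4; i++) a[(i + n) & 3] = t[i];
}
static void rotl1(w32 a) {              /* rotate left by 1 bit through carry */
    uint8_t carry = a[3] >> 7;
    for (int i = 0; i < 4; i++) { uint8_t out = a[i] >> 7; a[i] = (uint8_t)((a[i] << 1) | carry); carry = out; }
}
static void rotr1(w32 a) {              /* rotate right by 1 bit through carry */
    uint8_t carry = a[0] & 1;
    for (int i = 3; i >= 0; i--) { uint8_t out = a[i] & 1; a[i] = (uint8_t)((a[i] >> 1) | (carry << 7)); carry = out; }
}

/* ChaCha quarter round on byte arrays; comments give the rotation performed. */
void quarter_round8(w32 a, w32 b, w32 c, w32 d) {
    add32(a, b); xor32(d, a); rotl_bytes(d, 2);            /* <<< 16 */
    add32(c, d); xor32(b, c); rotl_bytes(b, 1);            /* <<< 12 = 8 + 4 x 1 */
    for (int k = 0; k < 4; k++) rotl1(b);
    add32(a, b); xor32(d, a); rotl_bytes(d, 1);            /* <<< 8 */
    add32(c, d); xor32(b, c); rotl_bytes(b, 1); rotr1(b);  /* <<< 7 = 8 - 1 */
}

/* Host-side helpers for the check only (these do use variable shifts). */
static void put32(w32 w, uint32_t v) { for (int i = 0; i < 4; i++) w[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get32(const w32 w) { return w[0] | (uint32_t)w[1] << 8 | (uint32_t)w[2] << 16 | (uint32_t)w[3] << 24; }

/* Runs the RFC 8439 section 2.1.1 vector; returns 1 when all four words match. */
int rfc8439_qr_ok(void) {
    w32 a, b, c, d;
    put32(a, 0x11111111); put32(b, 0x01020304); put32(c, 0x9b8d6f43); put32(d, 0x01234567);
    quarter_round8(a, b, c, d);
    return get32(a) == 0xea2a92f4 && get32(b) == 0xcb1cf8ce
        && get32(c) == 0x4581472e && get32(d) == 0x5881c4bb;
}

int main(void) { printf("quarter round %s\n", rfc8439_qr_ok() ? "ok" : "MISMATCH"); return 0; }
```

Every operation in `quarter_round8` has a fixed, data-independent sequence of byte adds, XORs, moves and single-bit rotates, so nothing in it branches or indexes on secret data.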