{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreibmf65xe6tgvb76piako7vu3ozhpyzrcyyucmajwnglofyhs2leb4",
"uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3mmj7sivdfsx2"
},
"path": "/t/recommending-an-encryption-software-by-paranoia-works/38091#post_2",
"publishedAt": "2026-05-23T08:55:07.000Z",
"site": "https://discuss.privacyguides.net",
"textContent": "JohnDose:\n\n> FYI, the software supports the following algorithms for file and text encryption: AES(256), RC6(256), Serpent(256), Twofish(256), GOST28147(256), Blowfish(448), Threefish(1024), SHACAL-2(512), and the Paranoia C4 (cascade of 4 algorithms).\n\nThe algorithm choice is not the job of the user. Any modern tool needs opinionated cryptography, i.e. the author shows their expertise and picks the most secure option.\n\nSerpent and Rijndael, i.e. AES, are both SP-network ciphers. While Serpent was slightly stronger than Rijndael on paper, the latter has seen MUCH more cryptanalysis over the past two decades. That’s why you’d want to trust AES instead.\n\nWhat matters more is how you deploy your AES, e.g. ECB is broken, and GCM is best practice.\n\nBut AES requires hardware acceleration / native instructions to protect from cache timing attacks. Serpent also has its own S-box, but no CPU can run it efficiently (if at all) in constant time.\n\nSo if the platform support includes devices without AES-NI, using ciphers that don’t require native instructions, like ChaCha20-Poly1305, makes much more sense.\n\nThreefish uses 512-bit keys, but unless you deploy pre-shared keys, the key exchange like ML-KEM1024 will set the security margin as the weakest link. It actually gets worse, more about that below.\n\nPlus we don’t really need a 256-bit security margin against Grover; AES-256 has more than 128 bits of security against Grover in practice (see Valsorda’s recent blog posts). Also, with its minimal cryptanalysis, it makes less sense to use Threefish even when I trust Schneier and his expertise. It’s unfortunately not up for him at this point.\n\nRC6, Twofish, Blowfish and SHACAL are also much more obscure and less reviewed.\n\nGOST is a Russian cipher, you don’t want to even offer it.\n\nThe cascading ciphers make no sense, as all ciphers will use a key that in the best case comes from your OS kernel CSPRNG. For Windows that’s AES, for Linux that’s ChaCha20.\n\nSince both are 256-bit algorithms, that will cap the security of bigger keys like Threefish, where you need to force the user to wait 301 seconds on Linux for the OS to reseed the CSPRNG, to generate the second half of the key from independent entropy.\n\nIf the cipher used in the random number generator has a vulnerability, that’s enough to break all four distinct ciphers. Even if the RNG is fine, and you use a different cipher from the CSPRNG, you now have a second point of failure that can fail independently.\n\nThis is why I prefer to minimize trust in primitives: the Linux RNG is ChaCha20 based, so I need to use and trust ChaCha anyway.\n\nSo I use XChaCha20-Poly1305 as the cipher, a ChaCha-based hash function (BLAKE2b) and a BLAKE2-based PHF (Argon2id).\n\nThese are considered high-end primitives, and due to their popularity they receive the majority of the attention.\n\nAlso, Poly1305 is a Wegman-Carter MAC, so it’s probably secure if ChaCha20 is secure, which is much better than AES-GCM’s GMAC, which has a paper about its fragility, which means trouble when implementing.\n\nDon’t get me wrong, I’ve also been where you stand, unable to decide, implementing cascading encryption and robust combiners for hash functions, but none of that is needed.\n\nYour main problem will be key management, correctness of implementation, and software security in general.\n\nCipher choice is best left as “boring but best practice” because they already provide an abstraction to the “super duper extra ultra high security”; it’s just not called that by reserved academics who prefer to use the term “computationally secure”.\n\nAlso, like Snowden said, the NSA won’t break ciphertexts. They will hack your computer and bypass the encryption.",
"title": "Recommending an encryption software by Paranoia Works"
}