cgd(4) ciphers

[Taylor R Campbell <riastradh%NetBSD.org@localhost>]

The set of ciphers supported by cgd is showing its age.  It would be
nice if cgd supported a block cipher that

(a) has high public confidence,

(b) can be easily implemented without timing side channels;

(c) has 256-bit blocks, so we don't need to worry about birthday
bounds for 128-bit block ciphers on multi-terabyte disks; and

(d) is fast in software without hardware acceleration, because cgd
can't take advantage of AES-NI at the moment and not all the world is
a modern high-end x86 system.

All of the ciphers cgd supports -- Blowfish, 3DES, and AES -- fail
(b), (c), and (d), and Blowfish and 3DES fail (c) and (d) badly, being
very slow 64-bit block ciphers.

The best two candidates that come to mind are Serpent, which fails
only (c) and (d), and Threefish, which seems like a good candidate.
Both were designed to avoid using data-dependent branches and memory
references.  Both have been subjected to thorough scrutiny and were
finalists in NIST competitions.

Thoughts?


(Side notes:
- cgd still needs renovation for MP safety and hardware acceleration,
but that's a bigger task than adding one or two new ciphers.
- We could use Threefish tweaks instead of CBC mode, but that would
leak more information, so I'd rather not do that, or at most offer it
as a separate option.
- Another possibility would be to choose a hash function and a stream
cipher and use BEAR/LION/LIONESS, but those constructions require the
stream cipher to resist related-key attacks, and I don't know of any
modern high-confidence ones that are designed to do that.)