Questions tagged [chacha]

ChaCha is a family of stream ciphers proposed by Daniel J. Bernstein, as an evolution of Salsa20 with (conjecturally) improved resistance to cryptanalysis.

ChaCha, like Salsa20, is a family of stream ciphers, with the stream generator a hash function in counter mode. It uses 32-bit Addition, Rotation, and XOR (ARX), making it fast, constant-time (thus immune to timing attacks), and lean on memory (thus cache-friendly when the key changes often), on virtually any 32-bit (or wider) CPU.

ChaCha differs from Salsa20 by making twice as many updates to its state during its core function, and a few other changes, leading to faster diffusion. Also, the mapping of constants and counter in the input of the core function is revised.

ChaCha8, ChaCha12 and ChaCha20 are the variants intended to replace Salsa20/8, Salsa20/12 and Salsa20/20, respectively. As seen, the naming scheme has also been changed.

163 questions
59 votes, 5 answers

What's the appeal of using ChaCha20 instead of AES?

I read about ChaCha20 being used in TLS by Google, SSH, and towards standardization in general. What's the appeal of using something other than AES, what with AES receiving dedicated CPU instructions on various architectures to make it so efficient?
JDługosz (693)

22 votes, 2 answers

Why should one prefer Salsa20 over ChaCha?

We are all aware of Google's approach to introduce ChaCha/Poly1305 as TLS cipher suite. The rationale seems clear: ChaCha is newer and seems to provide better security (and maybe speed?) gained from the experiences of the design of Salsa20. But in…
SEJPM (45,265)

20 votes, 3 answers

Collision or second preimage for the ChaCha core?

Daniel J. Bernstein's ChaCha core is an evolution of the Salsa20 core. Both are functions over the set of 512-bit bitstrings, partitioned as sixteen 32-bit words. Can we exhibit collisions, or second-preimages (which implies the former), for the…
fgrieu (131,696)

17 votes, 2 answers

Where did ChaCha20 and Salsa20 stream ciphers get their names from?

This is not a question targeted at a specific crypto implementation, but a question out of curiosity. What's the reason for calling the stream ciphers ChaCha/Salsa? I couldn't find any information about this on the Internet. Are those names somehow…
Vivekanand V (968)

15 votes, 3 answers

Why is the core ChaCha primitive not good for use in a CRCF? Why create BLAKE?

Why is the core ChaCha primitive not good for use in a collision-resistant compression function (crypto hash)? Why go through the trouble to create BLAKE? What's wrong with using the core ChaCha primitive unaltered in a Merkle–Damgård like…
Charlie (335)

10 votes, 2 answers

Nonce encryption with Poly1305-Chacha20

I have seen that a couple of companies (like Google, Apple HomeKit) are adding "ChaCha20-Poly1305" as an encryption option. Poly1305 requires an algorithm to encrypt the nonce. The Poly1305-AES specification uses the AES algorithm to encrypt the nonce,…
rose (267)

10 votes, 1 answer

Why is the whole initial state used in the final addition of Salsa20 and ChaCha?

Both Salsa20 and ChaCha basically work like this: Put the key, the nonce, the sequence number and a constant into a 4x4 matrix of 32-bit words. Transform the matrix invertibly with a number of ARX rounds. Add the initial matrix into the current…
otus (31,744)

10 votes, 1 answer

Can I use the ChaCha core as a 256-bit to 256-bit one-way function?

I'm looking to implement Lamport signatures as a little fun project, and I need a fast one way function that maps $\{0,1\}^{256} \rightarrow \{0,1\}^{256}$. I was wondering whether I could safely use the ChaCha core for that, by setting the input as…
orlp (4,130)

9 votes, 0 answers

Why is BLAKE2 faster than chacha20?

Chacha20 is essentially a hash function that maps 512-bit strings to other 512-bit strings which are in turn xored with the plaintext to create the ciphertext. Of the 512-bit input 128-bit are used for the "expand 32-byte k" constant, 256-bit are…
Astolfo (149)

9 votes, 1 answer

Can reduced-round ChaCha be used as non-cryptographic fast PRNG to produce output indistinguishable from random data?

The fastest known attack against the Salsa20 family of stream ciphers requires 2^137 simple operations against Salsa20/7, or 2^244 against Salsa20/8. The 8-round version encrypts data at 1.88 cycles-per-byte on a Core2Duo, which is already extremely…
forest (14,683)

9 votes, 2 answers

Where are the ChaCha20 test vectors/examples?

I see in the Salsa20 specification there are test examples throughout the document to help an implementer make sure every function works as designed. Consequently the whole algorithm would work perfectly if all the tests pass. Without these test…
Motox (146)

8 votes, 1 answer

Understanding the impact of partitioning oracle attacks on stream ciphers

Yesterday I came across some conversation discussing partitioning oracle attacks, against authenticated stream ciphers like ChaCha20 and Salsa20 with poly1305 for MAC. As I understand it (though the paper is a little dense), the exploit…
Woodstock (1,304)

8 votes, 3 answers

What should the nonce value be for client-side encryption?

I am using the following chacha20poly1305 Rust library to encrypt some data in a desktop application. The user provides the key, which never leaves their device, to locally encrypt some data, and then the encrypted data is sent to a server for…

8 votes, 2 answers

Does ChaCha20/Salsa have the same bit strength as AES for identical key sizes?

Does ChaCha20/Salsa have the same bit strength as AES for identical key sizes? In other words, does ChaCha20 with a 128-bit key theoretically require 2^128 attempts to brute force, as with AES-128? PS: Notwithstanding that ChaCha is a stream cipher.
Woodstock (1,304)

8 votes, 1 answer

Is ChaCha20 safer than AES with respect to side-channel attacks?

I've already seen some topics on this matter, but I feel like my question hasn't really been answered. Given the following: AES must be implemented in hardware (i.e. using the AES-NI instruction set) to ensure the best protection against…