Salsa20
Salsa20 and the closely related ChaCha are stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM European Union cryptographic validation process by Bernstein. ChaCha is a modification of Salsa20 published in 2008. It uses a new round function that increases diffusion and increases performance on some architectures.
The Salsa quarter-round function. Four parallel copies make a round.

General | |
---|---|
Designers | Daniel J. Bernstein |
First published | 2007 (designed 2005) |
Successors | ChaCha |
Related to | Rumba20 |
Certification | eSTREAM portfolio |
Cipher detail | |
Key sizes | 128 or 256 bits |
State size | 512 bits |
Structure | ARX |
Rounds | 20 |
Speed | 3.91 cpb on an Intel Core 2 Duo |
Best public cryptanalysis | |
2008 cryptanalysis breaks 8 out of 20 rounds to recover the 256-bit secret key in $2^{251}$ operations, using $2^{31}$ keystream pairs. |
Both ciphers are built on a pseudorandom function based on add-rotate-XOR (ARX) operations — 32-bit addition, bitwise addition (XOR) and rotation operations. The core function maps a 256-bit key, a 64-bit nonce, and a 64-bit counter to a 512-bit block of the key stream (a Salsa version with a 128-bit key also exists). This gives Salsa20 and ChaCha the unusual advantage that the user can efficiently seek to any position in the key stream in constant time. Salsa20 offers speeds of around 4–14 cycles per byte in software on modern x86 processors, and reasonable hardware performance. It is not patented, and Bernstein has written several public domain implementations optimized for common architectures.
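
The constant-time seek described above, as an added example (not from the original page or from Bernstein's implementations): a plain-Python Salsa20/20 block function for 256-bit keys, where the keystream at any byte offset is computed directly from the block counter. The function names and the sample key and nonce are constructed for illustration.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # constants for 256-bit keys

def rotl(x, n):
    return ((x << n) & MASK) | (x >> (32 - n))

def quarterround(a, b, c, d):
    # ARX only: 32-bit addition, rotation, XOR
    b ^= rotl((a + d) & MASK, 7)
    c ^= rotl((b + a) & MASK, 9)
    d ^= rotl((c + b) & MASK, 13)
    a ^= rotl((d + c) & MASK, 18)
    return a, b, c, d

COLUMNS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))

def core(words):
    # 20 rounds = 10 double rounds (column round, then row round), plus feed-forward
    x = list(words)
    for _ in range(10):
        for i, j, k, l in COLUMNS + ROWS:
            x[i], x[j], x[k], x[l] = quarterround(x[i], x[j], x[k], x[l])
    return [(x[i] + words[i]) & MASK for i in range(16)]

def block(key, nonce, counter):
    # 256-bit key, 64-bit nonce, 64-bit block counter -> 64-byte keystream block
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    state = [SIGMA[0], *k[:4], SIGMA[1], *n, counter & MASK, counter >> 32,
             SIGMA[2], *k[4:], SIGMA[3]]
    return struct.pack("<16I", *core(state))

def keystream(key, nonce, offset, length):
    # Seek: only the blocks covering [offset, offset + length) are computed
    first, skip = divmod(offset, 64)
    nblocks = (skip + length + 63) // 64
    ks = b"".join(block(key, nonce, first + i) for i in range(nblocks))
    return ks[skip:skip + length]

def xor_at(key, nonce, offset, data):
    # Encrypt or decrypt `data` as if it sat at byte `offset` of the stream
    return bytes(p ^ s for p, s in zip(data, keystream(key, nonce, offset, len(data))))

# Constructed sample inputs (not test vectors from the page)
KEY = bytes(range(32))
NONCE = bytes(8)
```

Because every block depends only on the key, nonce and counter, reusing a (key, nonce) pair for two messages reproduces the same keystream, so each message needs a fresh nonce.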