Salsa20

Peter edited this page May 7, 2020 · 13 revisions

Introduction

Originally invented in 2005; it later evolved into ChaCha20.

Four attack papers by fourteen cryptanalysts (25, 27, 42, and 5) culminated in a 2^184-operation attack on Salsa20/7 and a 2^251-operation attack on Salsa20/8.

Parameters

  • Key - 256-bit secret key/passphrase

🔑 Secret field. The original algorithm also specified 128-bit keys.

  • Nonce - a unique non-repeating number

📢 Public field. Size in bits depends on the cipher variant. It does not need to be random; it can be sequential.

  • Counter - identifies a block to encipher/decipher (random access)

📢 Public field. Size in bits depends on the cipher variant.

  • Rounds - tradeoff between security and speed

📢 Public field. Recommended tradeoffs: 8 = speed, 12 = balanced, 20 = security. The implementation can handle 2^32.

Variants

As of 2020 there are three variants of Salsa20:

  • Salsa20 (256-bit key, 64-bit nonce, 64-bit counter)

    🛈 The original version released by D. J. Bernstein (implemented)

  • IETF Salsa20 (256-bit key, 96-bit nonce, 32-bit counter)

    🛈 Not an IETF standard; implemented the same way as RFC 7539 (implemented)

  • XSalsa20 (256-bit key, 192-bit nonce, 64-bit counter)

    🛈 Another version released by D. J. Bernstein after the original

Usage

using(var salsa = SymmetricAlgorithm.Create("Salsa20"))
{

}

Safety

  1. Always try to use an unpredictable, randomly chosen key to improve security.
  2. Remember that each (key, nonce) pair must be unique; the same nonce cannot be reused with the same key and vice versa.
  3. The nonce is short, so generating it randomly can produce collisions. It is recommended to increment the previous nonce instead of generating a random nonce every time a new stream is required. (General rule: numbers of 128 bits and more have a very low to non-existent collision chance.)
  4. A single (key, nonce) pair can safely encrypt/decrypt only up to 256GB for IETF Salsa20 and 1ZiB (2^70 bytes) for original Salsa20.
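
The Parameters and Safety sections above, as an added Python example (not this project's C# code): the original Salsa20 variant written from the published algorithm, with the counter used for random access, the 2^70-byte cap per (key, nonce) enforced, and a sequential nonce helper. The function names, the even-rounds restriction and the little-endian nonce increment are assumptions of this example.

```python
import struct

SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # Salsa20 constants for 256-bit keys
MASK = 0xFFFFFFFF

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def quarter_round(x, a, b, c, d):
    x[b] ^= rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= rotl((x[d] + x[c]) & MASK, 18)

def salsa20_block(key, nonce, counter, rounds=20):
    """64-byte keystream block: 256-bit key, 64-bit nonce, 64-bit block counter."""
    if len(key) != 32 or len(nonce) != 8 or not 0 <= counter < 2**64:
        raise ValueError("need 32-byte key, 8-byte nonce, 64-bit counter")
    if rounds < 2 or rounds % 2:  # assumption of this example: whole double rounds only
        raise ValueError("rounds must be a positive even number")
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    init = [SIGMA[0], *k[:4], SIGMA[1], *n, counter & MASK, counter >> 32,
            SIGMA[2], *k[4:], SIGMA[3]]
    x = list(init)
    for _ in range(rounds // 2):  # one column round, then one row round
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                           (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            quarter_round(x, a, b, c, d)
    return struct.pack("<16I", *((p + q) & MASK for p, q in zip(x, init)))

def salsa20_xor(key, nonce, data, offset=0, rounds=20):
    """Encrypt or decrypt `data` that sits at byte `offset` of the (key, nonce) stream."""
    if offset < 0 or offset + len(data) > 2**70:
        raise ValueError("beyond the 2^70-byte limit of one (key, nonce) pair")
    out, pos = bytearray(), offset
    while len(out) < len(data):
        # The counter selects the block, so any offset can be reached directly.
        ks = salsa20_block(key, nonce, pos // 64, rounds)[pos % 64:]
        chunk = data[len(out):len(out) + len(ks)]
        out += bytes(p ^ q for p, q in zip(chunk, ks))
        pos += len(chunk)
    return bytes(out)

def next_nonce(prev):
    """Sequential nonce: previous value + 1 (little-endian here); never wraps."""
    value = int.from_bytes(prev, "little") + 1
    if value >= 2**64:
        raise OverflowError("nonce space exhausted, switch to a new key")
    return value.to_bytes(8, "little")
```

Decryption is the same call as encryption, and passing `offset` decrypts a slice from the middle of a stream without processing the bytes before it.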

Considerations

  • ChaCha20 provides better safety and is more advanced (it features a new round function that increases diffusion and improves performance on some architectures).
  • Salsa20/8 (8 rounds) was slightly weakened by theoretical/demonstrated attacks; however, it is still considered safe (best attack difficulty: 2^251 operations, not a chance).
  • The ciphertext has the same length as the plaintext. Use this to your advantage to pre-allocate buffers; some other algorithms may require padding the output.