Salsa20

from Wikipedia, the free encyclopedia

Salsa20 (also Snuffle 2005) is a stream cipher that was developed in 2005 by Daniel J. Bernstein. In the European eSTREAM project, Salsa20/12, the version reduced to 12 rounds, is one of the finalists (profile 1: software applications). Salsa20 is free from patents.

History

Daniel J. Bernstein developed Snuffle in 2005 in response to earlier attempts by the US to restrict cryptographic publications. Hash functions were excluded from the restrictions; Snuffle 2005 showed that strong encryption can also be built from hash functions.

Variants

Salsa20 Core is the core of various hash functions and stream ciphers.

  • Salsa20 or Snuffle 2005 is a family of 256-bit stream ciphers:
    • Salsa20/20 with 20 rounds is intended as the standard.
    • Salsa20/12 with 12 rounds, for time-critical applications, was a finalist in the eSTREAM project, a European selection process for stream ciphers.
    • Salsa20/8 with 8 rounds, for time-critical applications, is used in the key derivation function scrypt.
  • XSalsa20 is a variant with an extended nonce (192 bits instead of 64 bits).
  • ChaCha or Snuffle 2008 are variants of Salsa20. The hash function BLAKE is based on ChaCha.

Salsa10, introduced in 2004, is the forerunner of Salsa20.

Components of Salsa20 are also used in the Rumba20 compression function.

Design

Salsa20 is based on a few simple operations and is therefore structured in a similar way to the ciphers XTEA and IDEA. The conservative design achieves good, constant software performance on many CPUs and extensive resistance to some side-channel attacks (timing attacks). The core is a function that maps the key, nonce and counter to a 64-byte block. The function consists of a long chain of only three operations: 32-bit addition, 32-bit XOR and 32-bit rotation (by constant distances). The output of the function, run in counter mode, is used as the keystream and is combined with the plaintext by XOR. The recommended key length is 256 bits, but shorter keys are possible. Salsa20 has a compact implementation, is fast and uses little memory.

Security

In 2008, Aumasson et al. presented an attack on Salsa20/7, Salsa20/8, ChaCha6, ChaCha7 and Rumba3 using a new method based on probabilistic neutral bits (PNBs), in which Salsa20/7 (128-bit key) could be broken with a time complexity of 2^111, a data complexity of 2^21 and a success rate of 50%. In 2012 this attack was improved again by Shi et al. The best cryptanalyses of the round-reduced variants of Salsa20 and ChaCha are accordingly (as of September 2014):

  • Salsa20/7 (128-bit key): time complexity 2^109, space complexity 2^19. To illustrate: the supercomputer Roadrunner would need about 20,580,831,662 years for this and would also need access to the ciphertexts corresponding to freely chosen plaintexts (chosen-plaintext attack). However, this does not take the possibility of parallelization into account; Daniel J. Bernstein, the inventor of Salsa20, therefore considers 128-bit keys to be “uncomfortably risky”.
  • ChaCha6 (128-bit key): time complexity 2^105, space complexity 2^28.

References

  1. The eSTREAM Portfolio (PDF, 118 kB).
  2. D. J. Bernstein: Snuffle 2005: the Salsa20 encryption function (PDF, 98 kB).
  3. D. J. Bernstein: The Salsa20 family of stream ciphers (PDF, 176 kB).
  4. Colin Percival: Stronger Key Derivation via Sequential Memory-Hard Functions (PDF, 207 kB).
  5. D. J. Bernstein: Extending the Salsa20 nonce (PDF, 349 kB).
  6. D. J. Bernstein: ChaCha, a variant of Salsa20.
  7. SHA-3 proposal BLAKE.
  8. D. J. Bernstein: The Salsa10 hash function.
  9. D. J. Bernstein: The Rumba20 compression function (PDF, 168 kB).
  10. Jean-Philippe Aumasson, Simon Fischer, Shahram Khazaei, Willi Meier, Christian Rechberger: New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba. Cryptology ePrint Archive: Report 2007/472.
  11. Zhenqing Shi, Bin Zhang, Dengguo Feng, Wenling Wu: Improved Key Recovery Attacks on Reduced-Round Salsa20 and ChaCha. In: Information Security and Cryptology - ICISC 2012. Springer Berlin Heidelberg 2013. ISBN 978-3-642-37681-8, pp. 337-351.
  12. Daniel J. Bernstein: Notes on the Salsa20 key size, p. 2 (PDF, 32 kB).