23

We are all aware of Google's approach to introduce ChaCha/Poly1305 as a TLS cipher suite. The rationale seems clear: ChaCha is newer and seems to provide better security (and maybe speed?) gained from the experiences of the design of Salsa20.

But in his "recent" paper "McBits: fast constant-time code-based cryptography" (basically code-based ECIES), Bernstein (the inventor of Salsa20 and ChaCha), Chou and Schwabe used Salsa20 as the standard primitive for McBits and not ChaCha.

So what are the reasons to prefer Salsa20 over ChaCha?

SEJPM

2 Answers

16

I agree that conservatism is the likely reason for the choice in McBits.

ChaCha was published while eSTREAM was still running. Salsa20/12 is now in the final eSTREAM portfolio. Even in the XSalsa paper on constructing a larger nonce, Bernstein makes no mention of ChaCha.

So what are the reasons to prefer Salsa20 over ChaCha?

Wanting to use a standardized algorithm is one reason. Choosing the more exhaustively studied algorithm is another good one.

If you have your tinfoil hat on, you might also prefer to avoid any tweaks in the absence of real breaks. After all, tweaking the cipher would be an opportunity to introduce new back doors.

otus
6

Salsa20 saw lots of cryptanalysis. If I recall correctly, ChaCha20 was only analyzed by two papers prior to getting into TLS. Some people may think that this was a bit hasty even given its heritage. I wouldn't be surprised if DJB (Daniel J. Bernstein) is simply being conservative.

Maarten Bodewes
Thomas M. DuBuisson