5

ChaCha20 is considered 256-bit secure (no attack faster than brute force). However, the best known cryptanalysis that I know of is on ChaCha7.

That gives ChaCha20 a rather large security margin (much larger than, say, AES-256). Is ChaCha12 still considered to be 256-bit secure (as in "considered usable when top performance and 256-bit security are needed, no HW AES support, and ChaCha20 is too slow")?

Demi

1 Answer

3

Yes, the best attack still seems to be on 7 rounds. Namely, "Improved Key Recovery Attacks on Reduced-Round Salsa20 and ChaCha" shows a $2^{246.5}$ time attack on the 7-round variant.

So even the 12-round variant has a decent security margin – better than AES-256 had when standardized, much less currently.

otus
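For reference, an added example (not part of the original question or answer): a ChaCha block function with the round count as a parameter, showing that ChaCha20, ChaCha12, ChaCha8 and the 7-round variant differ only in how many column/diagonal rounds are applied. It assumes the RFC 7539 layout (32-bit counter, 96-bit nonce); the function and parameter names are illustrative.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # ChaCha constant words
COLUMNS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONALS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def rotl32(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def quarter_round(s, a, b, c, d):
    # Add-rotate-xor quarter round on four words of the 16-word state.
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl32(s[b] ^ s[c], 7)

def chacha_block(key, counter, nonce, rounds=20):
    """Return one 64-byte keystream block of ChaCha with `rounds` rounds."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("need a 32-byte key and a 12-byte nonce")
    if rounds <= 0:
        raise ValueError("rounds must be positive")
    init = [*SIGMA, *struct.unpack("<8I", key), counter & MASK,
            *struct.unpack("<3I", nonce)]
    s = list(init)
    for r in range(rounds):
        # Rounds alternate: column round first, then diagonal round.
        # ChaCha20 = 10 such pairs, ChaCha12 = 6, ChaCha8 = 4;
        # a 7-round variant is 3 pairs plus one extra column round.
        for a, b, c, d in (COLUMNS if r % 2 == 0 else DIAGONALS):
            quarter_round(s, a, b, c, d)
    # Feed-forward: add the initial state to the permuted state.
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, init)))

# Inputs of the RFC 7539 section 2.3.2 block-function test vector.
KEY = bytes(range(32))
NONCE = bytes.fromhex("000000090000004a00000000")

if __name__ == "__main__":
    for r in (20, 12, 8, 7):
        print(f"ChaCha{r:<2}", chacha_block(KEY, 1, NONCE, r)[:16].hex())
```
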