I want to implement a stream cipher to encrypt very sensitive data in my Python code. I heard about the ChaCha20 algorithm and the PyCryptodome library, but how secure is it?
2 Answers
- Aumasson et al. showed that ChaCha6 can be attacked with time complexity $2^{139}$ and ChaCha7 with $2^{248}$.
- Shi et al. gave an attack based on second-order differentials with $2^{136}$ for ChaCha6 and $2^{246.5}$ for ChaCha7.
- Maitra, using chosen-IV cryptanalysis, showed that the time complexity of the attack can be reduced to $2^{239}$ for ChaCha7.
- Choudhuri and Maitra concluded that ChaCha12 is sufficient for 256-bit keys against differential cryptanalysis, using a hybrid model of non-linear round functions and linear approximation...
$$
\begin{array}{|l|l|}
\hline
\text{Attack} & \text{Evaluation} \\
\hline
\text{Differential Analysis} & \text{No attack found} \\
\text{Rotational Cryptanalysis} & \text{No attack found} \\
\text{Boomerang Attack} & \text{No attack found} \\
\text{Linear Cryptanalysis} & \text{No attack found} \\
\text{Distinguishing Attack} & \text{No attack found} \\
\text{Guess and Determine Analysis} & \text{No attack found} \\
\text{Time-Memory-Data Tradeoff Attack} & \text{Protected} \\
\text{Practically ChaCha Algebraic Attack} & \text{No attack found} \\
\text{Attacks on Initialization Process} & \text{No attack found} \\
\text{Single Power Analysis} & \text{Protected} \\
\text{Practically Difference Power Analysis} & \text{Protected Practically} \\
\text{Cache Timing Attack} & \text{No attack found} \\
\text{Fault Injection Analysis} & \text{Protected Practically} \\
\hline
\end{array}
$$

The above table and results come from KDDI Research, Inc.
- Simple power attack; though the rotation is vulnerable to a power attack, they propose masking as a countermeasure.
- Differential power analysis; they demonstrated that an adversary can get all keys except $k_1$, which can be found in $2^{32}$, and proposed masking as a countermeasure.
- Fault injection attack; they claim that the initial matrix $X$ or the matrix $X^{(20)}$ will be output if the fault is injected into the addition.
A countermeasure against this sort of attack is to separate variables; that is, distinct variables store the inputs and the output of the addition. Consider an addition $z \leftarrow x+y$. The addition returns the initial value of the variable $z$ even if the addition is skipped. Thus, the adversary can get the value of neither variable $x$ nor variable $y$. Algorithm 9 shows the implementation using the countermeasure based on variable separation.
We should note that variable separation at the source-code level does not work
They include all attacks up to 2017 in their document. I couldn't find one in 2018.
ChaCha20 is a "primitive", in other words it's just one component of a secure cryptographic system (and PyCryptodome is a collection of primitives). So in a way, and from the perspective of a programmer, it's not secure at all. It's dangerous to use something so low-level.
In order to implement a secure crypto system, you need more than just encryption. Go with something like Cryptography or PyNaCl - they have already done all the work for you.