Questions tagged [chacha]

ChaCha is a family of stream ciphers proposed by Daniel J. Bernstein, as an evolution of Salsa20 with (conjecturally) improved resistance to cryptanalysis.

ChaCha, like Salsa20, is a family of stream ciphers, with the stream generator a hash function in counter mode. It uses 32-bit Addition, Rotation, and XOR (ARX), making it fast, constant-time (thus immune to timing attacks), and lean on memory (thus cache-friendly when the key changes often), on virtually any 32-bit (or wider) CPU.

ChaCha differs from Salsa20 by making twice as many updates to its state during its core function, and a few other changes, leading to faster diffusion. Also, the mapping of constants and counter in the input of the core function is revised.

ChaCha8, ChaCha12 and ChaCha20 are the variants intended to replace Salsa20/8, Salsa20/12 and Salsa20/20, respectively. As seen, the naming scheme has also been changed.

187 questions
64 votes, 5 answers

What's the appeal of using ChaCha20 instead of AES?

I read about ChaCha20 being used in TLS by Google, SSH, and towards standardization in general. What's the appeal of using something other than AES, what with AES receiving dedicated CPU instructions on various architectures to make it so efficient?
JDługosz
23 votes, 2 answers

Why should one prefer Salsa20 over ChaCha?

We are all aware of Google's approach to introduce ChaCha/Poly1305 as TLS cipher suite. The rationale seems clear: ChaCha is newer and seems to provide better security (and maybe speed?) gained from the experiences of the design of Salsa20. But in…
SEJPM
21 votes, 3 answers

Collision or second preimage for the ChaCha core?

Daniel J. Bernstein's ChaCha core is an evolution of the Salsa20 core. Both are functions over the set of 512-bit bitstrings, partitioned as sixteen 32-bit words. Can we exhibit collisions, or second-preimages (which implies the former), for the…
fgrieu
18 votes, 2 answers

Where did ChaCha20 and Salsa20 stream ciphers get their names from?

This is not a question targeted at a specific crypto implementation, but a question out of curiosity. What's the reason for calling the stream ciphers ChaCha/Salsa? I couldn't find any information about this on the Internet. Are those names somehow…
Aravind A
16 votes, 3 answers

Why is the core ChaCha primitive not good for use in a CRCF? Why create BLAKE?

Why is the core ChaCha primitive not good for use in a collision-resistant compression function (crypto hash)? Why go through the trouble to create BLAKE? What's wrong with using the core ChaCha primitive unaltered in a Merkle–Damgård like…
Charlie
10 votes, 2 answers

Changing an Encryption scheme from AES to ChaCha20

I am using the AES cipher for my OTT platform. Almost all chip vendors (ARM, Intel, etc.) have built-in AES for faster and secure processing. Now, how feasible is it to move from AES to ChaCha20? What are the pros and cons of this? Will ChaCha20 be…
SSA
10 votes, 2 answers

Does ChaCha20/Salsa have the same bit strength as AES for identical key sizes?

Does ChaCha20/Salsa have the same bit strength as AES for identical key sizes? In other words, does ChaCha20 with a 128-bit key theoretically require 2^128 attempts to brute force, as with AES-128? PS: Notwithstanding that ChaCha is a stream cipher.
Woodstock
10 votes, 1 answer

Can reduced-round ChaCha be used as non-cryptographic fast PRNG to produce output indistinguishable from random data?

The fastest known attack against the Salsa20 family of stream ciphers requires $2^{137}$ simple operations against Salsa20/7, or $2^{244}$ against Salsa20/8. The 8-round version encrypts data at 1.88 cycles-per-byte on a Core2Duo, which is already extremely…
forest
10 votes, 2 answers

Nonce encryption with Poly1305-Chacha20

I have seen that a couple of companies (like Google, Apple HomeKit) are adding "ChaCha20-Poly1305" as an encryption option. Poly1305 requires an algorithm to encrypt the nonce. The Poly1305-AES specification uses the AES algorithm to encrypt the nonce,…
rose
10 votes, 1 answer

Why is the whole initial state used in the final addition of Salsa20 and ChaCha?

Both Salsa20 and ChaCha basically work like this: Put the key, the nonce, the sequence number and a constant into a 4x4 matrix of 32-bit words. Transform the matrix invertibly with a number of ARX rounds. Add the initial matrix into the current…
otus
10 votes, 1 answer

Can I use the ChaCha core as a 256-bit to 256-bit one-way function?

I'm looking to implement Lamport signatures as a little fun project, and I need a fast one way function that maps $\{0,1\}^{256} \rightarrow \{0,1\}^{256}$. I was wondering whether I could safely use the ChaCha core for that, by setting the input as…
orlp
9 votes, 3 answers

Is the ChaCha20 block function reversible using known plaintext?

I've been recently implementing the chacha20 stream cipher with Poly1305. As the core operations which make up the Quarter Round of chacha20 (ARX - Addition Rotation Xor) are indeed reversible, does that make reversing the ChaCha20 possible if an…
9 votes, 0 answers

Why is BLAKE2 faster than chacha20?

Chacha20 is essentially a hash function that maps 512-bit strings to other 512-bit strings which are in turn xored with the plaintext to create the ciphertext. Of the 512-bit input 128-bit are used for the "expand 32-byte k" constant, 256-bit are…
Astolfo
9 votes, 2 answers

Where are the ChaCha20 test vectors/examples?

I see in the Salsa20 specification there are test examples throughout the document to help an implementer make sure every function works as designed. Consequently the whole algorithm would work perfectly if all the tests pass. Without these test…
Motox
9 votes, 2 answers

Fast cipher without needing hardware support (like ChaCha20) for disk encryption

On my old laptop, ChaCha20 is quite a bit faster than AES as there is no hardware acceleration for AES. But for disk encryption AES based schemes seem to be the only option, as a stream cipher like ChaCha20 cannot directly be used for disk…
JanKanis