2002:'s implementation modified Bernstein's published algorithm by changing the 64-bit nonce and 64-bit block counter to a 96-bit nonce and 32-bit block counter. The name was not changed when the algorithm was modified, as it is cryptographically insignificant (both form what a cryptographer would recognize as a 128-bit nonce), but the interface change could be a source of confusion for developers. Because of the reduced block counter, the maximum message length that can be safely encrypted by the IETF's variant is 2 blocks of 64 bytes (256
1036:
38:
4072:
1841:
cipher. Use the key and the first 128 bits of the nonce (in input words 12 through 15) to form a ChaCha input block, then perform the block operation (omitting the final addition). Output words 0–3 and 12–15 (those words corresponding to non-key words of the input) then form the key used for ordinary
965:
if Salsa20 is secure, but is more suitable for applications where longer nonces are desired. XSalsa20 feeds the key and the first 128 bits of the nonce into one block of Salsa20 (without the final addition, which may either be omitted, or subtracted after a standard Salsa20 block), and uses 256 bits
952:
Salsa20 performs 20 rounds of mixing on its input. However, reduced-round variants Salsa20/8 and Salsa20/12 using 8 and 12 rounds respectively have also been introduced. These variants were introduced to complement the original Salsa20, not to replace it, and perform better in the eSTREAM benchmarks
1235:
The ChaCha quarter round has the same number of adds, xors, and bit rotates as the Salsa20 quarter-round, but the fact that two of the rotates are multiples of 8 allows for a small optimization on some architectures including x86. Additionally, the input formatting has been rearranged to support an
978:
project, receiving the highest weighted voting score of any
Profile 1 algorithm at the end of Phase 2. Salsa20 had previously been selected as a Phase 2 Focus design for Profile 1 (software) and as a Phase 2 design for Profile 2 (hardware) by the eSTREAM project, but was not advanced to Phase 3 for
1231:
Notice that this version updates each word twice, while Salsa20's quarter round updates each word only once. In addition, the ChaCha quarter-round diffuses changes more quickly. On average, after changing 1 input bit the Salsa20 quarter-round will change 8 output bits while ChaCha will change 12.5
1009:
In 2008, Aumasson, Fischer, Khazaei, Meier, and
Rechberger reported a cryptanalytic attack against Salsa20/7 with a time complexity of 2, and they reported an attack against Salsa20/8 with an estimated time complexity of 2. This attack makes use of the new concept of probabilistic neutral key bits
1143:
family of ciphers, which aim to increase the diffusion per round while achieving the same or slightly better performance. The
Aumasson et al. paper also attacks ChaCha, achieving one round fewer (for 256-bit ChaCha6 with complexity 2, ChaCha7 with complexity 2, and 128-bit ChaCha6 within 2) but
211:, and a 64-bit counter to a 512-bit block of the key stream (a Salsa version with a 128-bit key also exists). This gives Salsa20 and ChaCha the unusual advantage that the user can efficiently seek to any position in the key stream in constant time. Salsa20 offers speeds of around 4–14
1307:// Odd round QR(0, 4, 8, 12) // column 1 QR(1, 5, 9, 13) // column 2 QR(2, 6, 10, 14) // column 3 QR(3, 7, 11, 15) // column 4 // Even round QR(0, 5, 10, 15) // diagonal 1 (main diagonal) QR(1, 6, 11, 12) // diagonal 2 QR(2, 7, 8, 13) // diagonal 3 QR(3, 4, 9, 14) // diagonal 4
1240:
implementation optimization discovered for Salsa20. Rather than alternating rounds down columns and across rows, they are performed down columns and along diagonals. Like Salsa20, ChaCha arranges the sixteen 32-bit words in a 4×4 matrix. If we index the matrix elements from 0 to 15
417:// Odd round QR( 0, 4, 8, 12) // column 1 QR( 5, 9, 13, 1) // column 2 QR(10, 14, 2, 6) // column 3 QR(15, 3, 7, 11) // column 4 // Even round QR( 0, 1, 2, 3) // row 1 QR( 5, 6, 7, 4) // row 2 QR(10, 11, 8, 9) // row 3 QR(15, 12, 13, 14) // row 4
2150:
Since the majority of the work consists of performing the repeated rounds, the number of rounds is inversely proportional to the performance. That is, halving the number of rounds roughly doubles the performance. Reduced-round variants are thus appreciably
966:
of the output as the key for standard Salsa20 using the last 64 bits of the nonce and the stream position. Specifically, the 256 bits of output used are those corresponding to the non-secret portions of the input: indexes 0, 5, 10, 15, 6, 7, 8 and 9.
941:. In other words, applying the reverse operations would produce the original 4×4 matrix, including the key. Adding the mixed array to the original makes it impossible to recover the input. (This same technique is widely used in hash functions from
3180:
Pfau, Johannes; Reuter, Maximilian; Harbaum, Tanja; Hofmann, Klaus; Becker, Jurgen (September 2019). "A Hardware
Perspective on the ChaCha Ciphers: Scalable Chacha8/12/20 Implementations Ranging from 476 Slices to Bitrates of 175 Gbit/s".
1005:
announced a cryptanalysis of Salsa20 which breaks 8 out of 20 rounds to recover the 256-bit secret key in 2 operations, using 2 keystream pairs. However, this attack does not seem to be competitive with the brute force attack.
993:
In 2005, Paul
Crowley reported an attack on Salsa20/5 with an estimated time complexity of 2 and won Bernstein's US$ 1000 prize for "most interesting Salsa20 cryptanalysis". This attack and all subsequent attacks are based on
184:
European Union cryptographic validation process by
Bernstein. ChaCha is a modification of Salsa20 published in 2008. It uses a new round function that increases diffusion and increases performance on some architectures.
4105:
998:. In 2006, Fischer, Meier, Berbain, Biasse, and Robshaw reported an attack on Salsa20/6 with estimated time complexity of 2, and a related-key attack on Salsa20/7 with estimated time complexity of 2.
414:
to each of the four columns in the 4×4 matrix, and even-numbered rounds apply it to each of the four rows. Two consecutive rounds (column-round and row-round) together are called a double-round:
1854:, yielding a 2.5× speedup. A compromise ChaCha12 (based on the eSTREAM recommendation of a 12-round Salsa) also sees some use. The eSTREAM benchmarking suite includes ChaCha8 and ChaCha12.
1147:
Like Salsa20, ChaCha's initial state includes a 128-bit constant, a 256-bit key, a 64-bit counter, and a 64-bit nonce (in the original version; as described later, a version of ChaCha from
4052:
3882:
937:
In the last line, the mixed array is added, word by word, to the original array to obtain its 64-byte key stream block. This is important because the mixing rounds on their own are
1829:, and its faster successors BLAKE2 and BLAKE3. It also defines a variant using sixteen 64-bit words (1024 bits of state), with correspondingly adjusted rotation constants.
1020:. (Specifically, it has no differential characteristic with higher probability than 2, so differential cryptanalysis would be more difficult than 128-bit key exhaustion.)
4115:
3735:
3353:
1013:
In 2012, the attack by
Aumasson et al. was improved by Shi et al. against Salsa20/7 (128-bit key) to a time complexity of 2 and Salsa20/8 (256-bit key) to 2.
982:
The eSTREAM committee recommends the use of Salsa20/12, the 12-round variant, for "combining very good performance with a comfortable margin of security."
3598:
3071:
3259:
Changes from regular ChaCha. The nonce: block sequence number split was changed from 64:64 to 96:32 The ChaCha20 state is initialized as follows:
1228:
a += b; d ^= a; d <<<= 16; c += d; b ^= c; b <<<= 12; a += b; d ^= a; d <<<= 8; c += d; b ^= c; b <<<= 7;
3017:
2473:
Progress in
Cryptology - INDOCRYPT 2006: 7th International Conference on Cryptology in India, Kolkata, India, December 11-13, 2006, Proceeding
3200:
2840:
2553:
2498:
995:
990:
As of 2015, there are no published attacks on Salsa20/12 or the full Salsa20/20; the best attack known breaks 8 of the 12 or 20 rounds.
396:
The constant words spell "expand 32-byte k" in ASCII (i.e. the 4 words are "expa", "nd 3", "2-by", and "te k"). This is an example of a
1948:
subroutine of the kernel. Starting from version 4.8, the Linux kernel uses the ChaCha20 algorithm to generate data for the nonblocking
3145:
3728:
3660:
3346:
1850:
Aumasson argues in 2020 that 8 rounds of ChaCha (ChaCha8) probably provides enough resistance to future cryptanalysis for the same
979:
Profile 2 because eSTREAM felt that it was probably not a good candidate for extremely resource-constrained hardware environments.
1155:
is slightly different), arranged as a 4×4 matrix of 32-bit words. But ChaCha re-arranges some of the words in the initial state:
2612:
2536:
Zhenqing Shi; Bin Zhang; Dengguo Feng; Wenling Wu (2012). "Improved Key
Recovery Attacks on Reduced-Round Salsa20 and ChaCha".
3931:
3655:
3645:
1826:
2865:
2630:
two of these constants are multiples of 8; this allows for a 1 instruction rotation in Core2 and later Intel CPUs using the
1878:
1010:
for probabilistic detection of a truncated differential. The attack can be adapted to break Salsa20/7 with a 128-bit key.
2739:
3721:
3339:
1960:
407:
b ^= (a + d) <<< 7; c ^= (b + a) <<< 9; d ^= (c + b) <<< 13; a ^= (d + c) <<< 18;
159:
2008 cryptanalysis breaks 8 out of 20 rounds to recover the 256-bit secret key in 2 operations, using 2 keystream pairs.
4110:
4047:
4002:
3815:
397:
239:
2 ⊞, and constant-distance rotation operations <<< on an internal state of sixteen 32-bit words. Using only
3926:
3629:
3488:
1017:
4042:
1237:
1975:-based CPUs. Specialized hardware accelerators for ChaCha20 are also less complex compared to AES accelerators.
4032:
4022:
3877:
3624:
3102:
1882:
1874:
1837:
Although not announced by
Bernstein, the security proof of XSalsa20 extends straightforwardly to an analogous
4100:
4027:
4017:
3820:
3780:
3773:
3763:
3758:
1904:
Shortly after Google's adoption for TLS, both the ChaCha20 and Poly1305 algorithms were also used for a new
3768:
2476:
1967:
for x86 processors). As a result, ChaCha20 is sometimes preferred over AES in certain use cases involving
1035:
247:
in software implementations. The internal state is made of sixteen 32-bit words arranged as a 4×4 matrix.
4075:
3921:
3867:
3696:
3670:
3523:
2218:
Jean-Philippe Aumasson; Simon Fischer; Shahram Khazaei; Willi Meier; Christian Rechberger (2008-03-14).
2081:
1822:
189:
219:
processors, and reasonable hardware performance. It is not patented, and Bernstein has written several
4037:
3961:
3691:
2886:
1116:
129:
2704:"rand_chacha: consider ChaCha12 (or possibly ChaCha8) over ChaCha20 · Issue #932 · rust-random/rand"
2481:
1221:
The constant is the same as Salsa20 ("expand 32-byte k"). ChaCha replaces the Salsa20 quarter-round
3800:
3619:
3025:
2247:
1964:
1054:
208:
177:
56:
3245:
2954:
Legacy arc4random(3) API from OpenBSD reimplemented using the ChaCha20 PRF, with per-thread state.
1016:
In 2013, Mouha and Preneel published a proof that 15 rounds of Salsa20 was 128-bit secure against
961:
In 2008, Bernstein proposed a variant of Salsa20 with 192-bit nonces called XSalsa20. XSalsa20 is
3906:
3890:
3837:
3686:
236:
3966:
3956:
3827:
3196:
2815:
2549:
2494:
2130:
1886:
2790:
2514:
Yukiyasu Tsunoo; Teruo Saito; Hiroyasu Kubo; Tomoyasu Suzaki; Hiroki Nakashima (2007-01-02).
3901:
3468:
3318:
3188:
2541:
2486:
2108:
2097:
2089:
2007:
1991:
1972:
1148:
1310:
ChaCha20 uses 10 iterations of the double round. An implementation in C/C++ appears below.
3588:
3583:
3558:
3432:
3098:
2721:
1130:
962:
212:
143:
2662:
2515:
1963:(AES) algorithm on systems where the CPU does not feature AES acceleration (such as the
3976:
3896:
3857:
3805:
3790:
3650:
3503:
3458:
3151:
2124:
1851:
3192:
3182:
3072:"Merge tag 'random_for_linus' of git.kernel.org/pub/scm/linux/kernel/git/tytso/random"
2898:
Replace the RC4 algorithm for generating in-kernel secure random numbers with Chacha20
2571:"Towards Finding Optimal Differential Characteristics for ARX: Application to Salsa20"
4094:
4057:
4012:
3971:
3951:
3847:
3810:
3785:
3603:
3563:
3543:
3533:
3498:
3362:
3319:
Implementation and Didactical Visualization of the ChaCha Cipher Family in CrypTool 2
2663:"XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305 (Expired Internet-Draft)"
1968:
1941:
244:
220:
173:
152:
2911:
2618:
2417:
2175:
37:
4007:
3852:
3842:
3832:
3795:
3744:
2468:
2434:
2403:
2384:
1978:
ChaCha20-Poly1305 (IETF version; see below) is the exclusive algorithm used by the
240:
232:
197:
193:
3303:
2360:
180:. Salsa20, the original cipher, was designed in 2005, then later submitted to the
3166:
2966:
2939:
2703:
2545:
974:
Salsa20/12 has been selected as a Phase 3 design for Profile 1 (software) by the
3986:
3538:
3396:
3313:
2765:
2112:
2101:
2093:
2011:
1995:
1906:
1152:
2996:
2333:
2305:
2006:). For applications where this is not enough, such as file or disk encryption,
3946:
3916:
3911:
3872:
3665:
2251:
2115:. RFC 8439 merges in some errata and adds additional security considerations.
1913:. Subsequently, this made it possible for OpenSSH to avoid any dependency on
3936:
3578:
3508:
3442:
2647:
2453:
1979:
3981:
3941:
3391:
3106:
2844:
2003:
1866:
1090:
204:
103:
2681:
17:
3411:
2570:
2540:. Lecture Notes in Computer Science. Vol. 7839. pp. 337–351.
2490:
2388:
2219:
1929:
1925:
1914:
1910:
975:
201:
181:
90:
3216:
2290:
2197:
1842:
ChaCha (with the last 64 bits of nonce and 64 bits of block counter).
3862:
3528:
3493:
3463:
3427:
1953:
1945:
1933:
1898:
1862:
1040:
The ChaCha quarter-round function. Four parallel copies make a round.
318:), two words of nonce (essentially additional stream position bits) (
3287:
2841:"OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein"
2475:. Lecture Notes in Computer Science. Vol. 4329. pp. 2–16.
42:
The Salsa quarter-round function. Four parallel copies make a round.
3297:
3047:
1959:
ChaCha20 usually offers better performance than the more prevalent
953:
than Salsa20, though with a correspondingly lower security margin.
3573:
3127:
2471:(2006). "Non-randomness in eSTREAM Candidates Salsa20 and TSC-4".
2085:
1315:#define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
946:
431:#define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
3593:
3568:
3518:
3513:
3381:
3376:
3282:
2467:
Simon Fischer; Willi Meier; Côme Berbain; Jean-François Biasse;
2454:"Truncated differential cryptanalysis of five rounds of Salsa20"
2276:
1999:
1894:
1890:
1870:
3717:
3335:
3308:
2597:
1990:
An implementation reference for ChaCha20 has been published in
196:(ARX) operations — 32-bit addition, bitwise addition (XOR) and
3553:
3548:
3401:
3291:
1937:
942:
404:
that takes a four-word input and produces a four-word output:
216:
3184:
2019 32nd IEEE International System-on-Chip Conference (SOCC)
3128:"Secure Randomness in Go 1.22 - The Go Programming Language"
3086:
random: replace non-blocking pool with a Chacha20-based CRNG
2740:"Do the ChaCha: better mobile performance with cryptography"
2839:
Murenin, Constantine A. (2013-12-11). Unknown Lamer (ed.).
2820:
Super User's BSD Cross Reference: PROTOCOL.chacha20poly1305
2133:– an AEAD scheme combining ChaCha20 with the Poly1305 MAC
2014:
proposes using the original algorithm with 64-bit nonce.
1885:
construction combining both algorithms, which is called
4106:
Cryptographically secure pseudorandom number generators
2864:
Murenin, Constantine A. (2014-04-30). Soulskill (ed.).
1144:
claims that the attack fails to break 128-bit ChaCha7.
3883:
Cryptographically secure pseudorandom number generator
2418:"eSTREAM: Short Report on the End of the Second Phase"
3146:"What's the appeal of using ChaCha20 instead of AES?"
400:. The core operation in Salsa20 is the quarter-round
3323:
2648:"ChaCha20 and Poly1305 for IETF Protocols: RFC 7539"
2096:. Standardization of its use in TLS is published in
1949:
310:
The initial state is made up of eight words of key (
223:
implementations optimized for common architectures.
3995:
3751:
3679:
3638:
3612:
3481:
3451:
3420:
3410:
3369:
1125:
1115:
1107:
1099:
1089:
1084:
1076:
1068:
1060:
1050:
1045:
150:
138:
128:
120:
112:
102:
97:
86:
78:
70:
62:
52:
47:
2614:Faster ChaCha implementations for Intel processors
2578:International Association for Cryptologic Research
2227:International Association for Cryptologic Research
2926:ChaCha based random number generator for OpenBSD.
1139:In 2008, Bernstein published the closely related
2538:Information Security and Cryptology – ICISC 2012
2334:"Extending the Salsa20 nonce (original version)"
1952:device. ChaCha8 is used for the default PRNG in
231:Internally, the cipher uses bitwise addition ⊕ (
3103:"/dev/random Seeing Improvements For Linux 4.8"
2971:Super User's BSD Cross Reference: subr_csprng.c
2938:riastradh (Taylor Campbell), ed. (2016-03-25).
2306:"Extending the Salsa20 nonce (updated in 2011)"
2277:"Snuffle 2005: the Salsa20 encryption function"
2127:– an add-rotate-xor cipher developed by the NSA
2944:Super User's BSD Cross Reference: arc4random.c
2916:Super User's BSD Cross Reference: arc4random.c
2910:guenther (Philip Guenther), ed. (2015-09-13).
2591:
2589:
2587:
3729:
3347:
3283:Snuffle 2005: the Salsa20 encryption function
2698:
2696:
2169:
2167:
1865:had selected ChaCha20 along with Bernstein's
8:
3167:"AES-NI SSL Performance Study @ Calomel.org"
2866:"OpenSSH No Longer Has To Depend On OpenSSL"
1889:. ChaCha20 and Poly1305 are now used in the
1028:
30:
3736:
3722:
3714:
3417:
3354:
3340:
3332:
3328:
3324:
3246:"ChaCha20 and Poly1305 for IETF protocols"
2764:Thomson, Martin; Turner, Sean (May 2021).
1873:, which was intended as a replacement for
420:An implementation in C/C++ appears below.
2516:"Differential Cryptanalysis of Salsa20/8"
2480:
1936:operating systems, instead of the broken
3240:
3238:
2435:"Salsa20/12, The eSTREAM portfolio page"
2242:
2240:
2238:
2236:
2016:
1243:
1157:
328:
249:
4116:Public-domain software with source code
2213:
2211:
2209:
2207:
2163:
2143:
1438:// 10 loops × 2 rounds/loop = 20 rounds
554:// 10 loops × 2 rounds/loop = 20 rounds
2661:Arciszewski, Scott (10 January 2020).
2176:"The Salsa20 family of stream ciphers"
1982:VPN system, as of protocol version 1.
1881:. In the process, they proposed a new
1318:#define QR(a, b, c, d) ( \
1027:
29:
2598:"The ChaCha family of stream ciphers"
2385:"The eSTREAM Project: End of Phase 2"
2018:Initial state of ChaCha20 (RFC 7539)
200:operations. The core function maps a
7:
996:truncated differential cryptanalysis
3386:
3309:The ChaCha family of stream ciphers
2107:In 2018, RFC 7539 was obsoleted by
2596:Daniel J. Bernstein (2008-04-25).
2569:Nicky Mouha; Bart Preneel (2013).
2275:Daniel J. Bernstein (2013-05-16).
2198:"Salsa 20 speed; Salsa20 software"
2196:Daniel J. Bernstein (2013-05-16).
2174:Daniel J. Bernstein (2007-12-24).
1327:a += b, d ^= a, d = ROTL(d, 8), \
1324:c += d, b ^= c, b = ROTL(b, 12), \
1321:a += b, d ^= a, d = ROTL(d, 16), \
1304:then a double round in ChaCha is:
25:
3193:10.1109/SOCC46988.2019.1570548289
2404:"eSTREAM PHASE 3: End of Phase 1"
314:), two words of stream position (
4071:
4070:
2789:Bishop, Mike (2 February 2021).
2680:Aumasson, Jean-Philippe (2020).
1330:c += d, b ^= c, b = ROTL(b, 7))
1034:
368:
363:
36:
2997:"ChaCha Usage & Deployment"
2816:"ssh/PROTOCOL.chacha20poly1305"
2646:Y. Nir; A. Langley (May 2015).
1956:. Rust's CSPRNG uses ChaCha12.
1869:message authentication code in
3932:Information-theoretic security
3314:Salsa20 Usage & Deployment
3126:Cox, Russ; Valsorda, Filippo.
2689:. Real World Crypto Symposium.
2220:"New Features of Latin Dances"
1920:ChaCha20 is also used for the
1827:NIST hash function competition
1:
2814:Miller, Damien (2016-05-03).
1917:, via a compile-time option.
1654:// diagonal 1 (main diagonal)
3646:block ciphers in stream mode
3304:The eSTREAM Project: Salsa20
3024:. 2014-11-16. Archived from
2611:Neves, Samuel (2009-10-07),
2546:10.1007/978-3-642-37682-5_24
2253:ChaCha, a variant of Salsa20
1961:Advanced Encryption Standard
970:eSTREAM selection of Salsa20
188:Both ciphers are built on a
4048:Message authentication code
4003:Cryptographic hash function
3816:Cryptographic hash function
3217:"Protocol and Cryptography"
2452:Paul Crowley (2006-02-09).
1924:random number generator in
1821:ChaCha is the basis of the
957:XSalsa20 with 192-bit nonce
398:nothing-up-my-sleeve number
4132:
3927:Harvest now, decrypt later
3630:alternating step generator
1018:differential cryptanalysis
434:#define QR(a, b, c, d)( \
410:Odd-numbered rounds apply
243:avoids the possibility of
4066:
4043:Post-quantum cryptography
3713:
3331:
3327:
2912:"libc/crypt/arc4random.c"
2402:Hongjun Wu (2007-03-30).
2291:"Salsa20: Software speed"
2088:has been standardized in
1893:protocol, which replaces
1033:
330:Initial state of Salsa20
322:), and four fixed words (
241:add-rotate-xor operations
158:
35:
4033:Quantum key distribution
4023:Authenticated encryption
3878:Random number generation
3625:self-shrinking generator
3298:Salsa20/8 and Salsa20/12
3076:Linux kernel source tree
3048:"Replacing /dev/urandom"
1883:authenticated encryption
1312:
1159:Initial state of ChaCha
986:Cryptanalysis of Salsa20
422:
168:and the closely related
4028:Public-key cryptography
4018:Symmetric-key algorithm
3821:Key derivation function
3781:Cryptographic primitive
3774:Authentication protocol
3764:Outline of cryptography
3759:History of cryptography
2940:"libc/gen/arc4random.c"
2791:"draft: IETF QUIC HTTP"
3769:Cryptographic protocol
2423:. eSTREAM. 2007-03-26.
1133:on an Intel Core 2 Duo
443:d ^= ROTL(c + b,13), \
440:c ^= ROTL(b + a, 9), \
437:b ^= ROTL(a + d, 7), \
215:in software on modern
146:on an Intel Core 2 Duo
3922:End-to-end encryption
3868:Cryptojacking malware
3697:stream cipher attacks
3288:Salsa20 specification
2332:Daniel J. Bernstein.
2304:Daniel J. Bernstein.
190:pseudorandom function
4038:Quantum cryptography
3962:Trusted timestamping
3692:correlation immunity
3223:. Jason A. Donenfeld
3187:. pp. 294–299.
2983:chacha_encrypt_bytes
2967:"kern/subr_csprng.c"
2795:datatracker.ietf.org
2770:datatracker.ietf.org
1846:Reduced-round ChaCha
1825:, a finalist in the
446:a ^= ROTL(d + c,18))
66:2007 (designed 2005)
3801:Cryptographic nonce
3620:shrinking generator
3370:Widely used ciphers
3270:Header of RFC 7539.
3022:NetBSD Manual Pages
2744:The Cloudflare Blog
2726:Cryptography Primer
2250:(28 January 2008),
2080:Use of ChaCha20 in
2019:
1971:, which mostly use
1965:AES instruction set
1823:BLAKE hash function
1160:
1055:Daniel J. Bernstein
1030:
331:
235:), 32-bit addition
178:Daniel J. Bernstein
57:Daniel J. Bernstein
32:
4111:Internet Standards
3907:Subliminal channel
3891:Pseudorandom noise
3838:Key (cryptography)
3687:correlation attack
3046:Corbet, Jonathan.
2491:10.1007/11941378_2
2017:
1986:Internet standards
1158:
329:
4088:
4087:
4084:
4083:
3967:Key-based routing
3957:Trapdoor function
3828:Digital signature
3709:
3708:
3705:
3704:
3477:
3476:
3202:978-1-7281-3483-3
3052:Linux Weekly News
2887:"Revision 317015"
2555:978-3-642-37681-8
2500:978-3-540-49767-7
2439:www.ecrypt.eu.org
2248:Bernstein, Daniel
2131:ChaCha20-Poly1305
2078:
2077:
1887:ChaCha20-Poly1305
1858:ChaCha20 adoption
1333:#define ROUNDS 20
1302:
1301:
1219:
1218:
1137:
1136:
449:#define ROUNDS 20
394:
393:
308:
307:
163:
162:
16:(Redirected from
4123:
4074:
4073:
3902:Insecure channel
3738:
3731:
3724:
3715:
3418:
3356:
3349:
3342:
3333:
3329:
3325:
3271:
3268:
3262:
3261:
3256:
3255:
3250:
3242:
3233:
3232:
3230:
3228:
3213:
3207:
3206:
3177:
3171:
3170:
3163:
3157:
3156:
3142:
3136:
3135:
3123:
3117:
3116:
3114:
3113:
3095:
3089:
3088:
3083:
3082:
3068:
3062:
3061:
3059:
3058:
3043:
3037:
3036:
3034:
3033:
3014:
3008:
3007:
3005:
3004:
2993:
2987:
2986:
2984:
2979:
2978:
2963:
2957:
2956:
2951:
2950:
2935:
2929:
2928:
2923:
2922:
2907:
2901:
2900:
2895:
2894:
2883:
2877:
2876:
2874:
2873:
2861:
2855:
2854:
2852:
2851:
2836:
2830:
2829:
2827:
2826:
2811:
2805:
2804:
2802:
2801:
2786:
2780:
2779:
2777:
2776:
2761:
2755:
2754:
2752:
2751:
2736:
2730:
2729:
2718:
2712:
2711:
2700:
2691:
2690:
2688:
2677:
2671:
2670:
2667:Ietf Datatracker
2658:
2652:
2651:
2643:
2637:
2636:
2627:
2626:
2617:, archived from
2608:
2602:
2601:
2593:
2582:
2581:
2575:
2566:
2560:
2559:
2533:
2527:
2526:
2520:
2511:
2505:
2504:
2484:
2469:M. J. B. Robshaw
2464:
2458:
2457:
2449:
2443:
2442:
2431:
2425:
2424:
2422:
2414:
2408:
2407:
2399:
2393:
2392:
2381:
2375:
2374:
2372:
2371:
2357:
2351:
2350:
2348:
2347:
2338:
2329:
2323:
2322:
2320:
2319:
2310:
2301:
2295:
2294:
2287:
2281:
2280:
2272:
2266:
2265:
2264:
2263:
2258:
2244:
2231:
2230:
2224:
2215:
2202:
2201:
2193:
2187:
2186:
2180:
2171:
2152:
2148:
2020:
1923:
1908:
1817:
1814:
1811:
1808:
1805:
1802:
1799:
1796:
1793:
1790:
1787:
1784:
1781:
1778:
1775:
1772:
1769:
1766:
1763:
1760:
1757:
1754:
1751:
1748:
1745:
1742:
1739:
1736:
1733:
1730:
1727:
1724:
1721:
1718:
1715:
1712:
1709:
1706:
1703:
1700:
1697:
1694:
1691:
1688:
1685:
1682:
1679:
1676:
1673:
1670:
1667:
1664:
1661:
1658:
1655:
1652:
1649:
1646:
1643:
1640:
1637:
1634:
1631:
1628:
1625:
1622:
1619:
1616:
1613:
1610:
1607:
1604:
1601:
1598:
1595:
1592:
1589:
1586:
1583:
1580:
1577:
1574:
1571:
1568:
1565:
1562:
1559:
1556:
1553:
1550:
1547:
1544:
1541:
1538:
1535:
1532:
1529:
1526:
1523:
1520:
1517:
1514:
1511:
1508:
1505:
1502:
1499:
1496:
1493:
1490:
1487:
1484:
1481:
1478:
1475:
1472:
1469:
1466:
1463:
1460:
1457:
1454:
1451:
1448:
1445:
1442:
1439:
1436:
1433:
1430:
1427:
1424:
1421:
1418:
1415:
1412:
1409:
1406:
1403:
1400:
1397:
1394:
1391:
1388:
1385:
1382:
1379:
1376:
1373:
1370:
1367:
1364:
1361:
1358:
1355:
1352:
1349:
1346:
1343:
1340:
1337:
1334:
1331:
1328:
1325:
1322:
1319:
1316:
1244:
1224:
1161:
1038:
1031:
1001:In 2007, Tsunoo
933:
930:
927:
924:
921:
918:
915:
912:
909:
906:
903:
900:
897:
894:
891:
888:
885:
882:
879:
876:
873:
870:
867:
864:
861:
858:
855:
852:
849:
846:
843:
840:
837:
834:
831:
828:
825:
822:
819:
816:
813:
810:
807:
804:
801:
798:
795:
792:
789:
786:
783:
780:
777:
774:
771:
768:
765:
762:
759:
756:
753:
750:
747:
744:
741:
738:
735:
732:
729:
726:
723:
720:
717:
714:
711:
708:
705:
702:
699:
696:
693:
690:
687:
684:
681:
678:
675:
672:
669:
666:
663:
660:
657:
654:
651:
648:
645:
642:
639:
636:
633:
630:
627:
624:
621:
618:
615:
612:
609:
606:
603:
600:
597:
594:
591:
588:
585:
582:
579:
576:
573:
570:
567:
564:
561:
558:
555:
552:
549:
546:
543:
540:
537:
534:
531:
528:
525:
522:
519:
516:
513:
510:
507:
504:
501:
498:
495:
492:
489:
486:
483:
480:
477:
474:
471:
468:
465:
462:
459:
456:
453:
450:
447:
444:
441:
438:
435:
432:
429:
428:<stdint.h>
426:
413:
403:
370:
365:
332:
325:
321:
317:
313:
250:
40:
33:
21:
4131:
4130:
4126:
4125:
4124:
4122:
4121:
4120:
4091:
4090:
4089:
4080:
4062:
3991:
3747:
3742:
3701:
3675:
3634:
3608:
3473:
3447:
3406:
3365:
3360:
3279:
3274:
3269:
3265:
3253:
3251:
3248:
3244:
3243:
3236:
3226:
3224:
3215:
3214:
3210:
3203:
3179:
3178:
3174:
3165:
3164:
3160:
3144:
3143:
3139:
3125:
3124:
3120:
3111:
3109:
3099:Michael Larabel
3097:
3096:
3092:
3080:
3078:
3070:
3069:
3065:
3056:
3054:
3045:
3044:
3040:
3031:
3029:
3018:"arc4random(3)"
3016:
3015:
3011:
3002:
3000:
2995:
2994:
2990:
2982:
2976:
2974:
2965:
2964:
2960:
2948:
2946:
2937:
2936:
2932:
2920:
2918:
2909:
2908:
2904:
2892:
2890:
2885:
2884:
2880:
2871:
2869:
2863:
2862:
2858:
2849:
2847:
2838:
2837:
2833:
2824:
2822:
2813:
2812:
2808:
2799:
2797:
2788:
2787:
2783:
2774:
2772:
2763:
2762:
2758:
2749:
2747:
2738:
2737:
2733:
2720:
2719:
2715:
2702:
2701:
2694:
2686:
2683:Too Much Crypto
2679:
2678:
2674:
2660:
2659:
2655:
2645:
2644:
2640:
2624:
2622:
2610:
2609:
2605:
2595:
2594:
2585:
2573:
2568:
2567:
2563:
2556:
2535:
2534:
2530:
2518:
2513:
2512:
2508:
2501:
2482:10.1.1.121.7248
2466:
2465:
2461:
2451:
2450:
2446:
2433:
2432:
2428:
2420:
2416:
2415:
2411:
2401:
2400:
2396:
2383:
2382:
2378:
2369:
2367:
2359:
2358:
2354:
2345:
2343:
2336:
2331:
2330:
2326:
2317:
2315:
2308:
2303:
2302:
2298:
2289:
2288:
2284:
2274:
2273:
2269:
2261:
2259:
2256:
2246:
2245:
2234:
2222:
2217:
2216:
2205:
2195:
2194:
2190:
2178:
2173:
2172:
2165:
2161:
2156:
2155:
2149:
2145:
2140:
2121:
1988:
1921:
1905:
1897:and is used by
1860:
1848:
1835:
1819:
1818:
1815:
1812:
1809:
1806:
1803:
1800:
1797:
1794:
1791:
1788:
1785:
1782:
1779:
1776:
1773:
1770:
1767:
1764:
1761:
1758:
1755:
1752:
1749:
1746:
1743:
1740:
1737:
1734:
1731:
1728:
1725:
1722:
1719:
1716:
1713:
1710:
1707:
1704:
1701:
1698:
1695:
1692:
1689:
1686:
1683:
1680:
1677:
1674:
1671:
1668:
1665:
1662:
1659:
1656:
1653:
1650:
1647:
1644:
1641:
1638:
1635:
1632:
1629:
1626:
1623:
1620:
1617:
1614:
1611:
1608:
1605:
1602:
1599:
1596:
1593:
1590:
1587:
1584:
1581:
1578:
1575:
1572:
1569:
1566:
1563:
1560:
1557:
1554:
1551:
1548:
1545:
1542:
1539:
1536:
1533:
1530:
1527:
1524:
1521:
1518:
1515:
1512:
1509:
1506:
1503:
1500:
1497:
1494:
1491:
1488:
1485:
1482:
1479:
1476:
1473:
1470:
1467:
1464:
1461:
1458:
1455:
1452:
1449:
1446:
1443:
1440:
1437:
1434:
1431:
1428:
1425:
1422:
1419:
1416:
1413:
1410:
1407:
1404:
1401:
1398:
1395:
1392:
1389:
1386:
1383:
1380:
1377:
1374:
1371:
1368:
1365:
1362:
1359:
1356:
1353:
1350:
1347:
1344:
1341:
1338:
1335:
1332:
1329:
1326:
1323:
1320:
1317:
1314:
1308:
1229:
1222:
1095:128 or 256 bits
1077:Related to
1061:First published
1041:
1026:
988:
972:
963:provably secure
959:
935:
934:
931:
928:
925:
922:
919:
916:
913:
910:
907:
904:
901:
898:
895:
892:
889:
886:
883:
880:
877:
874:
871:
868:
865:
862:
859:
856:
853:
850:
847:
844:
841:
838:
835:
832:
829:
826:
823:
820:
817:
814:
811:
808:
805:
802:
799:
796:
793:
790:
787:
784:
781:
778:
775:
772:
769:
766:
763:
760:
757:
754:
751:
748:
745:
742:
739:
736:
733:
730:
727:
724:
721:
718:
715:
712:
709:
706:
703:
700:
697:
694:
691:
688:
685:
682:
679:
676:
673:
670:
667:
664:
661:
658:
655:
652:
649:
646:
643:
640:
637:
634:
631:
628:
625:
622:
619:
616:
613:
610:
607:
604:
601:
598:
595:
592:
589:
586:
583:
580:
577:
574:
571:
568:
565:
562:
559:
556:
553:
550:
547:
544:
541:
538:
535:
532:
529:
526:
523:
520:
517:
514:
511:
508:
505:
502:
499:
496:
493:
490:
487:
484:
481:
478:
475:
472:
469:
466:
463:
460:
457:
454:
451:
448:
445:
442:
439:
436:
433:
430:
427:
424:
418:
411:
408:
401:
323:
319:
315:
311:
229:
213:cycles per byte
108:128 or 256 bits
79:Related to
63:First published
43:
28:
23:
22:
15:
12:
11:
5:
4129:
4127:
4119:
4118:
4113:
4108:
4103:
4101:Stream ciphers
4093:
4092:
4086:
4085:
4082:
4081:
4079:
4078:
4067:
4064:
4063:
4061:
4060:
4055:
4053:Random numbers
4050:
4045:
4040:
4035:
4030:
4025:
4020:
4015:
4010:
4005:
3999:
3997:
3993:
3992:
3990:
3989:
3984:
3979:
3977:Garlic routing
3974:
3969:
3964:
3959:
3954:
3949:
3944:
3939:
3934:
3929:
3924:
3919:
3914:
3909:
3904:
3899:
3897:Secure channel
3894:
3888:
3887:
3886:
3875:
3870:
3865:
3860:
3858:Key stretching
3855:
3850:
3845:
3840:
3835:
3830:
3825:
3824:
3823:
3818:
3808:
3806:Cryptovirology
3803:
3798:
3793:
3791:Cryptocurrency
3788:
3783:
3778:
3777:
3776:
3766:
3761:
3755:
3753:
3749:
3748:
3743:
3741:
3740:
3733:
3726:
3718:
3711:
3710:
3707:
3706:
3703:
3702:
3700:
3699:
3694:
3689:
3683:
3681:
3677:
3676:
3674:
3673:
3668:
3663:
3658:
3653:
3651:shift register
3648:
3642:
3640:
3636:
3635:
3633:
3632:
3627:
3622:
3616:
3614:
3610:
3609:
3607:
3606:
3601:
3596:
3591:
3586:
3581:
3576:
3571:
3566:
3561:
3556:
3551:
3546:
3541:
3536:
3531:
3526:
3521:
3516:
3511:
3506:
3501:
3496:
3491:
3485:
3483:
3479:
3478:
3475:
3474:
3472:
3471:
3466:
3461:
3455:
3453:
3449:
3448:
3446:
3445:
3440:
3435:
3430:
3424:
3422:
3415:
3408:
3407:
3405:
3404:
3399:
3394:
3389:
3384:
3379:
3373:
3371:
3367:
3366:
3363:Stream ciphers
3361:
3359:
3358:
3351:
3344:
3336:
3322:
3321:
3316:
3311:
3306:
3301:
3295:
3285:
3278:
3277:External links
3275:
3273:
3272:
3263:
3234:
3208:
3201:
3172:
3158:
3152:Stack Exchange
3137:
3118:
3101:(2016-07-25).
3090:
3063:
3038:
3009:
2988:
2958:
2930:
2902:
2878:
2856:
2831:
2806:
2781:
2756:
2731:
2713:
2692:
2672:
2653:
2638:
2603:
2583:
2561:
2554:
2528:
2506:
2499:
2459:
2444:
2426:
2409:
2394:
2376:
2352:
2324:
2296:
2282:
2267:
2232:
2203:
2188:
2162:
2160:
2157:
2154:
2153:
2142:
2141:
2139:
2136:
2135:
2134:
2128:
2120:
2117:
2076:
2075:
2072:
2069:
2066:
2062:
2061:
2058:
2055:
2052:
2048:
2047:
2044:
2041:
2038:
2034:
2033:
2030:
2027:
2024:
1987:
1984:
1969:mobile devices
1859:
1856:
1852:security level
1847:
1844:
1834:
1831:
1313:
1306:
1300:
1299:
1296:
1293:
1290:
1286:
1285:
1282:
1279:
1276:
1272:
1271:
1268:
1265:
1262:
1258:
1257:
1254:
1251:
1248:
1227:
1223:QR(a, b, c, d)
1217:
1216:
1213:
1210:
1207:
1203:
1202:
1199:
1196:
1193:
1189:
1188:
1185:
1182:
1179:
1175:
1174:
1171:
1168:
1165:
1135:
1134:
1127:
1123:
1122:
1119:
1113:
1112:
1109:
1105:
1104:
1101:
1097:
1096:
1093:
1087:
1086:
1082:
1081:
1078:
1074:
1073:
1070:
1066:
1065:
1062:
1058:
1057:
1052:
1048:
1047:
1043:
1042:
1039:
1025:
1024:ChaCha variant
1022:
987:
984:
971:
968:
958:
955:
423:
416:
412:QR(a, b, c, d)
406:
402:QR(a, b, c, d)
392:
391:
388:
385:
382:
378:
377:
374:
371:
366:
360:
359:
356:
353:
350:
346:
345:
342:
339:
336:
306:
305:
302:
299:
296:
292:
291:
288:
285:
282:
278:
277:
274:
271:
268:
264:
263:
260:
257:
254:
245:timing attacks
228:
225:
194:add–rotate–XOR
174:stream ciphers
161:
160:
156:
155:
148:
147:
140:
136:
135:
132:
126:
125:
122:
118:
117:
114:
110:
109:
106:
100:
99:
95:
94:
88:
84:
83:
80:
76:
75:
72:
68:
67:
64:
60:
59:
54:
50:
49:
45:
44:
41:
27:Stream ciphers
26:
24:
14:
13:
10:
9:
6:
4:
3:
2:
4128:
4117:
4114:
4112:
4109:
4107:
4104:
4102:
4099:
4098:
4096:
4077:
4069:
4068:
4065:
4059:
4058:Steganography
4056:
4054:
4051:
4049:
4046:
4044:
4041:
4039:
4036:
4034:
4031:
4029:
4026:
4024:
4021:
4019:
4016:
4014:
4013:Stream cipher
4011:
4009:
4006:
4004:
4001:
4000:
3998:
3994:
3988:
3985:
3983:
3980:
3978:
3975:
3973:
3972:Onion routing
3970:
3968:
3965:
3963:
3960:
3958:
3955:
3953:
3952:Shared secret
3950:
3948:
3945:
3943:
3940:
3938:
3935:
3933:
3930:
3928:
3925:
3923:
3920:
3918:
3915:
3913:
3910:
3908:
3905:
3903:
3900:
3898:
3895:
3892:
3889:
3884:
3881:
3880:
3879:
3876:
3874:
3871:
3869:
3866:
3864:
3861:
3859:
3856:
3854:
3851:
3849:
3848:Key generator
3846:
3844:
3841:
3839:
3836:
3834:
3831:
3829:
3826:
3822:
3819:
3817:
3814:
3813:
3812:
3811:Hash function
3809:
3807:
3804:
3802:
3799:
3797:
3794:
3792:
3789:
3787:
3786:Cryptanalysis
3784:
3782:
3779:
3775:
3772:
3771:
3770:
3767:
3765:
3762:
3760:
3757:
3756:
3754:
3750:
3746:
3739:
3734:
3732:
3727:
3725:
3720:
3719:
3716:
3712:
3698:
3695:
3693:
3690:
3688:
3685:
3684:
3682:
3678:
3672:
3669:
3667:
3664:
3662:
3659:
3657:
3654:
3652:
3649:
3647:
3644:
3643:
3641:
3637:
3631:
3628:
3626:
3623:
3621:
3618:
3617:
3615:
3611:
3605:
3602:
3600:
3597:
3595:
3592:
3590:
3587:
3585:
3582:
3580:
3577:
3575:
3572:
3570:
3567:
3565:
3562:
3560:
3557:
3555:
3552:
3550:
3547:
3545:
3542:
3540:
3537:
3535:
3532:
3530:
3527:
3525:
3522:
3520:
3517:
3515:
3512:
3510:
3507:
3505:
3502:
3500:
3497:
3495:
3492:
3490:
3487:
3486:
3484:
3482:Other ciphers
3480:
3470:
3467:
3465:
3462:
3460:
3457:
3456:
3454:
3450:
3444:
3441:
3439:
3436:
3434:
3431:
3429:
3426:
3425:
3423:
3419:
3416:
3413:
3409:
3403:
3400:
3398:
3395:
3393:
3390:
3388:
3385:
3383:
3380:
3378:
3375:
3374:
3372:
3368:
3364:
3357:
3352:
3350:
3345:
3343:
3338:
3337:
3334:
3330:
3326:
3320:
3317:
3315:
3312:
3310:
3307:
3305:
3302:
3299:
3296:
3293:
3289:
3286:
3284:
3281:
3280:
3276:
3267:
3264:
3260:
3247:
3241:
3239:
3235:
3222:
3218:
3212:
3209:
3204:
3198:
3194:
3190:
3186:
3185:
3176:
3173:
3168:
3162:
3159:
3155:. 2016-04-12.
3154:
3153:
3150:Cryptography
3147:
3141:
3138:
3133:
3129:
3122:
3119:
3108:
3104:
3100:
3094:
3091:
3087:
3077:
3073:
3067:
3064:
3053:
3049:
3042:
3039:
3028:on 2020-07-06
3027:
3023:
3019:
3013:
3010:
2998:
2992:
2989:
2985:
2972:
2968:
2962:
2959:
2955:
2945:
2941:
2934:
2931:
2927:
2917:
2913:
2906:
2903:
2899:
2888:
2882:
2879:
2867:
2860:
2857:
2846:
2842:
2835:
2832:
2821:
2817:
2810:
2807:
2796:
2792:
2785:
2782:
2771:
2767:
2760:
2757:
2745:
2741:
2735:
2732:
2727:
2723:
2717:
2714:
2709:
2705:
2699:
2697:
2693:
2685:
2684:
2676:
2673:
2668:
2664:
2657:
2654:
2649:
2642:
2639:
2635:
2633:
2621:on 2017-03-28
2620:
2616:
2615:
2607:
2604:
2599:
2592:
2590:
2588:
2584:
2579:
2572:
2565:
2562:
2557:
2551:
2547:
2543:
2539:
2532:
2529:
2524:
2517:
2510:
2507:
2502:
2496:
2492:
2488:
2483:
2478:
2474:
2470:
2463:
2460:
2455:
2448:
2445:
2440:
2436:
2430:
2427:
2419:
2413:
2410:
2405:
2398:
2395:
2391:. 2008-04-29.
2390:
2386:
2380:
2377:
2366:
2362:
2356:
2353:
2342:
2335:
2328:
2325:
2314:
2307:
2300:
2297:
2293:. 2007-05-11.
2292:
2286:
2283:
2278:
2271:
2268:
2255:
2254:
2249:
2243:
2241:
2239:
2237:
2233:
2228:
2221:
2214:
2212:
2210:
2208:
2204:
2199:
2192:
2189:
2184:
2177:
2170:
2168:
2164:
2158:
2147:
2144:
2137:
2132:
2129:
2126:
2123:
2122:
2118:
2116:
2114:
2110:
2105:
2103:
2099:
2095:
2091:
2087:
2083:
2073:
2070:
2067:
2064:
2063:
2059:
2056:
2053:
2050:
2049:
2045:
2042:
2039:
2036:
2035:
2031:
2028:
2025:
2022:
2021:
2015:
2013:
2009:
2005:
2001:
1997:
1993:
1985:
1983:
1981:
1976:
1974:
1970:
1966:
1962:
1957:
1955:
1951:
1947:
1943:
1942:DragonFly BSD
1939:
1935:
1931:
1927:
1918:
1916:
1912:
1907:
1902:
1900:
1896:
1892:
1888:
1884:
1880:
1876:
1872:
1868:
1864:
1857:
1855:
1853:
1845:
1843:
1840:
1832:
1830:
1828:
1824:
1753:// diagonal 4
1720:// diagonal 3
1687:// diagonal 2
1621:// Even round
1311:
1305:
1297:
1294:
1291:
1288:
1287:
1283:
1280:
1277:
1274:
1273:
1269:
1266:
1263:
1260:
1259:
1255:
1252:
1249:
1246:
1245:
1242:
1239:
1233:
1232:output bits.
1226:
1214:
1211:
1208:
1205:
1204:
1200:
1197:
1194:
1191:
1190:
1186:
1183:
1180:
1177:
1176:
1172:
1169:
1166:
1163:
1162:
1156:
1154:
1150:
1145:
1142:
1132:
1128:
1124:
1120:
1118:
1114:
1110:
1106:
1102:
1098:
1094:
1092:
1088:
1085:Cipher detail
1083:
1079:
1075:
1071:
1067:
1063:
1059:
1056:
1053:
1049:
1044:
1037:
1032:
1023:
1021:
1019:
1014:
1011:
1007:
1004:
999:
997:
991:
985:
983:
980:
977:
969:
967:
964:
956:
954:
950:
948:
944:
940:
737:// Even round
455:salsa20_block
421:
415:
405:
399:
389:
386:
383:
380:
379:
375:
372:
367:
362:
361:
357:
354:
351:
348:
347:
343:
340:
337:
334:
333:
327:
303:
300:
297:
294:
293:
289:
286:
283:
280:
279:
275:
272:
269:
266:
265:
261:
258:
255:
252:
251:
248:
246:
242:
238:
234:
226:
224:
222:
221:public domain
218:
214:
210:
206:
203:
199:
195:
191:
186:
183:
179:
176:developed by
175:
171:
167:
157:
154:
153:cryptanalysis
149:
145:
141:
137:
133:
131:
127:
123:
119:
115:
111:
107:
105:
101:
98:Cipher detail
96:
92:
89:
87:Certification
85:
81:
77:
73:
69:
65:
61:
58:
55:
51:
46:
39:
34:
19:
4008:Block cipher
3853:Key schedule
3843:Key exchange
3833:Kleptography
3796:Cryptosystem
3745:Cryptography
3437:
3266:
3258:
3252:. Retrieved
3225:. Retrieved
3220:
3211:
3183:
3175:
3161:
3149:
3140:
3131:
3121:
3110:. Retrieved
3093:
3085:
3079:. Retrieved
3075:
3066:
3055:. Retrieved
3051:
3041:
3030:. Retrieved
3026:the original
3021:
3012:
3001:. Retrieved
2999:. 2016-09-07
2991:
2981:
2975:. Retrieved
2973:. 2015-11-04
2970:
2961:
2953:
2947:. Retrieved
2943:
2933:
2925:
2919:. Retrieved
2915:
2905:
2897:
2891:. Retrieved
2889:. 2017-04-16
2881:
2870:. Retrieved
2859:
2848:. Retrieved
2834:
2823:. Retrieved
2819:
2809:
2798:. Retrieved
2794:
2784:
2773:. Retrieved
2769:
2759:
2748:. Retrieved
2746:. 2015-02-23
2743:
2734:
2725:
2716:
2707:
2682:
2675:
2666:
2656:
2641:
2631:
2629:
2623:, retrieved
2619:the original
2613:
2606:
2577:
2564:
2537:
2531:
2522:
2509:
2472:
2462:
2447:
2438:
2429:
2412:
2397:
2379:
2368:. Retrieved
2364:
2361:"Salsa20/12"
2355:
2344:. Retrieved
2340:
2327:
2316:. Retrieved
2312:
2299:
2285:
2270:
2260:, retrieved
2252:
2226:
2191:
2182:
2146:
2106:
2079:
1989:
1977:
1958:
1950:/dev/urandom
1919:
1903:
1861:
1849:
1838:
1836:
1820:
1486:// Odd round
1339:chacha_block
1309:
1303:
1234:
1230:
1220:
1146:
1140:
1138:
1069:Derived from
1015:
1012:
1008:
1002:
1000:
992:
989:
981:
973:
960:
951:
938:
936:
602:// Odd round
419:
409:
395:
309:
233:exclusive OR
230:
187:
169:
165:
164:
151:Best public
3996:Mathematics
3987:Mix network
2634:instruction
1618:// column 4
1585:// column 3
1552:// column 2
1519:// column 1
734:// column 4
701:// column 3
668:// column 2
635:// column 1
207:, a 64-bit
4095:Categories
3947:Ciphertext
3917:Decryption
3912:Encryption
3873:Ransomware
3666:T-function
3613:Generators
3489:Achterbahn
3254:2017-08-07
3112:2016-10-03
3081:2016-09-20
3057:2016-09-20
3032:2016-09-07
3003:2016-09-07
2977:2016-09-07
2949:2016-09-07
2921:2016-09-07
2893:2018-03-16
2872:2016-09-07
2868:. Slashdot
2850:2016-09-07
2825:2016-09-07
2800:2021-07-13
2775:2021-07-13
2766:"RFC 9001"
2750:2021-07-13
2625:2016-09-07
2406:. eSTREAM.
2370:2017-08-22
2346:2022-08-18
2318:2022-08-18
2262:2018-06-03
2159:References
1922:arc4random
1909:cipher in
1236:efficient
1100:State size
939:invertible
113:State size
71:Successors
3937:Plaintext
3579:SOBER-128
3509:KCipher-2
3443:SOSEMANUK
3414:Portfolio
3221:WireGuard
2477:CiteSeerX
2365:ECRYPT II
1980:WireGuard
1940:, and in
1108:Structure
1091:Key sizes
1051:Designers
227:Structure
192:based on
121:Structure
104:Key sizes
93:portfolio
53:Designers
4076:Category
3982:Kademlia
3942:Codetext
3885:(CSPRNG)
3452:Hardware
3421:Software
3392:Crypto-1
3107:Phoronix
2845:Slashdot
2722:"ChaCha"
2341:cr.yp.to
2313:cr.yp.to
2183:cr.yp.to
2119:See also
2065:Counter
1944:for the
1867:Poly1305
1378:uint32_t
1354:uint32_t
1345:uint32_t
1209:Counter
1206:Counter
1103:512 bits
945:through
869:// row 4
836:// row 3
803:// row 2
770:// row 1
494:uint32_t
470:uint32_t
461:uint32_t
425:#include
198:rotation
116:512 bits
18:ChaCha20
3752:General
3680:Attacks
3469:Trivium
3438:Salsa20
3412:eSTREAM
2389:eSTREAM
2151:faster.
2032:"te k"
2029:"2-by"
2026:"nd 3"
2023:"expa"
1930:OpenBSD
1926:FreeBSD
1915:OpenSSL
1911:OpenSSH
1839:XChaCha
1833:XChaCha
1173:"te k"
1170:"2-by"
1167:"nd 3"
1164:"expa"
1080:Rumba20
1072:Salsa20
1046:General
976:eSTREAM
390:"te k"
373:"2-by"
352:"nd 3"
335:"expa"
202:256-bit
182:eSTREAM
166:Salsa20
91:eSTREAM
82:Rumba20
48:General
31:Salsa20
3863:Keygen
3639:Theory
3589:Turing
3584:Spritz
3559:Scream
3529:Phelix
3524:Panama
3494:F-FCSR
3464:MICKEY
3433:Rabbit
3428:HC-128
3387:ChaCha
3227:4 July
3199:
3132:go.dev
2708:GitHub
2632:pshufb
2552:
2523:ECRYPT
2497:
2479:
2111:
2100:
2092:
2074:Nonce
2071:Nonce
2068:Nonce
2010:
1998:. The
1994:
1954:Golang
1946:CSPRNG
1934:NetBSD
1932:, and
1899:HTTP/3
1863:Google
1465:ROUNDS
1225:with:
1215:Nonce
1212:Nonce
1151:
1141:ChaCha
1117:Rounds
1029:ChaCha
1003:et al.
581:ROUNDS
358:Nonce
355:Nonce
324:
320:
316:
312:
170:ChaCha
130:Rounds
74:ChaCha
3893:(PRN)
3661:NLFSR
3574:SOBER
3504:ISAAC
3459:Grain
3300:(PDF)
3249:(PDF)
2687:(PDF)
2574:(PDF)
2519:(PDF)
2421:(PDF)
2337:(PDF)
2309:(PDF)
2257:(PDF)
2223:(PDF)
2179:(PDF)
2138:Notes
2125:Speck
2086:IPsec
1877:over
1357:const
1129:3.95
1126:Speed
947:SHA-2
473:const
209:nonce
142:3.91
139:Speed
3656:LFSR
3604:WAKE
3599:VMPC
3594:VEST
3569:SNOW
3564:SEAL
3554:RC4A
3549:RC4+
3544:QUAD
3534:Pike
3519:ORYX
3514:MUGI
3499:FISH
3382:A5/2
3377:A5/1
3229:2018
3197:ISBN
2550:ISBN
2495:ISBN
2113:8439
2102:7905
2094:7634
2084:and
2060:Key
2057:Key
2054:Key
2051:Key
2046:Key
2043:Key
2040:Key
2037:Key
2012:7539
2000:IETF
1996:7539
1895:SPDY
1891:QUIC
1871:SPDY
1780:<
1462:<
1408:<
1336:void
1201:Key
1198:Key
1195:Key
1192:Key
1187:Key
1184:Key
1181:Key
1178:Key
1153:7539
1064:2008
896:<
578:<
524:<
452:void
387:Key
384:Key
381:Key
376:Key
369:Pos.
364:Pos.
349:Key
344:Key
341:Key
338:Key
172:are
3402:RC4
3292:PDF
3189:doi
2542:doi
2487:doi
2109:RFC
2098:RFC
2090:RFC
2082:IKE
2008:RFC
2004:GiB
1992:RFC
1973:ARM
1938:RC4
1879:TCP
1875:TLS
1798:out
1759:for
1441:for
1387:for
1369:int
1348:out
1298:15
1284:11
1238:SSE
1149:RFC
1131:cpb
1111:ARX
949:.)
943:MD4
914:out
875:for
557:for
503:for
485:int
464:out
326:):
304:15
290:11
237:mod
217:x86
205:key
144:cpb
124:ARX
4097::
3671:IV
3539:Py
3397:E0
3257:.
3237:^
3219:.
3195:.
3148:.
3130:.
3105:.
3084:.
3074:.
3050:.
3020:.
2980:.
2969:.
2952:.
2942:.
2924:.
2914:.
2896:.
2843:.
2818:.
2793:.
2768:.
2742:.
2724:.
2706:.
2695:^
2665:.
2628:,
2586:^
2576:.
2548:.
2521:.
2493:.
2485:.
2437:.
2387:.
2363:.
2339:.
2311:.
2235:^
2225:.
2206:^
2181:.
2166:^
2104:.
1928:,
1901:.
1810:in
1789:++
1783:16
1750:);
1723:QR
1717:);
1690:QR
1684:);
1657:QR
1651:);
1624:QR
1615:);
1588:QR
1582:);
1555:QR
1549:);
1522:QR
1516:);
1489:QR
1474:+=
1432:in
1417:++
1411:16
1360:in
1295:14
1292:13
1289:12
1281:10
1270:7
1256:3
1121:20
926:in
905:++
899:16
866:);
839:QR
833:);
806:QR
800:);
773:QR
767:);
740:QR
731:);
704:QR
698:);
671:QR
665:);
638:QR
632:);
605:QR
590:+=
548:in
533:++
527:16
476:in
301:14
298:13
295:12
287:10
276:7
262:3
134:20
3737:e
3730:t
3723:v
3355:e
3348:t
3341:v
3294:)
3290:(
3231:.
3205:.
3191::
3169:.
3134:.
3115:.
3060:.
3035:.
3006:.
2875:.
2853:.
2828:.
2803:.
2778:.
2753:.
2728:.
2710:.
2669:.
2650:.
2600:.
2580:.
2558:.
2544::
2525:.
2503:.
2489::
2456:.
2441:.
2373:.
2349:.
2321:.
2279:.
2229:.
2200:.
2185:.
1816:}
1813:;
1807:+
1804:x
1801:=
1795:)
1792:i
1786:;
1777:i
1774:;
1771:0
1768:=
1765:i
1762:(
1756:}
1747:x
1744:,
1741:x
1738:,
1735:x
1732:,
1729:x
1726:(
1714:x
1711:,
1708:x
1705:,
1702:x
1699:,
1696:x
1693:(
1681:x
1678:,
1675:x
1672:,
1669:x
1666:,
1663:x
1660:(
1648:x
1645:,
1642:x
1639:,
1636:x
1633:,
1630:x
1627:(
1612:x
1609:,
1606:x
1603:,
1600:x
1597:,
1594:x
1591:(
1579:x
1576:,
1573:x
1570:,
1567:x
1564:,
1561:x
1558:(
1546:x
1543:,
1540:x
1537:,
1534:x
1531:,
1528:x
1525:(
1513:x
1510:,
1507:x
1504:,
1501:x
1498:,
1495:x
1492:(
1483:{
1480:)
1477:2
1471:i
1468:;
1459:i
1456:;
1453:0
1450:=
1447:i
1444:(
1435:;
1429:=
1426:x
1423:)
1420:i
1414:;
1405:i
1402:;
1399:0
1396:=
1393:i
1390:(
1384:;
1381:x
1375:;
1372:i
1366:{
1363:)
1351:,
1342:(
1278:9
1275:8
1267:6
1264:5
1261:4
1253:2
1250:1
1247:0
932:}
929:;
923:+
920:x
917:=
911:)
908:i
902:;
893:i
890:;
887:0
884:=
881:i
878:(
872:}
863:x
860:,
857:x
854:,
851:x
848:,
845:x
842:(
830:x
827:,
824:x
821:,
818:x
815:,
812:x
809:(
797:x
794:,
791:x
788:,
785:x
782:,
779:x
776:(
764:x
761:,
758:x
755:,
752:x
749:,
746:x
743:(
728:x
725:,
722:x
719:,
716:x
713:,
710:x
707:(
695:x
692:,
689:x
686:,
683:x
680:,
677:x
674:(
662:x
659:,
656:x
653:,
650:x
647:,
644:x
641:(
629:x
626:,
623:x
620:,
617:x
614:,
611:x
608:(
599:{
596:)
593:2
587:i
584:;
575:i
572:;
569:0
566:=
563:i
560:(
551:;
545:=
542:x
539:)
536:i
530:;
521:i
518:;
515:0
512:=
509:i
506:(
500:;
497:x
491:;
488:i
482:{
479:)
467:,
458:(
284:9
281:8
273:6
270:5
267:4
259:2
256:1
253:0
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.