Knowledge (XXG)

Salsa20

Source 📝

2002:'s implementation modified Bernstein's published algorithm by changing the 64-bit nonce and 64-bit block counter to a 96-bit nonce and 32-bit block counter. The name was not changed when the algorithm was modified, as it is cryptographically insignificant (both form what a cryptographer would recognize as a 128-bit nonce), but the interface change could be a source of confusion for developers. Because of the reduced block counter, the maximum message length that can be safely encrypted by the IETF's variant is 2 blocks of 64 bytes (256  1036: 38: 4072: 1841:
cipher. Use the key and the first 128 bits of the nonce (in input words 12 through 15) to form a ChaCha input block, then perform the block operation (omitting the final addition). Output words 0–3 and 12–15 (those words corresponding to non-key words of the input) then form the key used for ordinary
965:
if Salsa20 is secure, but is more suitable for applications where longer nonces are desired. XSalsa20 feeds the key and the first 128 bits of the nonce into one block of Salsa20 (without the final addition, which may either be omitted, or subtracted after a standard Salsa20 block), and uses 256 bits
952:
Salsa20 performs 20 rounds of mixing on its input. However, reduced-round variants Salsa20/8 and Salsa20/12 using 8 and 12 rounds respectively have also been introduced. These variants were introduced to complement the original Salsa20, not to replace it, and perform better in the eSTREAM benchmarks
1235:
The ChaCha quarter round has the same number of adds, xors, and bit rotates as the Salsa20 quarter-round, but the fact that two of the rotates are multiples of 8 allows for a small optimization on some architectures including x86. Additionally, the input formatting has been rearranged to support an
978:
project, receiving the highest weighted voting score of any Profile 1 algorithm at the end of Phase 2. Salsa20 had previously been selected as a Phase 2 Focus design for Profile 1 (software) and as a Phase 2 design for Profile 2 (hardware) by the eSTREAM project, but was not advanced to Phase 3 for
1231:
Notice that this version updates each word twice, while Salsa20's quarter round updates each word only once. In addition, the ChaCha quarter-round diffuses changes more quickly. On average, after changing 1 input bit the Salsa20 quarter-round will change 8 output bits while ChaCha will change 12.5
1009:
In 2008, Aumasson, Fischer, Khazaei, Meier, and Rechberger reported a cryptanalytic attack against Salsa20/7 with a time complexity of 2, and they reported an attack against Salsa20/8 with an estimated time complexity of 2. This attack makes use of the new concept of probabilistic neutral key bits
1143:
family of ciphers, which aim to increase the diffusion per round while achieving the same or slightly better performance. The Aumasson et al. paper also attacks ChaCha, achieving one round fewer (for 256-bit ChaCha6 with complexity 2, ChaCha7 with complexity 2, and 128-bit ChaCha6 within 2) but
211:, and a 64-bit counter to a 512-bit block of the key stream (a Salsa version with a 128-bit key also exists). This gives Salsa20 and ChaCha the unusual advantage that the user can efficiently seek to any position in the key stream in constant time. Salsa20 offers speeds of around 4–14 1307:// Odd round QR(0, 4, 8, 12) // column 1 QR(1, 5, 9, 13) // column 2 QR(2, 6, 10, 14) // column 3 QR(3, 7, 11, 15) // column 4 // Even round QR(0, 5, 10, 15) // diagonal 1 (main diagonal) QR(1, 6, 11, 12) // diagonal 2 QR(2, 7, 8, 13) // diagonal 3 QR(3, 4, 9, 14) // diagonal 4 1240:
implementation optimization discovered for Salsa20. Rather than alternating rounds down columns and across rows, they are performed down columns and along diagonals. Like Salsa20, ChaCha arranges the sixteen 32-bit words in a 4×4 matrix. If we index the matrix elements from 0 to 15
417:// Odd round QR( 0, 4, 8, 12) // column 1 QR( 5, 9, 13, 1) // column 2 QR(10, 14, 2, 6) // column 3 QR(15, 3, 7, 11) // column 4 // Even round QR( 0, 1, 2, 3) // row 1 QR( 5, 6, 7, 4) // row 2 QR(10, 11, 8, 9) // row 3 QR(15, 12, 13, 14) // row 4 2150:
Since the majority of the work consists of performing the repeated rounds, the number of rounds is inversely proportional to the performance. That is, halving the number of rounds roughly doubles the performance. Reduced-round variants are thus appreciably
966:
of the output as the key for standard Salsa20 using the last 64 bits of the nonce and the stream position. Specifically, the 256 bits of output used are those corresponding to the non-secret portions of the input: indexes 0, 5, 10, 15, 6, 7, 8 and 9.
941:. In other words, applying the reverse operations would produce the original 4×4 matrix, including the key. Adding the mixed array to the original makes it impossible to recover the input. (This same technique is widely used in hash functions from 3180:
Pfau, Johannes; Reuter, Maximilian; Harbaum, Tanja; Hofmann, Klaus; Becker, Jurgen (September 2019). "A Hardware Perspective on the ChaCha Ciphers: Scalable Chacha8/12/20 Implementations Ranging from 476 Slices to Bitrates of 175 Gbit/s".
1005:
announced a cryptanalysis of Salsa20 which breaks 8 out of 20 rounds to recover the 256-bit secret key in 2 operations, using 2 keystream pairs. However, this attack does not seem to be competitive with the brute force attack.
993:
In 2005, Paul Crowley reported an attack on Salsa20/5 with an estimated time complexity of 2 and won Bernstein's US$ 1000 prize for "most interesting Salsa20 cryptanalysis". This attack and all subsequent attacks are based on
184:
European Union cryptographic validation process by Bernstein. ChaCha is a modification of Salsa20 published in 2008. It uses a new round function that increases diffusion and increases performance on some architectures.
4105: 998:. In 2006, Fischer, Meier, Berbain, Biasse, and Robshaw reported an attack on Salsa20/6 with estimated time complexity of 2, and a related-key attack on Salsa20/7 with estimated time complexity of 2. 414:
to each of the four columns in the 4×4 matrix, and even-numbered rounds apply it to each of the four rows. Two consecutive rounds (column-round and row-round) together are called a double-round:
1854:, yielding a 2.5× speedup. A compromise ChaCha12 (based on the eSTREAM recommendation of a 12-round Salsa) also sees some use. The eSTREAM benchmarking suite includes ChaCha8 and ChaCha12. 1147:
Like Salsa20, ChaCha's initial state includes a 128-bit constant, a 256-bit key, a 64-bit counter, and a 64-bit nonce (in the original version; as described later, a version of ChaCha from
4052: 3882: 937:
In the last line, the mixed array is added, word by word, to the original array to obtain its 64-byte key stream block. This is important because the mixing rounds on their own are
1829:, and its faster successors BLAKE2 and BLAKE3. It also defines a variant using sixteen 64-bit words (1024 bits of state), with correspondingly adjusted rotation constants. 1020:. (Specifically, it has no differential characteristic with higher probability than 2, so differential cryptanalysis would be more difficult than 128-bit key exhaustion.) 4115: 3735: 3353: 1013:
In 2012, the attack by Aumasson et al. was improved by Shi et al. against Salsa20/7 (128-bit key) to a time complexity of 2 and Salsa20/8 (256-bit key) to 2.
982:
The eSTREAM committee recommends the use of Salsa20/12, the 12-round variant, for "combining very good performance with a comfortable margin of security."
3598: 3071: 3259:
Changes from regular ChaCha. The nonce: block sequence number split was changed from 64:64 to 96:32 The ChaCha20 state is initialized as follows:
1228:
a += b; d ^= a; d <<<= 16; c += d; b ^= c; b <<<= 12; a += b; d ^= a; d <<<= 8; c += d; b ^= c; b <<<= 7;
3017: 2473:
Progress in Cryptology - INDOCRYPT 2006: 7th International Conference on Cryptology in India, Kolkata, India, December 11-13, 2006, Proceeding
3200: 2840: 2553: 2498: 995: 990:
As of 2015, there are no published attacks on Salsa20/12 or the full Salsa20/20; the best attack known breaks 8 of the 12 or 20 rounds.
396:
The constant words spell "expand 32-byte k" in ASCII (i.e. the 4 words are "expa", "nd 3", "2-by", and "te k"). This is an example of a
1948:
subroutine of the kernel. Starting from version 4.8, the Linux kernel uses the ChaCha20 algorithm to generate data for the nonblocking
3145: 3728: 3660: 3346: 1850:
Aumasson argues in 2020 that 8 rounds of ChaCha (ChaCha8) probably provides enough resistance to future cryptanalysis for the same
979:
Profile 2 because eSTREAM felt that it was probably not a good candidate for extremely resource-constrained hardware environments.
1155:
is slightly different), arranged as a 4×4 matrix of 32-bit words. But ChaCha re-arranges some of the words in the initial state:
2612: 2536:
Zhenqing Shi; Bin Zhang; Dengguo Feng; Wenling Wu (2012). "Improved Key Recovery Attacks on Reduced-Round Salsa20 and ChaCha".
3931: 3655: 3645: 1826: 2865: 2630:
two of these constants are multiples of 8; this allows for a 1 instruction rotation in Core2 and later Intel CPUs using the
1878: 1010:
for probabilistic detection of a truncated differential. The attack can be adapted to break Salsa20/7 with a 128-bit key.
2739: 3721: 3339: 1960: 407:
b ^= (a + d) <<< 7; c ^= (b + a) <<< 9; d ^= (c + b) <<< 13; a ^= (d + c) <<< 18;
159:
2008 cryptanalysis breaks 8 out of 20 rounds to recover the 256-bit secret key in 2 operations, using 2 keystream pairs.
4110: 4047: 4002: 3815: 397: 239:
2 ⊞, and constant-distance rotation operations <<< on an internal state of sixteen 32-bit words. Using only
3926: 3629: 3488: 1017: 4042: 1237: 1975:-based CPUs. Specialized hardware accelerators for ChaCha20 are also less complex compared to AES accelerators. 4032: 4022: 3877: 3624: 3102: 1882: 1874: 1837:
Although not announced by Bernstein, the security proof of XSalsa20 extends straightforwardly to an analogous
4100: 4027: 4017: 3820: 3780: 3773: 3763: 3758: 1904:
Shortly after Google's adoption for TLS, both the ChaCha20 and Poly1305 algorithms were also used for a new
3768: 2476: 1967:
for x86 processors). As a result, ChaCha20 is sometimes preferred over AES in certain use cases involving
1035: 247:
in software implementations. The internal state is made of sixteen 32-bit words arranged as a 4×4 matrix.
4075: 3921: 3867: 3696: 3670: 3523: 2218:
Jean-Philippe Aumasson; Simon Fischer; Shahram Khazaei; Willi Meier; Christian Rechberger (2008-03-14).
2081: 1822: 189: 219:
processors, and reasonable hardware performance. It is not patented, and Bernstein has written several
4037: 3961: 3691: 2886: 1116: 129: 2704:"rand_chacha: consider ChaCha12 (or possibly ChaCha8) over ChaCha20 · Issue #932 · rust-random/rand" 2481: 1221:
The constant is the same as Salsa20 ("expand 32-byte k"). ChaCha replaces the Salsa20 quarter-round
3800: 3619: 3025: 2247: 1964: 1054: 208: 177: 56: 3245: 2954:
Legacy arc4random(3) API from OpenBSD reimplemented using the ChaCha20 PRF, with per-thread state.
1016:
In 2013, Mouha and Preneel published a proof that 15 rounds of Salsa20 was 128-bit secure against
961:
In 2008, Bernstein proposed a variant of Salsa20 with 192-bit nonces called XSalsa20. XSalsa20 is
3906: 3890: 3837: 3686: 236: 3966: 3956: 3827: 3196: 2815: 2549: 2494: 2130: 1886: 2790: 2514:
Yukiyasu Tsunoo; Teruo Saito; Hiroyasu Kubo; Tomoyasu Suzaki; Hiroki Nakashima (2007-01-02).
3901: 3468: 3318: 3188: 2541: 2486: 2108: 2097: 2089: 2007: 1991: 1972: 1148: 1310:
ChaCha20 uses 10 iterations of the double round. An implementation in C/C++ appears below.
3588: 3583: 3558: 3432: 3098: 2721: 1130: 962: 212: 143: 2662: 2515: 1963:(AES) algorithm on systems where the CPU does not feature AES acceleration (such as the 3976: 3896: 3857: 3805: 3790: 3650: 3503: 3458: 3151: 2124: 1851: 3192: 3182: 3072:"Merge tag 'random_for_linus' of git.kernel.org/pub/scm/linux/kernel/git/tytso/random" 2898:
Replace the RC4 algorithm for generating in-kernel secure random numbers with Chacha20
2571:"Towards Finding Optimal Differential Characteristics for ARX: Application to Salsa20" 4094: 4057: 4012: 3971: 3951: 3847: 3810: 3785: 3603: 3563: 3543: 3533: 3498: 3362: 3319:
Implementation and Didactical Visualization of the ChaCha Cipher Family in CrypTool 2
2663:"XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305 (Expired Internet-Draft)" 1968: 1941: 244: 220: 173: 152: 2911: 2618: 2417: 2175: 37: 4007: 3852: 3842: 3832: 3795: 3744: 2468: 2434: 2403: 2384: 1978:
ChaCha20-Poly1305 (IETF version; see below) is the exclusive algorithm used by the
240: 232: 197: 193: 3303: 2360: 180:. Salsa20, the original cipher, was designed in 2005, then later submitted to the 3166: 2966: 2939: 2703: 2545: 974:
Salsa20/12 has been selected as a Phase 3 design for Profile 1 (software) by the
3986: 3538: 3396: 3313: 2765: 2112: 2101: 2093: 2011: 1995: 1906: 1152: 2996: 2333: 2305: 2006:). For applications where this is not enough, such as file or disk encryption, 3946: 3916: 3911: 3872: 3665: 2251: 2115:. RFC 8439 merges in some errata and adds additional security considerations. 1913:. Subsequently, this made it possible for OpenSSH to avoid any dependency on 3936: 3578: 3508: 3442: 2647: 2453: 1979: 3981: 3941: 3391: 3106: 2844: 2003: 1866: 1090: 204: 103: 2681: 17: 3411: 2570: 2540:. Lecture Notes in Computer Science. Vol. 7839. pp. 337–351. 2490: 2388: 2219: 1929: 1925: 1914: 1910: 975: 201: 181: 90: 3216: 2290: 2197: 1842:
ChaCha (with the last 64 bits of nonce and 64 bits of block counter).
3862: 3528: 3493: 3463: 3427: 1953: 1945: 1933: 1898: 1862: 1040:
The ChaCha quarter-round function. Four parallel copies make a round.
318:), two words of nonce (essentially additional stream position bits) ( 3287: 2841:"OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein" 2475:. Lecture Notes in Computer Science. Vol. 4329. pp. 2–16. 42:
The Salsa quarter-round function. Four parallel copies make a round.
3297: 3047: 1959:
ChaCha20 usually offers better performance than the more prevalent
953:
than Salsa20, though with a correspondingly lower security margin.
3573: 3127: 2471:(2006). "Non-randomness in eSTREAM Candidates Salsa20 and TSC-4". 2085: 1315:#define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) 946: 431:#define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) 3593: 3568: 3518: 3513: 3381: 3376: 3282: 2467:
Simon Fischer; Willi Meier; Côme Berbain; Jean-François Biasse;
2454:"Truncated differential cryptanalysis of five rounds of Salsa20" 2276: 1999: 1894: 1890: 1870: 3717: 3335: 3308: 2597: 1990:
An implementation reference for ChaCha20 has been published in
196:(ARX) operations — 32-bit addition, bitwise addition (XOR) and 3553: 3548: 3401: 3291: 1937: 942: 404:
that takes a four-word input and produces a four-word output:
216: 3184:
2019 32nd IEEE International System-on-Chip Conference (SOCC)
3128:"Secure Randomness in Go 1.22 - The Go Programming Language" 3086:
random: replace non-blocking pool with a Chacha20-based CRNG
2740:"Do the ChaCha: better mobile performance with cryptography" 2839:
Murenin, Constantine A. (2013-12-11). Unknown Lamer (ed.).
2820:
Super User's BSD Cross Reference: PROTOCOL.chacha20poly1305
2133:– an AEAD scheme combining ChaCha20 with the Poly1305 MAC 2014:
proposes using the original algorithm with 64-bit nonce.
1885:
construction combining both algorithms, which is called
4106:
Cryptographically secure pseudorandom number generators
2864:
Murenin, Constantine A. (2014-04-30). Soulskill (ed.).
1144:
claims that the attack fails to break 128-bit ChaCha7.
3883:
Cryptographically secure pseudorandom number generator
2418:"eSTREAM: Short Report on the End of the Second Phase" 3146:"What's the appeal of using ChaCha20 instead of AES?" 400:. The core operation in Salsa20 is the quarter-round 3323: 2648:"ChaCha20 and Poly1305 for IETF Protocols: RFC 7539" 2096:. Standardization of its use in TLS is published in 1949: 310:
The initial state is made up of eight words of key (
223:
implementations optimized for common architectures.
3995: 3751: 3679: 3638: 3612: 3481: 3451: 3420: 3410: 3369: 1125: 1115: 1107: 1099: 1089: 1084: 1076: 1068: 1060: 1050: 1045: 150: 138: 128: 120: 112: 102: 97: 86: 78: 70: 62: 52: 47: 2614:Faster ChaCha implementations for Intel processors 2578:International Association for Cryptologic Research 2227:International Association for Cryptologic Research 2926:ChaCha based random number generator for OpenBSD. 1139:In 2008, Bernstein published the closely related 2538:Information Security and Cryptology – ICISC 2012 2334:"Extending the Salsa20 nonce (original version)" 1952:device. ChaCha8 is used for the default PRNG in 231:Internally, the cipher uses bitwise addition ⊕ ( 3103:"/dev/random Seeing Improvements For Linux 4.8" 2971:Super User's BSD Cross Reference: subr_csprng.c 2938:riastradh (Taylor Campbell), ed. (2016-03-25). 2306:"Extending the Salsa20 nonce (updated in 2011)" 2277:"Snuffle 2005: the Salsa20 encryption function" 2127:– an add-rotate-xor cipher developed by the NSA 2944:Super User's BSD Cross Reference: arc4random.c 2916:Super User's BSD Cross Reference: arc4random.c 2910:guenther (Philip Guenther), ed. (2015-09-13). 2591: 2589: 2587: 3729: 3347: 3283:Snuffle 2005: the Salsa20 encryption function 2698: 2696: 2169: 2167: 1865:had selected ChaCha20 along with Bernstein's 8: 3167:"AES-NI SSL Performance Study @ Calomel.org" 2866:"OpenSSH No Longer Has To Depend On OpenSSL" 1889:. ChaCha20 and Poly1305 are now used in the 1028: 30: 3736: 3722: 3714: 3417: 3354: 3340: 3332: 3328: 3324: 3246:"ChaCha20 and Poly1305 for IETF protocols" 2764:Thomson, Martin; Turner, Sean (May 2021). 1873:, which was intended as a replacement for 420:An implementation in C/C++ appears below. 2516:"Differential Cryptanalysis of Salsa20/8" 2480: 1936:operating systems, instead of the broken 3240: 3238: 2435:"Salsa20/12, The eSTREAM portfolio page" 2242: 2240: 2238: 2236: 2016: 1243: 1157: 328: 249: 4116:Public-domain software with source code 2213: 2211: 2209: 2207: 2163: 2143: 1438:// 10 loops × 2 rounds/loop = 20 rounds 554:// 10 loops × 2 rounds/loop = 20 rounds 2661:Arciszewski, Scott (10 January 2020). 2176:"The Salsa20 family of stream ciphers" 1982:VPN system, as of protocol version 1. 1881:. In the process, they proposed a new 1318:#define QR(a, b, c, d) ( \ 1027: 29: 2598:"The ChaCha family of stream ciphers" 2385:"The eSTREAM Project: End of Phase 2" 2018:Initial state of ChaCha20 (RFC 7539) 200:operations. The core function maps a 7: 996:truncated differential cryptanalysis 3386: 3309:The ChaCha family of stream ciphers 2107:In 2018, RFC 7539 was obsoleted by 2596:Daniel J. Bernstein (2008-04-25). 2569:Nicky Mouha; Bart Preneel (2013). 2275:Daniel J. Bernstein (2013-05-16). 2198:"Salsa 20 speed; Salsa20 software" 2196:Daniel J. Bernstein (2013-05-16). 2174:Daniel J. Bernstein (2007-12-24). 1327:a += b, d ^= a, d = ROTL(d, 8), \ 1324:c += d, b ^= c, b = ROTL(b, 12), \ 1321:a += b, d ^= a, d = ROTL(d, 16), \ 1304:then a double round in ChaCha is: 25: 3193:10.1109/SOCC46988.2019.1570548289 2404:"eSTREAM PHASE 3: End of Phase 1" 314:), two words of stream position ( 4071: 4070: 2789:Bishop, Mike (2 February 2021). 2680:Aumasson, Jean-Philippe (2020). 1330:c += d, b ^= c, b = ROTL(b, 7)) 1034: 368: 363: 36: 2997:"ChaCha Usage & Deployment" 2816:"ssh/PROTOCOL.chacha20poly1305" 2646:Y. Nir; A. Langley (May 2015). 1956:. Rust's CSPRNG uses ChaCha12. 1869:message authentication code in 3932:Information-theoretic security 3314:Salsa20 Usage & Deployment 3126:Cox, Russ; Valsorda, Filippo. 2689:. Real World Crypto Symposium. 2220:"New Features of Latin Dances" 1920:ChaCha20 is also used for the 1827:NIST hash function competition 1: 2814:Miller, Damien (2016-05-03). 1917:, via a compile-time option. 1654:// diagonal 1 (main diagonal) 3646:block ciphers in stream mode 3304:The eSTREAM Project: Salsa20 3024:. 2014-11-16. Archived from 2611:Neves, Samuel (2009-10-07), 2546:10.1007/978-3-642-37682-5_24 2253:ChaCha, a variant of Salsa20 1961:Advanced Encryption Standard 970:eSTREAM selection of Salsa20 188:Both ciphers are built on a 4048:Message authentication code 4003:Cryptographic hash function 3816:Cryptographic hash function 3217:"Protocol and Cryptography" 2452:Paul Crowley (2006-02-09). 1924:random number generator in 1821:ChaCha is the basis of the 957:XSalsa20 with 192-bit nonce 398:nothing-up-my-sleeve number 4132: 3927:Harvest now, decrypt later 3630:alternating step generator 1018:differential cryptanalysis 434:#define QR(a, b, c, d)( \ 410:Odd-numbered rounds apply 243:avoids the possibility of 4066: 4043:Post-quantum cryptography 3713: 3331: 3327: 2912:"libc/crypt/arc4random.c" 2402:Hongjun Wu (2007-03-30). 2291:"Salsa20: Software speed" 2088:has been standardized in 1893:protocol, which replaces 1033: 330:Initial state of Salsa20 322:), and four fixed words ( 241:add-rotate-xor operations 158: 35: 4033:Quantum key distribution 4023:Authenticated encryption 3878:Random number generation 3625:self-shrinking generator 3298:Salsa20/8 and Salsa20/12 3076:Linux kernel source tree 3048:"Replacing /dev/urandom" 1883:authenticated encryption 1312: 1159:Initial state of ChaCha 986:Cryptanalysis of Salsa20 422: 168:and the closely related 4028:Public-key cryptography 4018:Symmetric-key algorithm 3821:Key derivation function 3781:Cryptographic primitive 3774:Authentication protocol 3764:Outline of cryptography 3759:History of cryptography 2940:"libc/gen/arc4random.c" 2791:"draft: IETF QUIC HTTP" 3769:Cryptographic protocol 2423:. eSTREAM. 2007-03-26. 1133:on an Intel Core 2 Duo 443:d ^= ROTL(c + b,13), \ 440:c ^= ROTL(b + a, 9), \ 437:b ^= ROTL(a + d, 7), \ 215:in software on modern 146:on an Intel Core 2 Duo 3922:End-to-end encryption 3868:Cryptojacking malware 3697:stream cipher attacks 3288:Salsa20 specification 2332:Daniel J. Bernstein. 2304:Daniel J. Bernstein. 190:pseudorandom function 4038:Quantum cryptography 3962:Trusted timestamping 3692:correlation immunity 3223:. Jason A. Donenfeld 3187:. pp. 294–299. 2983:chacha_encrypt_bytes 2967:"kern/subr_csprng.c" 2795:datatracker.ietf.org 2770:datatracker.ietf.org 1846:Reduced-round ChaCha 1825:, a finalist in the 446:a ^= ROTL(d + c,18)) 66:2007 (designed 2005) 3801:Cryptographic nonce 3620:shrinking generator 3370:Widely used ciphers 3270:Header of RFC 7539. 3022:NetBSD Manual Pages 2744:The Cloudflare Blog 2726:Cryptography Primer 2250:(28 January 2008), 2080:Use of ChaCha20 in 2019: 1971:, which mostly use 1965:AES instruction set 1823:BLAKE hash function 1160: 1055:Daniel J. Bernstein 1030: 331: 235:), 32-bit addition 178:Daniel J. Bernstein 57:Daniel J. Bernstein 32: 4111:Internet Standards 3907:Subliminal channel 3891:Pseudorandom noise 3838:Key (cryptography) 3687:correlation attack 3046:Corbet, Jonathan. 2491:10.1007/11941378_2 2017: 1986:Internet standards 1158: 329: 4088: 4087: 4084: 4083: 3967:Key-based routing 3957:Trapdoor function 3828:Digital signature 3709: 3708: 3705: 3704: 3477: 3476: 3202:978-1-7281-3483-3 3052:Linux Weekly News 2887:"Revision 317015" 2555:978-3-642-37681-8 2500:978-3-540-49767-7 2439:www.ecrypt.eu.org 2248:Bernstein, Daniel 2131:ChaCha20-Poly1305 2078: 2077: 1887:ChaCha20-Poly1305 1858:ChaCha20 adoption 1333:#define ROUNDS 20 1302: 1301: 1219: 1218: 1137: 1136: 449:#define ROUNDS 20 394: 393: 308: 307: 163: 162: 16:(Redirected from 4123: 4074: 4073: 3902:Insecure channel 3738: 3731: 3724: 3715: 3418: 3356: 3349: 3342: 3333: 3329: 3325: 3271: 3268: 3262: 3261: 3256: 3255: 3250: 3242: 3233: 3232: 3230: 3228: 3213: 3207: 3206: 3177: 3171: 3170: 3163: 3157: 3156: 3142: 3136: 3135: 3123: 3117: 3116: 3114: 3113: 3095: 3089: 3088: 3083: 3082: 3068: 3062: 3061: 3059: 3058: 3043: 3037: 3036: 3034: 3033: 3014: 3008: 3007: 3005: 3004: 2993: 2987: 2986: 2984: 2979: 2978: 2963: 2957: 2956: 2951: 2950: 2935: 2929: 2928: 2923: 2922: 2907: 2901: 2900: 2895: 2894: 2883: 2877: 2876: 2874: 2873: 2861: 2855: 2854: 2852: 2851: 2836: 2830: 2829: 2827: 2826: 2811: 2805: 2804: 2802: 2801: 2786: 2780: 2779: 2777: 2776: 2761: 2755: 2754: 2752: 2751: 2736: 2730: 2729: 2718: 2712: 2711: 2700: 2691: 2690: 2688: 2677: 2671: 2670: 2667:Ietf Datatracker 2658: 2652: 2651: 2643: 2637: 2636: 2627: 2626: 2617:, archived from 2608: 2602: 2601: 2593: 2582: 2581: 2575: 2566: 2560: 2559: 2533: 2527: 2526: 2520: 2511: 2505: 2504: 2484: 2469:M. J. B. Robshaw 2464: 2458: 2457: 2449: 2443: 2442: 2431: 2425: 2424: 2422: 2414: 2408: 2407: 2399: 2393: 2392: 2381: 2375: 2374: 2372: 2371: 2357: 2351: 2350: 2348: 2347: 2338: 2329: 2323: 2322: 2320: 2319: 2310: 2301: 2295: 2294: 2287: 2281: 2280: 2272: 2266: 2265: 2264: 2263: 2258: 2244: 2231: 2230: 2224: 2215: 2202: 2201: 2193: 2187: 2186: 2180: 2171: 2152: 2148: 2020: 1923: 1908: 1817: 1814: 1811: 1808: 1805: 1802: 1799: 1796: 1793: 1790: 1787: 1784: 1781: 1778: 1775: 1772: 1769: 1766: 1763: 1760: 1757: 1754: 1751: 1748: 1745: 1742: 1739: 1736: 1733: 1730: 1727: 1724: 1721: 1718: 1715: 1712: 1709: 1706: 1703: 1700: 1697: 1694: 1691: 1688: 1685: 1682: 1679: 1676: 1673: 1670: 1667: 1664: 1661: 1658: 1655: 1652: 1649: 1646: 1643: 1640: 1637: 1634: 1631: 1628: 1625: 1622: 1619: 1616: 1613: 1610: 1607: 1604: 1601: 1598: 1595: 1592: 1589: 1586: 1583: 1580: 1577: 1574: 1571: 1568: 1565: 1562: 1559: 1556: 1553: 1550: 1547: 1544: 1541: 1538: 1535: 1532: 1529: 1526: 1523: 1520: 1517: 1514: 1511: 1508: 1505: 1502: 1499: 1496: 1493: 1490: 1487: 1484: 1481: 1478: 1475: 1472: 1469: 1466: 1463: 1460: 1457: 1454: 1451: 1448: 1445: 1442: 1439: 1436: 1433: 1430: 1427: 1424: 1421: 1418: 1415: 1412: 1409: 1406: 1403: 1400: 1397: 1394: 1391: 1388: 1385: 1382: 1379: 1376: 1373: 1370: 1367: 1364: 1361: 1358: 1355: 1352: 1349: 1346: 1343: 1340: 1337: 1334: 1331: 1328: 1325: 1322: 1319: 1316: 1244: 1224: 1161: 1038: 1031: 1001:In 2007, Tsunoo 933: 930: 927: 924: 921: 918: 915: 912: 909: 906: 903: 900: 897: 894: 891: 888: 885: 882: 879: 876: 873: 870: 867: 864: 861: 858: 855: 852: 849: 846: 843: 840: 837: 834: 831: 828: 825: 822: 819: 816: 813: 810: 807: 804: 801: 798: 795: 792: 789: 786: 783: 780: 777: 774: 771: 768: 765: 762: 759: 756: 753: 750: 747: 744: 741: 738: 735: 732: 729: 726: 723: 720: 717: 714: 711: 708: 705: 702: 699: 696: 693: 690: 687: 684: 681: 678: 675: 672: 669: 666: 663: 660: 657: 654: 651: 648: 645: 642: 639: 636: 633: 630: 627: 624: 621: 618: 615: 612: 609: 606: 603: 600: 597: 594: 591: 588: 585: 582: 579: 576: 573: 570: 567: 564: 561: 558: 555: 552: 549: 546: 543: 540: 537: 534: 531: 528: 525: 522: 519: 516: 513: 510: 507: 504: 501: 498: 495: 492: 489: 486: 483: 480: 477: 474: 471: 468: 465: 462: 459: 456: 453: 450: 447: 444: 441: 438: 435: 432: 429: 428:<stdint.h> 426: 413: 403: 370: 365: 332: 325: 321: 317: 313: 250: 40: 33: 21: 4131: 4130: 4126: 4125: 4124: 4122: 4121: 4120: 4091: 4090: 4089: 4080: 4062: 3991: 3747: 3742: 3701: 3675: 3634: 3608: 3473: 3447: 3406: 3365: 3360: 3279: 3274: 3269: 3265: 3253: 3251: 3248: 3244: 3243: 3236: 3226: 3224: 3215: 3214: 3210: 3203: 3179: 3178: 3174: 3165: 3164: 3160: 3144: 3143: 3139: 3125: 3124: 3120: 3111: 3109: 3099:Michael Larabel 3097: 3096: 3092: 3080: 3078: 3070: 3069: 3065: 3056: 3054: 3045: 3044: 3040: 3031: 3029: 3018:"arc4random(3)" 3016: 3015: 3011: 3002: 3000: 2995: 2994: 2990: 2982: 2976: 2974: 2965: 2964: 2960: 2948: 2946: 2937: 2936: 2932: 2920: 2918: 2909: 2908: 2904: 2892: 2890: 2885: 2884: 2880: 2871: 2869: 2863: 2862: 2858: 2849: 2847: 2838: 2837: 2833: 2824: 2822: 2813: 2812: 2808: 2799: 2797: 2788: 2787: 2783: 2774: 2772: 2763: 2762: 2758: 2749: 2747: 2738: 2737: 2733: 2720: 2719: 2715: 2702: 2701: 2694: 2686: 2683:Too Much Crypto 2679: 2678: 2674: 2660: 2659: 2655: 2645: 2644: 2640: 2624: 2622: 2610: 2609: 2605: 2595: 2594: 2585: 2573: 2568: 2567: 2563: 2556: 2535: 2534: 2530: 2518: 2513: 2512: 2508: 2501: 2482:10.1.1.121.7248 2466: 2465: 2461: 2451: 2450: 2446: 2433: 2432: 2428: 2420: 2416: 2415: 2411: 2401: 2400: 2396: 2383: 2382: 2378: 2369: 2367: 2359: 2358: 2354: 2345: 2343: 2336: 2331: 2330: 2326: 2317: 2315: 2308: 2303: 2302: 2298: 2289: 2288: 2284: 2274: 2273: 2269: 2261: 2259: 2256: 2246: 2245: 2234: 2222: 2217: 2216: 2205: 2195: 2194: 2190: 2178: 2173: 2172: 2165: 2161: 2156: 2155: 2149: 2145: 2140: 2121: 1988: 1921: 1905: 1897:and is used by 1860: 1848: 1835: 1819: 1818: 1815: 1812: 1809: 1806: 1803: 1800: 1797: 1794: 1791: 1788: 1785: 1782: 1779: 1776: 1773: 1770: 1767: 1764: 1761: 1758: 1755: 1752: 1749: 1746: 1743: 1740: 1737: 1734: 1731: 1728: 1725: 1722: 1719: 1716: 1713: 1710: 1707: 1704: 1701: 1698: 1695: 1692: 1689: 1686: 1683: 1680: 1677: 1674: 1671: 1668: 1665: 1662: 1659: 1656: 1653: 1650: 1647: 1644: 1641: 1638: 1635: 1632: 1629: 1626: 1623: 1620: 1617: 1614: 1611: 1608: 1605: 1602: 1599: 1596: 1593: 1590: 1587: 1584: 1581: 1578: 1575: 1572: 1569: 1566: 1563: 1560: 1557: 1554: 1551: 1548: 1545: 1542: 1539: 1536: 1533: 1530: 1527: 1524: 1521: 1518: 1515: 1512: 1509: 1506: 1503: 1500: 1497: 1494: 1491: 1488: 1485: 1482: 1479: 1476: 1473: 1470: 1467: 1464: 1461: 1458: 1455: 1452: 1449: 1446: 1443: 1440: 1437: 1434: 1431: 1428: 1425: 1422: 1419: 1416: 1413: 1410: 1407: 1404: 1401: 1398: 1395: 1392: 1389: 1386: 1383: 1380: 1377: 1374: 1371: 1368: 1365: 1362: 1359: 1356: 1353: 1350: 1347: 1344: 1341: 1338: 1335: 1332: 1329: 1326: 1323: 1320: 1317: 1314: 1308: 1229: 1222: 1095:128 or 256 bits 1077:Related to 1061:First published 1041: 1026: 988: 972: 963:provably secure 959: 935: 934: 931: 928: 925: 922: 919: 916: 913: 910: 907: 904: 901: 898: 895: 892: 889: 886: 883: 880: 877: 874: 871: 868: 865: 862: 859: 856: 853: 850: 847: 844: 841: 838: 835: 832: 829: 826: 823: 820: 817: 814: 811: 808: 805: 802: 799: 796: 793: 790: 787: 784: 781: 778: 775: 772: 769: 766: 763: 760: 757: 754: 751: 748: 745: 742: 739: 736: 733: 730: 727: 724: 721: 718: 715: 712: 709: 706: 703: 700: 697: 694: 691: 688: 685: 682: 679: 676: 673: 670: 667: 664: 661: 658: 655: 652: 649: 646: 643: 640: 637: 634: 631: 628: 625: 622: 619: 616: 613: 610: 607: 604: 601: 598: 595: 592: 589: 586: 583: 580: 577: 574: 571: 568: 565: 562: 559: 556: 553: 550: 547: 544: 541: 538: 535: 532: 529: 526: 523: 520: 517: 514: 511: 508: 505: 502: 499: 496: 493: 490: 487: 484: 481: 478: 475: 472: 469: 466: 463: 460: 457: 454: 451: 448: 445: 442: 439: 436: 433: 430: 427: 424: 418: 411: 408: 401: 323: 319: 315: 311: 229: 213:cycles per byte 108:128 or 256 bits 79:Related to 63:First published 43: 28: 23: 22: 15: 12: 11: 5: 4129: 4127: 4119: 4118: 4113: 4108: 4103: 4101:Stream ciphers 4093: 4092: 4086: 4085: 4082: 4081: 4079: 4078: 4067: 4064: 4063: 4061: 4060: 4055: 4053:Random numbers 4050: 4045: 4040: 4035: 4030: 4025: 4020: 4015: 4010: 4005: 3999: 3997: 3993: 3992: 3990: 3989: 3984: 3979: 3977:Garlic routing 3974: 3969: 3964: 3959: 3954: 3949: 3944: 3939: 3934: 3929: 3924: 3919: 3914: 3909: 3904: 3899: 3897:Secure channel 3894: 3888: 3887: 3886: 3875: 3870: 3865: 3860: 3858:Key stretching 3855: 3850: 3845: 3840: 3835: 3830: 3825: 3824: 3823: 3818: 3808: 3806:Cryptovirology 3803: 3798: 3793: 3791:Cryptocurrency 3788: 3783: 3778: 3777: 3776: 3766: 3761: 3755: 3753: 3749: 3748: 3743: 3741: 3740: 3733: 3726: 3718: 3711: 3710: 3707: 3706: 3703: 3702: 3700: 3699: 3694: 3689: 3683: 3681: 3677: 3676: 3674: 3673: 3668: 3663: 3658: 3653: 3651:shift register 3648: 3642: 3640: 3636: 3635: 3633: 3632: 3627: 3622: 3616: 3614: 3610: 3609: 3607: 3606: 3601: 3596: 3591: 3586: 3581: 3576: 3571: 3566: 3561: 3556: 3551: 3546: 3541: 3536: 3531: 3526: 3521: 3516: 3511: 3506: 3501: 3496: 3491: 3485: 3483: 3479: 3478: 3475: 3474: 3472: 3471: 3466: 3461: 3455: 3453: 3449: 3448: 3446: 3445: 3440: 3435: 3430: 3424: 3422: 3415: 3408: 3407: 3405: 3404: 3399: 3394: 3389: 3384: 3379: 3373: 3371: 3367: 3366: 3363:Stream ciphers 3361: 3359: 3358: 3351: 3344: 3336: 3322: 3321: 3316: 3311: 3306: 3301: 3295: 3285: 3278: 3277:External links 3275: 3273: 3272: 3263: 3234: 3208: 3201: 3172: 3158: 3152:Stack Exchange 3137: 3118: 3101:(2016-07-25). 3090: 3063: 3038: 3009: 2988: 2958: 2930: 2902: 2878: 2856: 2831: 2806: 2781: 2756: 2731: 2713: 2692: 2672: 2653: 2638: 2603: 2583: 2561: 2554: 2528: 2506: 2499: 2459: 2444: 2426: 2409: 2394: 2376: 2352: 2324: 2296: 2282: 2267: 2232: 2203: 2188: 2162: 2160: 2157: 2154: 2153: 2142: 2141: 2139: 2136: 2135: 2134: 2128: 2120: 2117: 2076: 2075: 2072: 2069: 2066: 2062: 2061: 2058: 2055: 2052: 2048: 2047: 2044: 2041: 2038: 2034: 2033: 2030: 2027: 2024: 1987: 1984: 1969:mobile devices 1859: 1856: 1852:security level 1847: 1844: 1834: 1831: 1313: 1306: 1300: 1299: 1296: 1293: 1290: 1286: 1285: 1282: 1279: 1276: 1272: 1271: 1268: 1265: 1262: 1258: 1257: 1254: 1251: 1248: 1227: 1223:QR(a, b, c, d) 1217: 1216: 1213: 1210: 1207: 1203: 1202: 1199: 1196: 1193: 1189: 1188: 1185: 1182: 1179: 1175: 1174: 1171: 1168: 1165: 1135: 1134: 1127: 1123: 1122: 1119: 1113: 1112: 1109: 1105: 1104: 1101: 1097: 1096: 1093: 1087: 1086: 1082: 1081: 1078: 1074: 1073: 1070: 1066: 1065: 1062: 1058: 1057: 1052: 1048: 1047: 1043: 1042: 1039: 1025: 1024:ChaCha variant 1022: 987: 984: 971: 968: 958: 955: 423: 416: 412:QR(a, b, c, d) 406: 402:QR(a, b, c, d) 392: 391: 388: 385: 382: 378: 377: 374: 371: 366: 360: 359: 356: 353: 350: 346: 345: 342: 339: 336: 306: 305: 302: 299: 296: 292: 291: 288: 285: 282: 278: 277: 274: 271: 268: 264: 263: 260: 257: 254: 245:timing attacks 228: 225: 194:add–rotate–XOR 174:stream ciphers 161: 160: 156: 155: 148: 147: 140: 136: 135: 132: 126: 125: 122: 118: 117: 114: 110: 109: 106: 100: 99: 95: 94: 88: 84: 83: 80: 76: 75: 72: 68: 67: 64: 60: 59: 54: 50: 49: 45: 44: 41: 27:Stream ciphers 26: 24: 14: 13: 10: 9: 6: 4: 3: 2: 4128: 4117: 4114: 4112: 4109: 4107: 4104: 4102: 4099: 4098: 4096: 4077: 4069: 4068: 4065: 4059: 4058:Steganography 4056: 4054: 4051: 4049: 4046: 4044: 4041: 4039: 4036: 4034: 4031: 4029: 4026: 4024: 4021: 4019: 4016: 4014: 4013:Stream cipher 4011: 4009: 4006: 4004: 4001: 4000: 3998: 3994: 3988: 3985: 3983: 3980: 3978: 3975: 3973: 3972:Onion routing 3970: 3968: 3965: 3963: 3960: 3958: 3955: 3953: 3952:Shared secret 3950: 3948: 3945: 3943: 3940: 3938: 3935: 3933: 3930: 3928: 3925: 3923: 3920: 3918: 3915: 3913: 3910: 3908: 3905: 3903: 3900: 3898: 3895: 3892: 3889: 3884: 3881: 3880: 3879: 3876: 3874: 3871: 3869: 3866: 3864: 3861: 3859: 3856: 3854: 3851: 3849: 3848:Key generator 3846: 3844: 3841: 3839: 3836: 3834: 3831: 3829: 3826: 3822: 3819: 3817: 3814: 3813: 3812: 3811:Hash function 3809: 3807: 3804: 3802: 3799: 3797: 3794: 3792: 3789: 3787: 3786:Cryptanalysis 3784: 3782: 3779: 3775: 3772: 3771: 3770: 3767: 3765: 3762: 3760: 3757: 3756: 3754: 3750: 3746: 3739: 3734: 3732: 3727: 3725: 3720: 3719: 3716: 3712: 3698: 3695: 3693: 3690: 3688: 3685: 3684: 3682: 3678: 3672: 3669: 3667: 3664: 3662: 3659: 3657: 3654: 3652: 3649: 3647: 3644: 3643: 3641: 3637: 3631: 3628: 3626: 3623: 3621: 3618: 3617: 3615: 3611: 3605: 3602: 3600: 3597: 3595: 3592: 3590: 3587: 3585: 3582: 3580: 3577: 3575: 3572: 3570: 3567: 3565: 3562: 3560: 3557: 3555: 3552: 3550: 3547: 3545: 3542: 3540: 3537: 3535: 3532: 3530: 3527: 3525: 3522: 3520: 3517: 3515: 3512: 3510: 3507: 3505: 3502: 3500: 3497: 3495: 3492: 3490: 3487: 3486: 3484: 3482:Other ciphers 3480: 3470: 3467: 3465: 3462: 3460: 3457: 3456: 3454: 3450: 3444: 3441: 3439: 3436: 3434: 3431: 3429: 3426: 3425: 3423: 3419: 3416: 3413: 3409: 3403: 3400: 3398: 3395: 3393: 3390: 3388: 3385: 3383: 3380: 3378: 3375: 3374: 3372: 3368: 3364: 3357: 3352: 3350: 3345: 3343: 3338: 3337: 3334: 3330: 3326: 3320: 3317: 3315: 3312: 3310: 3307: 3305: 3302: 3299: 3296: 3293: 3289: 3286: 3284: 3281: 3280: 3276: 3267: 3264: 3260: 3247: 3241: 3239: 3235: 3222: 3218: 3212: 3209: 3204: 3198: 3194: 3190: 3186: 3185: 3176: 3173: 3168: 3162: 3159: 3155:. 2016-04-12. 3154: 3153: 3150:Cryptography 3147: 3141: 3138: 3133: 3129: 3122: 3119: 3108: 3104: 3100: 3094: 3091: 3087: 3077: 3073: 3067: 3064: 3053: 3049: 3042: 3039: 3028:on 2020-07-06 3027: 3023: 3019: 3013: 3010: 2998: 2992: 2989: 2985: 2972: 2968: 2962: 2959: 2955: 2945: 2941: 2934: 2931: 2927: 2917: 2913: 2906: 2903: 2899: 2888: 2882: 2879: 2867: 2860: 2857: 2846: 2842: 2835: 2832: 2821: 2817: 2810: 2807: 2796: 2792: 2785: 2782: 2771: 2767: 2760: 2757: 2745: 2741: 2735: 2732: 2727: 2723: 2717: 2714: 2709: 2705: 2699: 2697: 2693: 2685: 2684: 2676: 2673: 2668: 2664: 2657: 2654: 2649: 2642: 2639: 2635: 2633: 2621:on 2017-03-28 2620: 2616: 2615: 2607: 2604: 2599: 2592: 2590: 2588: 2584: 2579: 2572: 2565: 2562: 2557: 2551: 2547: 2543: 2539: 2532: 2529: 2524: 2517: 2510: 2507: 2502: 2496: 2492: 2488: 2483: 2478: 2474: 2470: 2463: 2460: 2455: 2448: 2445: 2440: 2436: 2430: 2427: 2419: 2413: 2410: 2405: 2398: 2395: 2391:. 2008-04-29. 2390: 2386: 2380: 2377: 2366: 2362: 2356: 2353: 2342: 2335: 2328: 2325: 2314: 2307: 2300: 2297: 2293:. 2007-05-11. 2292: 2286: 2283: 2278: 2271: 2268: 2255: 2254: 2249: 2243: 2241: 2239: 2237: 2233: 2228: 2221: 2214: 2212: 2210: 2208: 2204: 2199: 2192: 2189: 2184: 2177: 2170: 2168: 2164: 2158: 2147: 2144: 2137: 2132: 2129: 2126: 2123: 2122: 2118: 2116: 2114: 2110: 2105: 2103: 2099: 2095: 2091: 2087: 2083: 2073: 2070: 2067: 2064: 2063: 2059: 2056: 2053: 2050: 2049: 2045: 2042: 2039: 2036: 2035: 2031: 2028: 2025: 2022: 2021: 2015: 2013: 2009: 2005: 2001: 1997: 1993: 1985: 1983: 1981: 1976: 1974: 1970: 1966: 1962: 1957: 1955: 1951: 1947: 1943: 1942:DragonFly BSD 1939: 1935: 1931: 1927: 1918: 1916: 1912: 1907: 1902: 1900: 1896: 1892: 1888: 1884: 1880: 1876: 1872: 1868: 1864: 1857: 1855: 1853: 1845: 1843: 1840: 1832: 1830: 1828: 1824: 1753:// diagonal 4 1720:// diagonal 3 1687:// diagonal 2 1621:// Even round 1311: 1305: 1297: 1294: 1291: 1288: 1287: 1283: 1280: 1277: 1274: 1273: 1269: 1266: 1263: 1260: 1259: 1255: 1252: 1249: 1246: 1245: 1242: 1239: 1233: 1232:output bits. 1226: 1214: 1211: 1208: 1205: 1204: 1200: 1197: 1194: 1191: 1190: 1186: 1183: 1180: 1177: 1176: 1172: 1169: 1166: 1163: 1162: 1156: 1154: 1150: 1145: 1142: 1132: 1128: 1124: 1120: 1118: 1114: 1110: 1106: 1102: 1098: 1094: 1092: 1088: 1085:Cipher detail 1083: 1079: 1075: 1071: 1067: 1063: 1059: 1056: 1053: 1049: 1044: 1037: 1032: 1023: 1021: 1019: 1014: 1011: 1007: 1004: 999: 997: 991: 985: 983: 980: 977: 969: 967: 964: 956: 954: 950: 948: 944: 940: 737:// Even round 455:salsa20_block 421: 415: 405: 399: 389: 386: 383: 380: 379: 375: 372: 367: 362: 361: 357: 354: 351: 348: 347: 343: 340: 337: 334: 333: 327: 303: 300: 297: 294: 293: 289: 286: 283: 280: 279: 275: 272: 269: 266: 265: 261: 258: 255: 252: 251: 248: 246: 242: 238: 234: 226: 224: 222: 221:public domain 218: 214: 210: 206: 203: 199: 195: 191: 186: 183: 179: 176:developed by 175: 171: 167: 157: 154: 153:cryptanalysis 149: 145: 141: 137: 133: 131: 127: 123: 119: 115: 111: 107: 105: 101: 98:Cipher detail 96: 92: 89: 87:Certification 85: 81: 77: 73: 69: 65: 61: 58: 55: 51: 46: 39: 34: 19: 4008:Block cipher 3853:Key schedule 3843:Key exchange 3833:Kleptography 3796:Cryptosystem 3745:Cryptography 3437: 3266: 3258: 3252:. Retrieved 3225:. Retrieved 3220: 3211: 3183: 3175: 3161: 3149: 3140: 3131: 3121: 3110:. Retrieved 3093: 3085: 3079:. Retrieved 3075: 3066: 3055:. Retrieved 3051: 3041: 3030:. Retrieved 3026:the original 3021: 3012: 3001:. Retrieved 2999:. 2016-09-07 2991: 2981: 2975:. Retrieved 2973:. 2015-11-04 2970: 2961: 2953: 2947:. Retrieved 2943: 2933: 2925: 2919:. Retrieved 2915: 2905: 2897: 2891:. Retrieved 2889:. 2017-04-16 2881: 2870:. Retrieved 2859: 2848:. Retrieved 2834: 2823:. Retrieved 2819: 2809: 2798:. Retrieved 2794: 2784: 2773:. Retrieved 2769: 2759: 2748:. Retrieved 2746:. 2015-02-23 2743: 2734: 2725: 2716: 2707: 2682: 2675: 2666: 2656: 2641: 2631: 2629: 2623:, retrieved 2619:the original 2613: 2606: 2577: 2564: 2537: 2531: 2522: 2509: 2472: 2462: 2447: 2438: 2429: 2412: 2397: 2379: 2368:. Retrieved 2364: 2361:"Salsa20/12" 2355: 2344:. Retrieved 2340: 2327: 2316:. Retrieved 2312: 2299: 2285: 2270: 2260:, retrieved 2252: 2226: 2191: 2182: 2146: 2106: 2079: 1989: 1977: 1958: 1950:/dev/urandom 1919: 1903: 1861: 1849: 1838: 1836: 1820: 1486:// Odd round 1339:chacha_block 1309: 1303: 1234: 1230: 1220: 1146: 1140: 1138: 1069:Derived from 1015: 1012: 1008: 1002: 1000: 992: 989: 981: 973: 960: 951: 938: 936: 602:// Odd round 419: 409: 395: 309: 233:exclusive OR 230: 187: 169: 165: 164: 151:Best public 3996:Mathematics 3987:Mix network 2634:instruction 1618:// column 4 1585:// column 3 1552:// column 2 1519:// column 1 734:// column 4 701:// column 3 668:// column 2 635:// column 1 207:, a 64-bit 4095:Categories 3947:Ciphertext 3917:Decryption 3912:Encryption 3873:Ransomware 3666:T-function 3613:Generators 3489:Achterbahn 3254:2017-08-07 3112:2016-10-03 3081:2016-09-20 3057:2016-09-20 3032:2016-09-07 3003:2016-09-07 2977:2016-09-07 2949:2016-09-07 2921:2016-09-07 2893:2018-03-16 2872:2016-09-07 2868:. Slashdot 2850:2016-09-07 2825:2016-09-07 2800:2021-07-13 2775:2021-07-13 2766:"RFC 9001" 2750:2021-07-13 2625:2016-09-07 2406:. eSTREAM. 2370:2017-08-22 2346:2022-08-18 2318:2022-08-18 2262:2018-06-03 2159:References 1922:arc4random 1909:cipher in 1236:efficient 1100:State size 939:invertible 113:State size 71:Successors 3937:Plaintext 3579:SOBER-128 3509:KCipher-2 3443:SOSEMANUK 3414:Portfolio 3221:WireGuard 2477:CiteSeerX 2365:ECRYPT II 1980:WireGuard 1940:, and in 1108:Structure 1091:Key sizes 1051:Designers 227:Structure 192:based on 121:Structure 104:Key sizes 93:portfolio 53:Designers 4076:Category 3982:Kademlia 3942:Codetext 3885:(CSPRNG) 3452:Hardware 3421:Software 3392:Crypto-1 3107:Phoronix 2845:Slashdot 2722:"ChaCha" 2341:cr.yp.to 2313:cr.yp.to 2183:cr.yp.to 2119:See also 2065:Counter 1944:for the 1867:Poly1305 1378:uint32_t 1354:uint32_t 1345:uint32_t 1209:Counter 1206:Counter 1103:512 bits 945:through 869:// row 4 836:// row 3 803:// row 2 770:// row 1 494:uint32_t 470:uint32_t 461:uint32_t 425:#include 198:rotation 116:512 bits 18:ChaCha20 3752:General 3680:Attacks 3469:Trivium 3438:Salsa20 3412:eSTREAM 2389:eSTREAM 2151:faster. 2032:"te k" 2029:"2-by" 2026:"nd 3" 2023:"expa" 1930:OpenBSD 1926:FreeBSD 1915:OpenSSL 1911:OpenSSH 1839:XChaCha 1833:XChaCha 1173:"te k" 1170:"2-by" 1167:"nd 3" 1164:"expa" 1080:Rumba20 1072:Salsa20 1046:General 976:eSTREAM 390:"te k" 373:"2-by" 352:"nd 3" 335:"expa" 202:256-bit 182:eSTREAM 166:Salsa20 91:eSTREAM 82:Rumba20 48:General 31:Salsa20 3863:Keygen 3639:Theory 3589:Turing 3584:Spritz 3559:Scream 3529:Phelix 3524:Panama 3494:F-FCSR 3464:MICKEY 3433:Rabbit 3428:HC-128 3387:ChaCha 3227:4 July 3199:  3132:go.dev 2708:GitHub 2632:pshufb 2552:  2523:ECRYPT 2497:  2479:  2111:  2100:  2092:  2074:Nonce 2071:Nonce 2068:Nonce 2010:  1998:. The 1994:  1954:Golang 1946:CSPRNG 1934:NetBSD 1932:, and 1899:HTTP/3 1863:Google 1465:ROUNDS 1225:with: 1215:Nonce 1212:Nonce 1151:  1141:ChaCha 1117:Rounds 1029:ChaCha 1003:et al. 581:ROUNDS 358:Nonce 355:Nonce 324:  320:  316:  312:  170:ChaCha 130:Rounds 74:ChaCha 3893:(PRN) 3661:NLFSR 3574:SOBER 3504:ISAAC 3459:Grain 3300:(PDF) 3249:(PDF) 2687:(PDF) 2574:(PDF) 2519:(PDF) 2421:(PDF) 2337:(PDF) 2309:(PDF) 2257:(PDF) 2223:(PDF) 2179:(PDF) 2138:Notes 2125:Speck 2086:IPsec 1877:over 1357:const 1129:3.95 1126:Speed 947:SHA-2 473:const 209:nonce 142:3.91 139:Speed 3656:LFSR 3604:WAKE 3599:VMPC 3594:VEST 3569:SNOW 3564:SEAL 3554:RC4A 3549:RC4+ 3544:QUAD 3534:Pike 3519:ORYX 3514:MUGI 3499:FISH 3382:A5/2 3377:A5/1 3229:2018 3197:ISBN 2550:ISBN 2495:ISBN 2113:8439 2102:7905 2094:7634 2084:and 2060:Key 2057:Key 2054:Key 2051:Key 2046:Key 2043:Key 2040:Key 2037:Key 2012:7539 2000:IETF 1996:7539 1895:SPDY 1891:QUIC 1871:SPDY 1780:< 1462:< 1408:< 1336:void 1201:Key 1198:Key 1195:Key 1192:Key 1187:Key 1184:Key 1181:Key 1178:Key 1153:7539 1064:2008 896:< 578:< 524:< 452:void 387:Key 384:Key 381:Key 376:Key 369:Pos. 364:Pos. 349:Key 344:Key 341:Key 338:Key 172:are 3402:RC4 3292:PDF 3189:doi 2542:doi 2487:doi 2109:RFC 2098:RFC 2090:RFC 2082:IKE 2008:RFC 2004:GiB 1992:RFC 1973:ARM 1938:RC4 1879:TCP 1875:TLS 1798:out 1759:for 1441:for 1387:for 1369:int 1348:out 1298:15 1284:11 1238:SSE 1149:RFC 1131:cpb 1111:ARX 949:.) 943:MD4 914:out 875:for 557:for 503:for 485:int 464:out 326:): 304:15 290:11 237:mod 217:x86 205:key 144:cpb 124:ARX 4097:: 3671:IV 3539:Py 3397:E0 3257:. 3237:^ 3219:. 3195:. 3148:. 3130:. 3105:. 3084:. 3074:. 3050:. 3020:. 2980:. 2969:. 2952:. 2942:. 2924:. 2914:. 2896:. 2843:. 2818:. 2793:. 2768:. 2742:. 2724:. 2706:. 2695:^ 2665:. 2628:, 2586:^ 2576:. 2548:. 2521:. 2493:. 2485:. 2437:. 2387:. 2363:. 2339:. 2311:. 2235:^ 2225:. 2206:^ 2181:. 2166:^ 2104:. 1928:, 1901:. 1810:in 1789:++ 1783:16 1750:); 1723:QR 1717:); 1690:QR 1684:); 1657:QR 1651:); 1624:QR 1615:); 1588:QR 1582:); 1555:QR 1549:); 1522:QR 1516:); 1489:QR 1474:+= 1432:in 1417:++ 1411:16 1360:in 1295:14 1292:13 1289:12 1281:10 1270:7 1256:3 1121:20 926:in 905:++ 899:16 866:); 839:QR 833:); 806:QR 800:); 773:QR 767:); 740:QR 731:); 704:QR 698:); 671:QR 665:); 638:QR 632:); 605:QR 590:+= 548:in 533:++ 527:16 476:in 301:14 298:13 295:12 287:10 276:7 262:3 134:20 3737:e 3730:t 3723:v 3355:e 3348:t 3341:v 3294:) 3290:( 3231:. 3205:. 3191:: 3169:. 3134:. 3115:. 3060:. 3035:. 3006:. 2875:. 2853:. 2828:. 2803:. 2778:. 2753:. 2728:. 2710:. 2669:. 2650:. 2600:. 2580:. 2558:. 2544:: 2525:. 2503:. 2489:: 2456:. 2441:. 2373:. 2349:. 2321:. 2279:. 2229:. 2200:. 2185:. 1816:} 1813:; 1807:+ 1804:x 1801:= 1795:) 1792:i 1786:; 1777:i 1774:; 1771:0 1768:= 1765:i 1762:( 1756:} 1747:x 1744:, 1741:x 1738:, 1735:x 1732:, 1729:x 1726:( 1714:x 1711:, 1708:x 1705:, 1702:x 1699:, 1696:x 1693:( 1681:x 1678:, 1675:x 1672:, 1669:x 1666:, 1663:x 1660:( 1648:x 1645:, 1642:x 1639:, 1636:x 1633:, 1630:x 1627:( 1612:x 1609:, 1606:x 1603:, 1600:x 1597:, 1594:x 1591:( 1579:x 1576:, 1573:x 1570:, 1567:x 1564:, 1561:x 1558:( 1546:x 1543:, 1540:x 1537:, 1534:x 1531:, 1528:x 1525:( 1513:x 1510:, 1507:x 1504:, 1501:x 1498:, 1495:x 1492:( 1483:{ 1480:) 1477:2 1471:i 1468:; 1459:i 1456:; 1453:0 1450:= 1447:i 1444:( 1435:; 1429:= 1426:x 1423:) 1420:i 1414:; 1405:i 1402:; 1399:0 1396:= 1393:i 1390:( 1384:; 1381:x 1375:; 1372:i 1366:{ 1363:) 1351:, 1342:( 1278:9 1275:8 1267:6 1264:5 1261:4 1253:2 1250:1 1247:0 932:} 929:; 923:+ 920:x 917:= 911:) 908:i 902:; 893:i 890:; 887:0 884:= 881:i 878:( 872:} 863:x 860:, 857:x 854:, 851:x 848:, 845:x 842:( 830:x 827:, 824:x 821:, 818:x 815:, 812:x 809:( 797:x 794:, 791:x 788:, 785:x 782:, 779:x 776:( 764:x 761:, 758:x 755:, 752:x 749:, 746:x 743:( 728:x 725:, 722:x 719:, 716:x 713:, 710:x 707:( 695:x 692:, 689:x 686:, 683:x 680:, 677:x 674:( 662:x 659:, 656:x 653:, 650:x 647:, 644:x 641:( 629:x 626:, 623:x 620:, 617:x 614:, 611:x 608:( 599:{ 596:) 593:2 587:i 584:; 575:i 572:; 569:0 566:= 563:i 560:( 551:; 545:= 542:x 539:) 536:i 530:; 521:i 518:; 515:0 512:= 509:i 506:( 500:; 497:x 491:; 488:i 482:{ 479:) 467:, 458:( 284:9 281:8 273:6 270:5 267:4 259:2 256:1 253:0 20:)

Index

ChaCha20

Daniel J. Bernstein
eSTREAM
Key sizes
Rounds
cpb
cryptanalysis
stream ciphers
Daniel J. Bernstein
eSTREAM
pseudorandom function
add–rotate–XOR
rotation
256-bit
key
nonce
cycles per byte
x86
public domain
exclusive OR
mod
add-rotate-xor operations
timing attacks
nothing-up-my-sleeve number
MD4
SHA-2
provably secure
eSTREAM
truncated differential cryptanalysis

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.