
Salsa20


Designer: Daniel J. Bernstein
First published: 2007 (designed 2005)
Key sizes: 128 or 256 bits

Salsa20 and the closely related ChaCha are stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM European Union cryptographic validation process by Bernstein. ChaCha is a modification of Salsa20 published in 2008. It uses a new round function that increases diffusion and increases performance on some architectures. A 2008 cryptanalysis breaks 8 out of 20 rounds to recover the 256-bit secret key in 2 operations, using 2 keystream pairs.

Structure

Both ciphers are built on a pseudorandom function based on add-rotate-XOR (ARX) operations: 32-bit addition, bitwise addition (XOR) and rotation operations. The core function maps a 256-bit key, a 64-bit nonce, and a 64-bit counter to a 512-bit block of the key stream (a Salsa version with a 128-bit key also exists). This gives Salsa20 and ChaCha the unusual advantage that the user can efficiently seek to any position in the key stream in constant time. Salsa20 offers speeds of around 4–14 cycles per byte in software on modern x86 processors, and reasonable hardware performance. It is not patented, and Bernstein has written several public domain implementations optimized for common architectures.

Internally, the cipher uses bitwise addition ⊕ (exclusive OR), 32-bit addition mod 2^32 ⊞, and constant-distance rotation operations <<< on an internal state of sixteen 32-bit words. Using only add-rotate-xor operations avoids the possibility of timing attacks in software implementations. The internal state is made of sixteen 32-bit words arranged as a 4×4 matrix.

The initial state is made up of eight words of key, two words of stream position, two words of nonce (essentially additional stream position bits), and four fixed words. The constant words spell "expand 32-byte k" in ASCII (i.e. the 4 words are "expa", "nd 3", "2-by", and "te k"). This is an example of a nothing-up-my-sleeve number. The core operation in Salsa20 is the quarter-round QR(a, b, c, d) that takes a four-word input and produces a four-word output:

    b ^= (a + d) <<< 7;
    c ^= (b + a) <<< 9;
    d ^= (c + b) <<< 13;
    a ^= (d + c) <<< 18;

Odd-numbered rounds apply QR(a, b, c, d) to each of the four columns in the 4×4 matrix, and even-numbered rounds apply it to each of the four rows. Two consecutive rounds (column-round and row-round) together are called a double-round:

    // Odd round
    QR( 0,  4,  8, 12)    // column 1
    QR( 5,  9, 13,  1)    // column 2
    QR(10, 14,  2,  6)    // column 3
    QR(15,  3,  7, 11)    // column 4
    // Even round
    QR( 0,  1,  2,  3)    // row 1
    QR( 5,  6,  7,  4)    // row 2
    QR(10, 11,  8,  9)    // row 3
    QR(15, 12, 13, 14)    // row 4

The C/C++ implementation defines the rotation and the quarter-round as macros and runs 10 loops of 2 rounds each (20 rounds):

    #include <stdint.h>

    #define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
    #define QR(a, b, c, d)( \
        b ^= ROTL(a + d, 7), \
        c ^= ROTL(b + a, 9), \
        d ^= ROTL(c + b,13), \
        a ^= ROTL(d + c,18))
    #define ROUNDS 20
    // 10 loops × 2 rounds/loop = 20 rounds

In the last line, the mixed array is added, word by word, to the original array to obtain its 64-byte key stream block. This is important because the mixing rounds on their own are invertible. In other words, applying the reverse operations would produce the original 4×4 matrix, including the key. Adding the mixed array to the original makes it impossible to recover the input. (This same technique is widely used in hash functions.)

Salsa20/8 and Salsa20/12

Salsa20 performs 20 rounds of mixing on its input. However, reduced-round variants Salsa20/8 and Salsa20/12, using 8 and 12 rounds respectively, have also been introduced. These variants were introduced to complement the original Salsa20, not to replace it, and perform better in the eSTREAM benchmarks than Salsa20, though with a correspondingly lower security margin.

Note: since the majority of the work consists of performing the repeated rounds, the number of rounds is inversely proportional to the performance. That is, halving the number of rounds roughly doubles the performance. Reduced-round variants are thus appreciably faster.

eSTREAM selection of Salsa20

Salsa20/12 has been selected as a Phase 3 design for Profile 1 (software) by the eSTREAM project, receiving the highest weighted voting score of any Profile 1 algorithm at the end of Phase 2. Salsa20 had previously been selected as a Phase 2 Focus design for Profile 1 (software) and as a Phase 2 design for Profile 2 (hardware) by the eSTREAM project, but was not advanced to Phase 3 for Profile 2 because eSTREAM felt that it was probably not a good candidate for extremely resource-constrained hardware environments.

The eSTREAM committee recommends the use of Salsa20/12, the 12-round variant, for "combining very good performance with a comfortable margin of security."

Cryptanalysis of Salsa20

As of 2015, there are no published attacks on Salsa20/12 or the full Salsa20/20; the best attack known breaks 8 of the 12 or 20 rounds.

In 2005, Paul Crowley reported an attack on Salsa20/5 with an estimated time complexity of 2 and won Bernstein's US$1000 prize for "most interesting Salsa20 cryptanalysis". This attack and all subsequent attacks are based on truncated differential cryptanalysis. In 2006, Fischer, Meier, Berbain, Biasse, and Robshaw reported an attack on Salsa20/6 with estimated time complexity of 2, and a related-key attack on Salsa20/7 with estimated time complexity of 2.

In 2007, Tsunoo et al. announced a cryptanalysis of Salsa20 which breaks 8 out of 20 rounds to recover the 256-bit secret key in 2 operations, using 2 keystream pairs. However, this attack does not seem to be competitive with the brute force attack.

In 2008, Aumasson, Fischer, Khazaei, Meier, and Rechberger reported a cryptanalytic attack against Salsa20/7 with a time complexity of 2, and they reported an attack against Salsa20/8 with an estimated time complexity of 2. This attack makes use of the new concept of probabilistic neutral key bits for probabilistic detection of a truncated differential. The attack can be adapted to break Salsa20/7 with a 128-bit key.

In 2012, the attack by Aumasson et al. was improved by Shi et al. against Salsa20/7 (128-bit key) to a time complexity of 2 and Salsa20/8 (256-bit key) to 2.

In 2013, Mouha and Preneel published a proof that 15 rounds of Salsa20 was 128-bit secure against differential cryptanalysis. (Specifically, it has no differential characteristic with higher probability than 2, so differential cryptanalysis would be more difficult than 128-bit key exhaustion.)

XSalsa20 with 192-bit nonce

In 2008, Bernstein proposed a variant of Salsa20 with 192-bit nonces called XSalsa20. XSalsa20 is provably secure if Salsa20 is secure, but is more suitable for applications where longer nonces are desired. XSalsa20 feeds the key and the first 128 bits of the nonce into one block of Salsa20 (without the final addition, which may either be omitted, or subtracted after a standard Salsa20 block), and uses 256 bits of the output as the key for standard Salsa20 using the last 64 bits of the nonce and the stream position. Specifically, the 256 bits of output used are those corresponding to the non-secret portions of the input: indexes 0, 5, 10, 15, 6, 7, 8 and 9.

ChaCha variant

In 2008, Bernstein published the closely related ChaCha family of ciphers, which aim to increase the diffusion per round while achieving the same or slightly better performance. The Aumasson et al. paper also attacks ChaCha, achieving one round fewer (for 256-bit ChaCha6 with complexity 2, ChaCha7 with complexity 2, and 128-bit ChaCha6 within 2) but claims that the attack fails to break 128-bit ChaCha7.

Like Salsa20, ChaCha's initial state includes a 128-bit constant, a 256-bit key, a 64-bit counter, and a 64-bit nonce (in the original version; as described later, the version of ChaCha from RFC 7539 is slightly different), arranged as a 4×4 matrix of 32-bit words. But ChaCha re-arranges some of the words in the initial state.

The constant is the same as Salsa20 ("expand 32-byte k"). ChaCha replaces the Salsa20 quarter-round QR(a, b, c, d) with:

    a += b; d ^= a; d <<<= 16;
    c += d; b ^= c; b <<<= 12;
    a += b; d ^= a; d <<<= 8;
    c += d; b ^= c; b <<<= 7;

Notice that this version updates each word twice, while Salsa20's quarter round updates each word only once. In addition, the ChaCha quarter-round diffuses changes more quickly. On average, after changing 1 input bit the Salsa20 quarter-round will change 8 output bits while ChaCha will change 12.5.

The ChaCha quarter round has the same number of adds, xors, and bit rotates as the Salsa20 quarter-round, but the fact that two of the rotates are multiples of 8 allows for a small optimization on some architectures including x86. (Two of these constants are multiples of 8; this allows for a 1-instruction rotation in Core2 and later Intel CPUs.) Additionally, the input formatting has been rearranged to support an implementation optimization discovered for Salsa20. Rather than alternating rounds down columns and across rows, they are performed down columns and along diagonals. Like Salsa20, ChaCha arranges the sixteen 32-bit words in a 4×4 matrix. If we index the matrix elements from 0 to 15, then a double round in ChaCha is:

    // Odd round
    QR(0, 4,  8, 12)    // column 1
    QR(1, 5,  9, 13)    // column 2
    QR(2, 6, 10, 14)    // column 3
    QR(3, 7, 11, 15)    // column 4
    // Even round
    QR(0, 5, 10, 15)    // diagonal 1 (main diagonal)
    QR(1, 6, 11, 12)    // diagonal 2
    QR(2, 7,  8, 13)    // diagonal 3
    QR(3, 4,  9, 14)    // diagonal 4

ChaCha20 uses 10 iterations of the double round. The C/C++ implementation defines the rotation and the quarter-round as macros and runs 10 loops of 2 rounds each (20 rounds):

    #include <stdint.h>

    #define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
    #define QR(a, b, c, d) ( \
        a += b, d ^= a, d = ROTL(d, 16), \
        c += d, b ^= c, b = ROTL(b, 12), \
        a += b, d ^= a, d = ROTL(d, 8), \
        c += d, b ^= c, b = ROTL(b, 7))
    #define ROUNDS 20
    // 10 loops × 2 rounds/loop = 20 rounds
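The following C program is an added example, not code from the original article or from Bernstein's reference implementation. It builds a complete ChaCha20 block function in the RFC 7539 layout (96-bit nonce, 32-bit counter) from the quarter-round and double-round listed above, checks it against the quarter-round and block test vectors of RFC 7539 (sections 2.1.1 and 2.3.2), and also demonstrates the earlier point about the final addition: the 20 rounds alone are invertible, so without the feed-forward the whole input, key included, can be recovered from a mixed block. The function names, the sample key and the sample plaintext are my own choices, and the ROTR/QR_INV macros are mine, not part of the cipher specification.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ROTL(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
#define ROTR(a, b) (((a) >> (b)) | ((a) << (32 - (b))))

/* ChaCha quarter-round exactly as in the article, and (added here) its step-by-step inverse. */
#define QR(a, b, c, d) ( \
    a += b, d ^= a, d = ROTL(d, 16), \
    c += d, b ^= c, b = ROTL(b, 12), \
    a += b, d ^= a, d = ROTL(d, 8),  \
    c += d, b ^= c, b = ROTL(b, 7))
#define QR_INV(a, b, c, d) ( \
    b = ROTR(b, 7),  b ^= c, c -= d, \
    d = ROTR(d, 8),  d ^= a, a -= b, \
    b = ROTR(b, 12), b ^= c, c -= d, \
    d = ROTR(d, 16), d ^= a, a -= b)
#define ROUNDS 20

/* One double round: column round then diagonal round. inv != 0 undoes one double round. */
static void double_round(uint32_t x[16], int inv) {
    if (!inv) {
        QR(x[0], x[4], x[ 8], x[12]); QR(x[1], x[5], x[ 9], x[13]);   /* columns   */
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);   /* diagonals */
        QR(x[2], x[7], x[ 8], x[13]); QR(x[3], x[4], x[ 9], x[14]);
    } else {                                               /* diagonals first, then columns */
        QR_INV(x[3], x[4], x[ 9], x[14]); QR_INV(x[2], x[7], x[ 8], x[13]);
        QR_INV(x[1], x[6], x[11], x[12]); QR_INV(x[0], x[5], x[10], x[15]);
        QR_INV(x[3], x[7], x[11], x[15]); QR_INV(x[2], x[6], x[10], x[14]);
        QR_INV(x[1], x[5], x[ 9], x[13]); QR_INV(x[0], x[4], x[ 8], x[12]);
    }
}

static uint32_t load32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* RFC 7539 state layout: 4 constant words, 8 key words, one 32-bit counter, three nonce words. */
void chacha20_init(uint32_t s[16], const uint8_t key[32], uint32_t counter, const uint8_t nonce[12]) {
    s[0] = 0x61707865; s[1] = 0x3320646e; s[2] = 0x79622d32; s[3] = 0x6b206574; /* "expand 32-byte k" */
    for (int i = 0; i < 8; i++) s[4 + i] = load32_le(key + 4 * i);
    s[12] = counter;
    for (int i = 0; i < 3; i++) s[13 + i] = load32_le(nonce + 4 * i);
}

/* 20 rounds, then the word-wise feed-forward addition that makes the block one-way. */
void chacha20_block(const uint32_t in[16], uint32_t out[16]) {
    uint32_t x[16];
    memcpy(x, in, sizeof x);
    for (int i = 0; i < ROUNDS / 2; i++) double_round(x, 0);
    for (int i = 0; i < 16; i++) out[i] = in[i] + x[i];
}

/* XOR len bytes of keystream into buf; the same call encrypts and decrypts. */
void chacha20_xor(const uint8_t key[32], uint32_t counter, const uint8_t nonce[12], uint8_t *buf, size_t len) {
    uint32_t s[16], ks[16];
    chacha20_init(s, key, counter, nonce);
    for (size_t off = 0; off < len; off += 64) {
        chacha20_block(s, ks);
        s[12]++;                                  /* 32-bit block counter: at most 2^32 blocks per nonce */
        for (size_t i = 0; i < 64 && off + i < len; i++)
            buf[off + i] ^= (uint8_t)(ks[i / 4] >> (8 * (i % 4)));
    }
}

/* RFC 7539 section 2.1.1 quarter-round test vector; returns word i (a, b, c, d) of the result. */
uint32_t rfc7539_qr_word(int i) {
    uint32_t a = 0x11111111, b = 0x01020304, c = 0x9b8d6f43, d = 0x01234567;
    QR(a, b, c, d);
    uint32_t r[4] = {a, b, c, d};
    return r[i];
}

/* RFC 7539 section 2.3.2 block test: key bytes 00..1f, nonce 00 00 00 09 00 00 00 4a 00 00 00 00, counter 1. */
uint32_t rfc7539_block_word(int i) {
    uint8_t key[32], nonce[12] = {0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0};
    uint32_t s[16], out[16];
    for (int k = 0; k < 32; k++) key[k] = (uint8_t)k;
    chacha20_init(s, key, 1, nonce);
    chacha20_block(s, out);
    return out[i];
}

/* Why the final addition matters: without it the 20 rounds are invertible and the entire
   input, key included, comes back out of the mixed state. Returns 1 if the input is recovered. */
int rounds_without_feedforward_invertible(void) {
    uint8_t key[32], nonce[12] = {0};
    uint32_t s[16], x[16];
    for (int k = 0; k < 32; k++) key[k] = (uint8_t)(0xA0 + k);   /* constructed sample key */
    chacha20_init(s, key, 0, nonce);
    memcpy(x, s, sizeof x);
    for (int i = 0; i < ROUNDS / 2; i++) double_round(x, 0);     /* mixing only, no feed-forward */
    for (int i = 0; i < ROUNDS / 2; i++) double_round(x, 1);     /* undo it */
    return memcmp(x, s, sizeof x) == 0;
}

int main(void) {
    uint8_t key[32], nonce[12] = {0}, msg[] = "constructed sample plaintext";  /* constructed input */
    for (int k = 0; k < 32; k++) key[k] = (uint8_t)k;
    printf("block word 0 = %08x (RFC 7539 gives e4e7f110)\n", rfc7539_block_word(0));
    chacha20_xor(key, 1, nonce, msg, sizeof msg - 1);   /* encrypt ... */
    chacha20_xor(key, 1, nonce, msg, sizeof msg - 1);   /* ... and decrypt with the same call */
    printf("round trip: %s; rounds alone invertible: %d\n", (char *)msg, rounds_without_feedforward_invertible());
    return 0;
}
```

The invertibility check is the practical reason a stream cipher must never expose a block without the feed-forward: the inverse double round is just the quarter-rounds undone in reverse order, and ten of them walk straight back to the key words. The block counter in chacha20_xor is the 32-bit IETF counter, which is where the 2^32-block (256 GiB) per-nonce limit discussed under Internet standards comes from.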
ChaCha is the basis of the BLAKE hash function, a finalist in the NIST hash function competition, and its faster successors BLAKE2 and BLAKE3. It also defines a variant using sixteen 64-bit words (1024 bits of state), with correspondingly adjusted rotation constants.

XChaCha

Although not announced by Bernstein, the security proof of XSalsa20 extends straightforwardly to an analogous XChaCha cipher. Use the key and the first 128 bits of the nonce (in input words 12 through 15) to form a ChaCha input block, then perform the block operation (omitting the final addition). Output words 0–3 and 12–15 (those words corresponding to non-key words of the input) then form the key used for ordinary ChaCha (with the last 64 bits of nonce and 64 bits of block counter).

Reduced-round ChaCha

Aumasson argues in 2020 that 8 rounds of ChaCha (ChaCha8) probably provides enough resistance to future cryptanalysis for the same security level, yielding a 2.5× speedup. A compromise ChaCha12 (based on the eSTREAM recommendation of a 12-round Salsa) also sees some use. The eSTREAM benchmarking suite includes ChaCha8 and ChaCha12.

ChaCha20 adoption

Google adopted ChaCha20 along with Bernstein's Poly1305 message authentication code; in the process, they proposed a new authenticated encryption construction combining both algorithms, which is called ChaCha20-Poly1305.

Shortly after Google's adoption for TLS, both the ChaCha20 and Poly1305 algorithms were also used for a new ChaCha20-Poly1305 cipher in OpenSSH. Subsequently, this made it possible for OpenSSH to avoid any dependency on OpenSSL, via a compile-time option.

ChaCha20 is also used for the arc4random random number generator in operating systems such as OpenBSD and NetBSD, instead of the broken RC4, and for the CSPRNG subroutine of the kernel. Starting from version 4.8, the Linux kernel uses the ChaCha20 algorithm to generate data for the nonblocking /dev/urandom device. ChaCha8 is used for the default PRNG in Go. Rust's CSPRNG uses ChaCha12.

ChaCha20 usually offers better performance than the more prevalent Advanced Encryption Standard (AES) algorithm on systems where the CPU does not feature AES acceleration (such as the AES instruction set for x86 processors). As a result, ChaCha20 is sometimes preferred over AES in certain use cases involving mobile devices, which mostly use ARM-based CPUs. Specialized hardware accelerators for ChaCha20 are also less complex compared to AES accelerators.

ChaCha20-Poly1305 (IETF version; see below) is the exclusive algorithm used by the WireGuard VPN system, as of protocol version 1.

Internet standards

An implementation reference for ChaCha20 has been published in RFC 7539. The IETF's implementation modified Bernstein's published algorithm by changing the 64-bit nonce and 64-bit block counter to a 96-bit nonce and 32-bit block counter. The name was not changed when the algorithm was modified, as it is cryptographically insignificant (both form what a cryptographer would recognize as a 128-bit nonce), but the interface change could be a source of confusion for developers. Because of the reduced block counter, the maximum message length that can be safely encrypted by the IETF's variant is 2^32 blocks of 64 bytes (256 GiB). For applications where this is not enough, such as file or disk encryption, RFC 7539 proposes using the original algorithm with 64-bit nonce.

Changes from regular ChaCha: the nonce:block-counter split of the initial state was changed from 64:64 to 96:32.

In 2018, RFC 7539 was obsoleted by RFC 8439. RFC 8439 merges in some errata and adds additional security considerations.
2281: 2275: 2272: 2267: 2260: 2257: 2244: 2243: 2238: 2232: 2230: 2228: 2226: 2222: 2217: 2210: 2203: 2201: 2199: 2197: 2193: 2188: 2181: 2178: 2173: 2166: 2159: 2157: 2153: 2147: 2136: 2133: 2126: 2121: 2118: 2115: 2112: 2111: 2107: 2105: 2103: 2099: 2094: 2092: 2088: 2084: 2080: 2076: 2072: 2062: 2059: 2056: 2053: 2052: 2048: 2045: 2042: 2039: 2038: 2034: 2031: 2028: 2025: 2024: 2020: 2017: 2014: 2011: 2010: 2004: 2002: 1998: 1994: 1990: 1986: 1982: 1974: 1972: 1970: 1965: 1963: 1959: 1955: 1951: 1946: 1944: 1940: 1936: 1932: 1931:DragonFly BSD 1928: 1924: 1920: 1916: 1907: 1905: 1901: 1896: 1891: 1889: 1885: 1881: 1877: 1873: 1869: 1865: 1861: 1857: 1853: 1846: 1844: 1842: 1834: 1832: 1829: 1821: 1819: 1817: 1813: 1742:// diagonal 4 1709:// diagonal 3 1676:// diagonal 2 1610:// Even round 1300: 1294: 1286: 1283: 1280: 1277: 1276: 1272: 1269: 1266: 1263: 1262: 1258: 1255: 1252: 1249: 1248: 1244: 1241: 1238: 1235: 1234: 1231: 1228: 1222: 1221:output bits. 1215: 1203: 1200: 1197: 1194: 1193: 1189: 1186: 1183: 1180: 1179: 1175: 1172: 1169: 1166: 1165: 1161: 1158: 1155: 1152: 1151: 1145: 1143: 1139: 1134: 1131: 1121: 1117: 1113: 1109: 1107: 1103: 1099: 1095: 1091: 1087: 1083: 1081: 1077: 1074:Cipher detail 1072: 1068: 1064: 1060: 1056: 1052: 1048: 1045: 1042: 1038: 1033: 1026: 1021: 1012: 1010: 1008: 1003: 1000: 996: 993: 988: 986: 980: 974: 972: 969: 966: 958: 956: 953: 945: 943: 939: 937: 933: 929: 726:// Even round 444:salsa20_block 410: 404: 394: 388: 378: 375: 372: 369: 368: 364: 361: 356: 351: 350: 346: 343: 340: 337: 336: 332: 329: 326: 323: 322: 316: 292: 289: 286: 283: 282: 278: 275: 272: 269: 268: 264: 261: 258: 255: 254: 250: 247: 244: 241: 240: 237: 235: 231: 227: 223: 215: 213: 211: 210:public domain 207: 203: 199: 195: 192: 188: 184: 180: 175: 172: 168: 165:developed by 164: 160: 156: 146: 143: 142:cryptanalysis 138: 134: 130: 126: 122: 120: 116: 112: 108: 104: 100: 96: 94: 90: 87:Cipher detail 85: 81: 78: 76:Certification 74: 70: 66: 62: 58: 54: 50: 
47: 44: 40: 35: 28: 23: 3997:Block cipher 3842:Key schedule 3832:Key exchange 3822:Kleptography 3785:Cryptosystem 3734:Cryptography 3426: 3255: 3247: 3241:. Retrieved 3214:. Retrieved 3209: 3200: 3172: 3164: 3150: 3138: 3129: 3120: 3110: 3099:. Retrieved 3082: 3074: 3068:. Retrieved 3064: 3055: 3044:. Retrieved 3040: 3030: 3019:. Retrieved 3015:the original 3010: 3001: 2990:. Retrieved 2988:. 2016-09-07 2980: 2970: 2964:. Retrieved 2962:. 2015-11-04 2959: 2950: 2942: 2936:. Retrieved 2932: 2922: 2914: 2908:. Retrieved 2904: 2894: 2886: 2880:. Retrieved 2878:. 2017-04-16 2870: 2859:. Retrieved 2848: 2837:. Retrieved 2823: 2812:. Retrieved 2808: 2798: 2787:. Retrieved 2783: 2773: 2762:. Retrieved 2758: 2748: 2737:. Retrieved 2735:. 2015-02-23 2732: 2723: 2714: 2705: 2696: 2671: 2664: 2655: 2645: 2630: 2620: 2618: 2612:, retrieved 2608:the original 2602: 2595: 2566: 2553: 2526: 2520: 2511: 2498: 2461: 2451: 2436: 2427: 2418: 2401: 2386: 2368: 2357:. Retrieved 2353: 2350:"Salsa20/12" 2344: 2333:. Retrieved 2329: 2316: 2305:. Retrieved 2301: 2288: 2274: 2259: 2249:, retrieved 2241: 2215: 2180: 2171: 2135: 2095: 2068: 1978: 1966: 1947: 1939:/dev/urandom 1908: 1892: 1850: 1838: 1827: 1825: 1809: 1475:// Odd round 1328:chacha_block 1298: 1292: 1223: 1219: 1209: 1135: 1129: 1127: 1058:Derived from 1004: 1001: 997: 991: 989: 981: 978: 970: 962: 949: 940: 927: 925: 591:// Odd round 408: 398: 384: 298: 222:exclusive OR 219: 176: 158: 154: 153: 140:Best public 3985:Mathematics 3976:Mix network 2623:instruction 1607:// column 4 1574:// column 3 1541:// column 2 1508:// column 1 723:// column 4 690:// column 3 657:// column 2 624:// column 1 196:, a 64-bit 4084:Categories 3936:Ciphertext 3906:Decryption 3901:Encryption 3862:Ransomware 3655:T-function 3602:Generators 3478:Achterbahn 3243:2017-08-07 3101:2016-10-03 3070:2016-09-20 3046:2016-09-20 3021:2016-09-07 2992:2016-09-07 2966:2016-09-07 2938:2016-09-07 2910:2016-09-07 2882:2018-03-16 2861:2016-09-07 2857:. 
Slashdot 2839:2016-09-07 2814:2016-09-07 2789:2021-07-13 2764:2021-07-13 2755:"RFC 9001" 2739:2021-07-13 2614:2016-09-07 2395:. eSTREAM. 2359:2017-08-22 2335:2022-08-18 2307:2022-08-18 2251:2018-06-03 2148:References 1911:arc4random 1898:cipher in 1225:efficient 1089:State size 928:invertible 102:State size 60:Successors 3926:Plaintext 3568:SOBER-128 3498:KCipher-2 3432:SOSEMANUK 3403:Portfolio 3210:WireGuard 2466:CiteSeerX 2354:ECRYPT II 1969:WireGuard 1929:, and in 1097:Structure 1080:Key sizes 1040:Designers 216:Structure 181:based on 110:Structure 93:Key sizes 82:portfolio 42:Designers 4065:Category 3971:Kademlia 3931:Codetext 3874:(CSPRNG) 3441:Hardware 3410:Software 3381:Crypto-1 3096:Phoronix 2834:Slashdot 2711:"ChaCha" 2330:cr.yp.to 2302:cr.yp.to 2172:cr.yp.to 2108:See also 2054:Counter 1933:for the 1856:Poly1305 1367:uint32_t 1343:uint32_t 1334:uint32_t 1198:Counter 1195:Counter 1092:512 bits 934:through 858:// row 4 825:// row 3 792:// row 2 759:// row 1 483:uint32_t 459:uint32_t 450:uint32_t 414:#include 187:rotation 105:512 bits 3741:General 3669:Attacks 3458:Trivium 3427:Salsa20 3401:eSTREAM 2378:eSTREAM 2140:faster. 2021:"te k" 2018:"2-by" 2015:"nd 3" 2012:"expa" 1919:OpenBSD 1915:FreeBSD 1904:OpenSSL 1900:OpenSSH 1828:XChaCha 1822:XChaCha 1162:"te k" 1159:"2-by" 1156:"nd 3" 1153:"expa" 1069:Rumba20 1061:Salsa20 1035:General 965:eSTREAM 379:"te k" 362:"2-by" 341:"nd 3" 324:"expa" 191:256-bit 171:eSTREAM 155:Salsa20 80:eSTREAM 71:Rumba20 37:General 20:Salsa20 3852:Keygen 3628:Theory 3578:Turing 3573:Spritz 3548:Scream 3518:Phelix 3513:Panama 3483:F-FCSR 3453:MICKEY 3422:Rabbit 3417:HC-128 3376:ChaCha 3216:4 July 3188:  3121:go.dev 2697:GitHub 2621:pshufb 2541:  2512:ECRYPT 2486:  2468:  2100:  2089:  2081:  2063:Nonce 2060:Nonce 2057:Nonce 1999:  1987:. The 1983:  1943:Golang 1935:CSPRNG 1923:NetBSD 1921:, and 1888:HTTP/3 1852:Google 1454:ROUNDS 1214:with: 1204:Nonce 1201:Nonce 1140:  1130:ChaCha 1106:Rounds 1018:ChaCha 992:et al. 
570:ROUNDS 347:Nonce 344:Nonce 313:  309:  305:  301:  159:ChaCha 119:Rounds 63:ChaCha 3882:(PRN) 3650:NLFSR 3563:SOBER 3493:ISAAC 3448:Grain 3289:(PDF) 3238:(PDF) 2676:(PDF) 2563:(PDF) 2508:(PDF) 2410:(PDF) 2326:(PDF) 2298:(PDF) 2246:(PDF) 2212:(PDF) 2168:(PDF) 2127:Notes 2114:Speck 2075:IPsec 1866:over 1346:const 1118:3.95 1115:Speed 936:SHA-2 462:const 198:nonce 131:3.91 128:Speed 3645:LFSR 3593:WAKE 3588:VMPC 3583:VEST 3558:SNOW 3553:SEAL 3543:RC4A 3538:RC4+ 3533:QUAD 3523:Pike 3508:ORYX 3503:MUGI 3488:FISH 3371:A5/2 3366:A5/1 3218:2018 3186:ISBN 2539:ISBN 2484:ISBN 2102:8439 2091:7905 2083:7634 2073:and 2049:Key 2046:Key 2043:Key 2040:Key 2035:Key 2032:Key 2029:Key 2026:Key 2001:7539 1989:IETF 1985:7539 1884:SPDY 1880:QUIC 1860:SPDY 1769:< 1451:< 1397:< 1325:void 1190:Key 1187:Key 1184:Key 1181:Key 1176:Key 1173:Key 1170:Key 1167:Key 1142:7539 1053:2008 885:< 567:< 513:< 441:void 376:Key 373:Key 370:Key 365:Key 358:Pos. 353:Pos. 338:Key 333:Key 330:Key 327:Key 161:are 3391:RC4 3281:PDF 3178:doi 2531:doi 2476:doi 2098:RFC 2087:RFC 2079:RFC 2071:IKE 1997:RFC 1993:GiB 1981:RFC 1962:ARM 1927:RC4 1868:TCP 1864:TLS 1787:out 1748:for 1430:for 1376:for 1358:int 1337:out 1287:15 1273:11 1227:SSE 1138:RFC 1120:cpb 1100:ARX 938:.) 932:MD4 903:out 864:for 546:for 492:for 474:int 453:out 315:): 293:15 279:11 226:mod 206:x86 194:key 133:cpb 113:ARX 4086:: 3660:IV 3528:Py 3386:E0 3246:. 3226:^ 3208:. 3184:. 3137:. 3119:. 3094:. 3073:. 3063:. 3039:. 3009:. 2969:. 2958:. 2941:. 2931:. 2913:. 2903:. 2885:. 2832:. 2807:. 2782:. 2757:. 2731:. 2713:. 2695:. 2684:^ 2654:. 2617:, 2575:^ 2565:. 2537:. 2510:. 2482:. 2474:. 2426:. 2376:. 2352:. 2328:. 2300:. 2224:^ 2214:. 2195:^ 2170:. 2155:^ 2093:. 1917:, 1890:. 
1799:in 1778:++ 1772:16 1739:); 1712:QR 1706:); 1679:QR 1673:); 1646:QR 1640:); 1613:QR 1604:); 1577:QR 1571:); 1544:QR 1538:); 1511:QR 1505:); 1478:QR 1463:+= 1421:in 1406:++ 1400:16 1349:in 1284:14 1281:13 1278:12 1270:10 1259:7 1245:3 1110:20 915:in 894:++ 888:16 855:); 828:QR 822:); 795:QR 789:); 762:QR 756:); 729:QR 720:); 693:QR 687:); 660:QR 654:); 627:QR 621:); 594:QR 579:+= 537:in 522:++ 516:16 465:in 290:14 287:13 284:12 276:10 265:7 251:3 123:20 3726:e 3719:t 3712:v 3344:e 3337:t 3330:v 3283:) 3279:( 3220:. 3194:. 3180:: 3158:. 3123:. 3104:. 3049:. 3024:. 2995:. 2864:. 2842:. 2817:. 2792:. 2767:. 2742:. 2717:. 2699:. 2658:. 2639:. 2589:. 2569:. 2547:. 2533:: 2514:. 2492:. 2478:: 2445:. 2430:. 2362:. 2338:. 2310:. 2268:. 2218:. 2189:. 2174:. 1805:} 1802:; 1796:+ 1793:x 1790:= 1784:) 1781:i 1775:; 1766:i 1763:; 1760:0 1757:= 1754:i 1751:( 1745:} 1736:x 1733:, 1730:x 1727:, 1724:x 1721:, 1718:x 1715:( 1703:x 1700:, 1697:x 1694:, 1691:x 1688:, 1685:x 1682:( 1670:x 1667:, 1664:x 1661:, 1658:x 1655:, 1652:x 1649:( 1637:x 1634:, 1631:x 1628:, 1625:x 1622:, 1619:x 1616:( 1601:x 1598:, 1595:x 1592:, 1589:x 1586:, 1583:x 1580:( 1568:x 1565:, 1562:x 1559:, 1556:x 1553:, 1550:x 1547:( 1535:x 1532:, 1529:x 1526:, 1523:x 1520:, 1517:x 1514:( 1502:x 1499:, 1496:x 1493:, 1490:x 1487:, 1484:x 1481:( 1472:{ 1469:) 1466:2 1460:i 1457:; 1448:i 1445:; 1442:0 1439:= 1436:i 1433:( 1424:; 1418:= 1415:x 1412:) 1409:i 1403:; 1394:i 1391:; 1388:0 1385:= 1382:i 1379:( 1373:; 1370:x 1364:; 1361:i 1355:{ 1352:) 1340:, 1331:( 1267:9 1264:8 1256:6 1253:5 1250:4 1242:2 1239:1 1236:0 921:} 918:; 912:+ 909:x 906:= 900:) 897:i 891:; 882:i 879:; 876:0 873:= 870:i 867:( 861:} 852:x 849:, 846:x 843:, 840:x 837:, 834:x 831:( 819:x 816:, 813:x 810:, 807:x 804:, 801:x 798:( 786:x 783:, 780:x 777:, 774:x 771:, 768:x 765:( 753:x 750:, 747:x 744:, 741:x 738:, 735:x 732:( 717:x 714:, 711:x 708:, 705:x 702:, 699:x 696:( 684:x 681:, 678:x 675:, 672:x 669:, 666:x 663:( 651:x 648:, 645:x 642:, 639:x 
636:, 633:x 630:( 618:x 615:, 612:x 609:, 606:x 603:, 600:x 597:( 588:{ 585:) 582:2 576:i 573:; 564:i 561:; 558:0 555:= 552:i 549:( 540:; 534:= 531:x 528:) 525:i 519:; 510:i 507:; 504:0 501:= 498:i 495:( 489:; 486:x 480:; 477:i 471:{ 468:) 456:, 447:( 273:9 270:8 262:6 259:5 256:4 248:2 245:1 242:0
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.