After years of cryptanalysis, reduced round variants of Salsa20 (specifically, Salsa20/7 with a 128-bit key) were found to be breakable. [17] The Aumasson et al. Why should one prefer Salsa20 over ChaCha? If you have to decide between the two, and you have a robust extended-nonce key-splitting scheme in place, opt for AES-CTR. (MAC then Encrypt). Thanks janm- adding ECRYPT_ivsetup(&ctx, IV); right before ECRYPT_decrypt_bytes() did the trick. Sea creatures (not fish) that have the suffix 'fish'? How do you set, clear, and toggle a single bit? ChaCha20: is this a potentially safe way of using nonce derived from private key if the key/nonce pair is never reused, for a given plaintext? [4]:4 Like Salsa20, ChaCha arranges the sixteen 32-bit words in a 4×4 matrix. On average, after changing 1 input bit the Salsa20 quarter-round will change 8 output bits while ChaCha will change 12.5 output bits. How are you supposing to implement such an application in C/C++ if you C knowledge is rusty? Is it appropriate for peer-reviewer to look for possible plagiarism? Here's my best attempt so far, starting with one small string of plaintext (my C is rusty... it's possible I've made some basic mistake, though I can't see it): Encrypting [THIS IS A TEST] using random 256 bit key and 64 bit IV: [12] This attack, and all subsequent attacks are based on truncated differential cryptanalysis. Here are speed benchmarks for some of the most commonly used cryptographic algorithms. [7][8] XSalsa20 is provably secure if Salsa20 is secure, but is more suitable for applications where longer nonces are desired. Salsa20, the original cipher, was designed in 2005, then later submitted to eSTREAM by Bernstein. Crypto++ 5.6.0 Benchmarks. When we calculate mean and variance, do we assume data are normally distributed? [4], The ChaCha quarter round has the same number of adds, xors, and bit rotates as the Salsa20 quarter-round, but the fact that two of the rotates are multiples of 8 allows for a small optimization on some architectures including x86. Which theoretical propulsion system has the highest specific impulse? Internally, the cipher uses bitwise addition ⊕ (exclusive OR), 32-bit addition mod 232 ⊞, and constant-distance rotation operations (<<<) on an internal state of sixteen 32-bit words. By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy. The encrypt/decrypt functions increment the offset, giving your code a different IV for the encryption and decryption functions. Security engineer with a fursona. If we index the matrix elements from 0 to 15. Adding the mixed array to the original makes it impossible to recover the input. The initial state is made up of .mw-parser-output .legend{page-break-inside:avoid;break-inside:avoid-column}.mw-parser-output .legend-color{display:inline-block;min-width:1.25em;height:1.25em;line-height:1.25;margin:1px 0;text-align:center;border:1px solid black;background-color:transparent;color:black}.mw-parser-output .legend-text{}  eight words of key,   two words of stream position,   two words of nonce (essentially additional stream position bits), and   four fixed words: The constant words spell "expand 32-byte k" in ASCII (i.e. (It calso also be argued that GCM is simply a combination of CTR with GMAC). Can one extend the nonce of ChaCha/Salsa20 by XORing the extra bits with the key? [20], Google has selected ChaCha20 along with Bernstein's Poly1305 message authentication code as a replacement for RC4 in TLS, which is used for Internet security.