Salsa20

Salsa20
	The Salsa quarter-round function. Four parallel copies make a round.
General
Designers	Daniel J. Bernstein
First published	2007 (designed 2005)
Successors	ChaCha
Related to	Rumba20
Certification	eSTREAM portfolio
Cipher detail
Key sizes	128 or 256 bits
State size	512 bits
Structure	ARX
Rounds	20
Speed	3.91 cpb on an Intel Core 2 Duo
Best public cryptanalysis
	2008 cryptanalysis breaks 8 out of 20 rounds to recover the 256-bit secret key in 2251 operations, using 231 keystream pairs.

Salsa20 and the closely related ChaCha are stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM European Union cryptographic validation process by Bernstein. ChaCha is a modification of Salsa20 published in 2008. It uses a new round function that increases diffusion and increases performance on some architectures.^[4]

Both ciphers are built on a pseudorandom function based on add–rotate–XOR (ARX) operations — 32-bit addition, bitwise addition (XOR) and rotation operations. The core function maps a 256-bit key, a 64-bit nonce, and a 64-bit counter to a 512-bit block of the key stream (a Salsa version with a 128-bit key also exists). This gives Salsa20 and ChaCha the unusual advantage that the user can efficiently seek to any position in the key stream in constant time. Salsa20 offers speeds of around 4–14 cycles per byte in software on modern x86 processors,^[5] and reasonable hardware performance. It is not patented, and Bernstein has written several public domain implementations optimized for common architectures.^[6]

^ Cite error: The named reference sn-20071225 was invoked but never defined (see the help page).
^ Daniel J. Bernstein (2013-05-16). "Salsa 20 speed; Salsa20 software".
^ Jean-Philippe Aumasson; Simon Fischer; Shahram Khazaei; Willi Meier; Christian Rechberger (2008-03-14). "New Features of Latin Dances" (PDF). International Association for Cryptologic Research.
^ Bernstein, Daniel (28 January 2008), ChaCha, a variant of Salsa20 (PDF), retrieved 2018-06-03
^ Daniel J. Bernstein (2013-05-16). "Snuffle 2005: the Salsa20 encryption function".
^ "Salsa20: Software speed". 2007-05-11.

[sn-20071225-1] Cite error: The named reference sn-20071225 was invoked but never defined (see the help page).

[2] Daniel J. Bernstein (2013-05-16). "Salsa 20 speed; Salsa20 software".

[latin-3] Jean-Philippe Aumasson; Simon Fischer; Shahram Khazaei; Willi Meier; Christian Rechberger (2008-03-14). "New Features of Latin Dances" (PDF). International Association for Cryptologic Research.

[ChaCha-4] Bernstein, Daniel (28 January 2008), ChaCha, a variant of Salsa20 (PDF), retrieved 2018-06-03

[5] Daniel J. Bernstein (2013-05-16). "Snuffle 2005: the Salsa20 encryption function".

[6] "Salsa20: Software speed". 2007-05-11.

[1]

[2]

[3]

[4]

[5]

[6]