Questions tagged [chacha]
ChaCha is a family of stream ciphers proposed by Daniel J. Bernstein, as an evolution of Salsa20 with (conjecturally) improved resistance to cryptanalysis.
179 questions
2 votes, 1 answer, 1k views
Is XSalsa20-Poly1305-SIV a reasonable choice for nonce-misuse-resistant authenticated encryption?
Consider XSalsa20-Poly1305-SIV. This is obtained by:
computing a MAC $t_{secret}$ of the plaintext from the key and nonce, as in ChaCha20-Poly1305 except that the plaintext, not the ciphertext, is ...
5 votes, 1 answer, 2k views
Is ChaCha12 considered 256-bit secure?
ChaCha20 is considered 256-bit secure (no attack faster than brute force). However, the best known cryptanalysis that I know of is on ChaCha7.
That gives ChaCha20 a rather large security margin (...
0 votes, 1 answer, 291 views
Hardware optimized stream ciphers?
As I understand it, ChaCha20 is slower than AES-CTR in hardware. Are there any hardware-optimized stream ciphers?
6 votes, 1 answer, 7k views
What happens if a nonce is reused in ChaCha20-Poly1305?
In ChaCha20-Poly1305, I know that reusing a nonce loses confidentiality and integrity for all messages encrypted with the (key, nonce) pair.
However, is security affected for those messages encrypted ...
4 votes, 1 answer, 142 views
Symmetric encryption algorithms with large IVs and authentication?
Most modern symmetric ciphers require a nonce/IV. If the nonce is reused, security is lost.
If the nonce is large enough, it can be generated securely by using a CSPRNG. This avoids needing to keep ...
6 votes, 1 answer, 3k views
Is ChaCha20 alone sufficient for securing data-at-rest?
I wonder if ChaCha20 alone is sufficient for securing files stored on a disk or should Poly1305 be used along with it? AFAIK, Poly1305 is used to secure the authentication channel, but for ...
2 votes, 1 answer, 697 views
Why is there no 'ECDSA' version of 'DHE-RSA-CHACHA20-POLY1305'?
So I was just checking my TLS cipherlist and noticed that there was a 'DSS' / DSA / ECDSA version of every ...
10 votes, 1 answer, 601 views
Why is the whole initial state used in the final addition of Salsa20 and ChaCha?
Both Salsa20 and ChaCha basically work like this:
Put the key, the nonce, the sequence number and a constant into a 4x4 matrix of 32-bit words.
Transform the matrix invertibly with a number of ARX ...
22 votes, 2 answers, 10k views
Why should one prefer Salsa20 over ChaCha?
We are all aware of Google's approach to introduce ChaCha/Poly1305 as TLS cipher suite. The rationale seems clear: ChaCha is newer and seems to provide better security (and maybe speed?) gained from ...
20 votes, 3 answers, 1k views
Collision or second preimage for the ChaCha core?
Daniel J. Bernstein's ChaCha core is an evolution of the Salsa20 core. Both are functions over the set of 512-bit bitstrings, partitioned as sixteen 32-bit words.
Can we exhibit collisions, or second-...
4 votes, 1 answer, 1k views
chacha20-poly1305 padding and length encoding
The AEAD construction for chacha20-poly1305 described in the IETF proposal encodes message lengths into the text that is to be hashed. The newer proposal goes further and pads associated data and ...
9 votes, 2 answers, 5k views
Where are the ChaCha20 test vectors/examples?
I see in the Salsa20 specification there are test examples throughout the document to help an implementer make sure every function works as designed. Consequently the whole algorithm would work ...
6 votes, 1 answer, 1k views
Extending key sizes in Salsa20 and ChaCha?
I've written implementations of Salsa20 and ChaCha that accept 384 and 448 bit keys. It was fairly trivial to implement, the 'sigma' constant is replaced with key material, and the counter, (which was ...
10 votes, 1 answer, 984 views
Can I use the ChaCha core as a 256-bit to 256-bit one-way function?
I'm looking to implement Lamport signatures as a little fun project, and I need a fast one way function that maps $\{0,1\}^{256} \rightarrow \{0,1\}^{256}$.
I was wondering whether I could safely use ...