Skip to main content

Questions tagged [chacha]

ChaCha is a family of stream ciphers proposed by Daniel J. Bernstein, as an evolution of Salsa20 with (conjecturally) improved resistance to cryptanalysis.

2 votes
2 answers

Can you use ChaCha20 as one-time pad?

My knowledge of cryptography nothing beyond basic so I am by no means an expert, but I do know a bit of undergraduate mathematics including number theory. I know that stream ciphers like ChaCha20 is ...
cryptobro's user avatar
0 votes
0 answers

ChaCha20 1Gb encryption speed question

I wrote a simple implementation of ChaCha20 encryptor for files in C using MbedTLS implementation. The process of encryption is standard - I set key, then for each block of fixed size I generate new ...
Enty AV's user avatar
1 vote
1 answer

ChaCha20 as a block cipher

Would it be possible to use ChaCha20 as a block cipher? With the key, the entire block function can be reversed.
somehybrid's user avatar
1 vote
2 answers

Constant values of ChaCha20

Is it possible to change the constant values of ChaCha20? and how it will affect the security of the cipher.
MFFC24's user avatar
  • 21
1 vote
0 answers


Research paper: "Extended-Chacha20 Stream Cipher With Enhanced Quarter Round Function" The initial matrix is 6x6, but what are the exact inputs for each index, in other words, how will you ...
MFFC24's user avatar
  • 21
1 vote
2 answers

Hamming Distance and Avalanche effect in Cryptography?

I am new to Cryptography and I know there are better ways to test a cipher's effectiveness out there but in this case I am trying to test a cryptographic algorithm's(AES,xchacha20,twofish) hamming ...
Jake's user avatar
  • 43
3 votes
1 answer

Is there any way to measure entropy of encryption algorithms in python?

I am new to cryptography and I am trying to find a way to measure ciphertext entropy of encryption algorithms such as AES, Chacha20, etc for a school project. Is there any way to do it on Python? I ...
Jake's user avatar
  • 43
2 votes
1 answer

Why doesn't ChaCha use a 512bit key and xor parameters into it?

ChaCha has clear delineations between key, nonce, counter and constants. What is the reason for not using a XEX-like ($k=0$) approach such that the ChaCha key is 512 bits and all the other things are ...
Loraine Toorla's user avatar
2 votes
1 answer

48-bit nonce reuse with ChaCha20

The situation: I have a group with 20 members, each member broadcasting 1 message per second. Communicating one on one is possible, but 1 message per member per second is the absolute limit and every ...
Florebol's user avatar
0 votes
1 answer

Chacha20 key/nonce/counter correct usage

Setting all 48 ChaCha state bytes (key, nonce, initial counter) from one result of strong hash function like sha3-384 or blake2b - correct usage? or bad practice? PS: using original chacha20 (8bytes ...
Yuri Myakotin's user avatar
0 votes
1 answer

ChaCha20-Poly1305 and AES-GCM-SIV output size

Background information: I need to encrypt 168bit messages, the ciphertext should, preferably, match the plaintext size. Message Authentication and Integrity is not a must, but a really important ...
Florebol's user avatar
2 votes
1 answer

Recommended output filter for Rumba20 [closed]

Rumba20 is a compression function that maps a 192-byte (1536-bit) string to a 64-byte (512-bit) string. It's designed to provide collision resistance by using Salsa20 (or ChaCha20) with the ...
samuel-lucas6's user avatar
3 votes
2 answers

Encrypting arbitrary large files in AEAD chunks - how to protect against chunk reordering?

I would like to encrypt big files using an authenticated cipher. I am convinced to use approach where file is divided into smaller manageable chunks that fit easily in memory (e.g. 1-10MB size) which ...
Tom Raganowicz's user avatar
0 votes
1 answer

If ChaCha20 only has 128 bits, is it secure?

ChaCha20 also provides 256-bit encryption, i.e, 2^256 possibilities of keys. But ChaCha20 is very fast, I think it provides at most 2^256 multiplied by decrypting time. 256-bit AES provides 254-bit ...
Flan1335's user avatar
  • 361
2 votes
1 answer

Choice of nonce for reproducible encryption

In my application I have an SQLite database that stores labels for images, like this: IMAGE ID LABEL 1 foo 1 bar 2 bar 3 foo The LABEL column is indexed as it is important that I can efficiently ...
AndreKR's user avatar
  • 173
2 votes
1 answer

Does triple ChaCha20 have 256-bit post-quantum security?

Experts suggested 3DES when AES wasn't developed yet, since meet-in-the-middle attack, they suggested triple DES. Grover's algorithm, a quantum algorithm, weakens symmetric encryptions, how about ...
Flan1335's user avatar
  • 361
1 vote
1 answer

Age: stream cipher with public key cryptography?

I have some rudimentary cryptography knowledge but am by no means an expert. I generally understand stream ciphers, such as such as ChaCha20-Poly1305, to be symmetric. I am wondering how age (https://...
incisor_supervisor's user avatar
0 votes
1 answer

Do multiple keys mitigate Grover algorithm?

Grover, a quantum algorithm, weakens AES and ChaCha20. Is it possible to use multiple symmetric keys to encrypt a message multiple times to achieve 256-bit security for quantum computers?
Flan1335's user avatar
  • 361
1 vote
1 answer

XChaCha20-Poly1305 question about IV's

I've a question about XChaCha20-Poly1305, from a brute force perspective. Suppose we have the power to brute force crack it. If the IV is known to the attacker and it's only one file. The time needed ...
Andrew's user avatar
  • 13
7 votes
2 answers

Fast cipher without needing hardware support (like ChaCha20) for disk encryption

On my old laptop, ChaCha20 is quite a bit faster than AES as there is no hardware acceleration for AES. But for disk encryption AES based schemes seem to be the only option, as a stream cipher like ...
JanKanis's user avatar
  • 233
2 votes
0 answers

Why is using ChaCha20 for disk encryption insecure? Why do we use XTS over CTR for disk encryption? If we used ChaCha20 (without authentication) by simply encrypting each disk sector with the same ...
Mihai's user avatar
  • 21
4 votes
0 answers

ChaCha-based Sponge PRNG fails PractRand suite

TL;DR: My simple ChaCha-based sponge PRNG is getting "unusual" evaluation from PractRand test battery pretty reliably, sometimes even within the first GB; I'm trying understand why. I was in ...
Marandil's user avatar
  • 149
1 vote
1 answer

XChaCha20-Poly1305 vs Plain ChaCha20-Poly1305 performance

I know that the security of both are the same (only nonce size is different). But which one is faster and better to use, when encrypting a lot of files (500+, from 1MB to 200MB)?
kiiro's user avatar
  • 25
1 vote
1 answer

Is it possible to extend CMAC for ChaCha

CMAC is defined for AES for authentication. My question is pretty simple: is it possible to extend CMAC for ChaCha? Does it even make sense? I cannot find anything related and I am wondering if I am ...
Pol Henarejos's user avatar
0 votes
1 answer

Various attacks on cipher-images & tools, especially stream-cipher?

What kind of attack of image encryption that exist out there, especially if the cipherimage was created using secure stream-cipher like Salsa20 (256 key) or ChaCha20 (256 key)? From
akez's user avatar
  • 87
1 vote
1 answer

Dividing an encrypted file is secure against classical or quantum

I'm very new to cryptography and this may sound so foolish. Often I read quantum computers will brute force keys. Let's assume this is true (does it depend on key length? or on an algorithm? I don't ...
hajalev896's user avatar
6 votes
1 answer

is XChaCha20 stronger than ChaCha20?

Some of the encrypted messenger apps and password managers use extended version of Bernstein's ciphers and some of them not. Viber-Salsa20 Wire-ChaCha20 Threema-XSalsa20 Sid-Salsa20 Nordpass-XChaCha20 ...
barzo66's user avatar
  • 61
1 vote
0 answers

Is ChaCha20 + HMAC(SHA3) output indistinguishable from randomness?

I was wondering, if the output of following type of ChaCha + HMAC scheme is indistinguishable from randomness: ...
The amateur programmer's user avatar
0 votes
1 answer

ChaCha Single-Use RNG with All Zero Plaintext + Nonce

I am creating an internal application that will be used to generate and manage self-signed certificates and certificate authorities. Its primary use will be for generating certificates used in SSL ...
Goodies's user avatar
  • 145
4 votes
0 answers

Why Block Ciphers

I​ fail to understand what block ciphers can do that stream ciphers cannot. Also aren't they construct able from one another. prg(stream cipher) -> prf -> prp(block cipher) Any practical example ...
xzijoq's user avatar
  • 41
0 votes
1 answer

What is the lightest cipher that provides AES like security?

The lightest, or fastest cipher, that is well known and quite secure like AES. Is ChaCha20 a good option? Are there any better alternatives that are faster but still as secure?
imdoingmath's user avatar
2 votes
1 answer

XChaCha20 vs AES 128 security and speed

Is XChaCha20 with 256 bit key and 192 bit nonce more secure than 128 bit key 128 bit key nonce AES, due to using larger key/nonce sizes? Isn't it supposed to be faster due to being a stream cipher? (...
imdoingmath's user avatar
1 vote
1 answer

How to interpret algorithm diagrams

It's been a while since I know about cryptography, and always end up seing diagrams like this. However I have never been able to understang their meaning. I hope someone can explain in detail. Thank ...
MetabaseqUser1's user avatar
0 votes
1 answer

Encrypting two messages with the same content with different keys/IVs still secure if attacker knows they are the same?

I want to store two ciphertexts inside the same file. The data stored in each ciphertext is the same (except for padding), but the data was encrypted with different keys and IVs. Both ciphertexts were ...
slee69's user avatar
  • 25
1 vote
2 answers

Faster cipher than AES256-CBC to use for DRM purpose

I have to develop a program using a "secret" locally stored encoded program for a school project. For this I have to decipher the code on the fly to use it. The project recommend the use of ...
Job Valère's user avatar
0 votes
0 answers

Nonces in chacha20poly1305 vs chacha20

I'm currently working on replacing the chacha20 encryption in my app with chacha20poly1305, but I'm running into a few questions that I can't seem to find clear answers to, mainly stemming from the ...
Keegan Conlee's user avatar
0 votes
0 answers

Applicability of theoretical attack procedure in actual attack to ChaCha cipher

I was studying the theoretical attacks on ChaCha cipher here (See section 3). There is one special attack procedure which require key-IV(Initial Vector) pairs. These key-IV pairs are special in the ...
hiren_garai's user avatar
0 votes
1 answer

XChaCha20 With a Zeroed Nonce?

We know that for ChaCha20 and XChaCha20, the same key can never be used with the same nonce. But let's say I use a random 256-bit key every time... Then the nonce can be whatever because the key is ...
Evan Su's user avatar
  • 449
0 votes
1 answer

Can the security of Salsa20/Chacha20 be expanded to 448-bits if I fill the nonce and the Nothing-up-my-sleeve numbers with key material?

As I studied, Salsa20/Chacha20 is basically a hash function that accepts a 64-byte input and returns a output of the same size of input. 128-bits of the input are filled with four "Nothing-up-my-...
phantomcraft's user avatar
1 vote
0 answers

xChaCha20 Block Keys for Poly1305

So xChaCha20 has a nonce size large enough to safely use a random nonce with the same key. Poly1305 generally uses the first block of the cipher's output to generate its nonce. For xChaCha20 it would ...
Keith's user avatar
  • 123
0 votes
1 answer

How to choose between AES256-GCM, XSalsa20Poly1305 and XChaCha20Poly1305?

In libsodium, there're 3 symmetric encryption(stream cipher) which are AES256-GCM(Hardware-accelerated), XSalsa20Poly1305 and XChaCha20Poly1305(uncertain which version of libsodium add support to ...
Hern's user avatar
  • 159
1 vote
0 answers

What is the best way to save ChaCha20 Nonce in Cipher-Image BMP file?

I have a question about ChaCha20. As far as I know ChaCha20 is a cipher algorithm that uses 4 inputs: Key (secret) Constant (not secret) Block Number/Counter (keystream block number) Nonce (random ...
akez's user avatar
  • 87
1 vote
1 answer

Does Salsa20/ChaCha20 still provide Integrity when Encrypt Bitmap?

Forgive me for this question. I have an idea to encrypt *.bmp bitmap files using ChaCha20/Salsa20 without Poly1305. This is just a simple program, where I can encrypt *.bmp bitmap images, with the ...
akez's user avatar
  • 87
0 votes
1 answer

Where can I find test vectors for ChaCha20 (trying to understand Wikipedia example)?

I was playing around with stream ciphers an found this Wikipedia ChaCha20 page (the ChaCha variant). What I'm lost with is how to test this code. There are no testvectors anywhere on that page and I ...
The amateur programmer's user avatar
1 vote
0 answers

Impact of partitioning oracle attacks on file encryption?

I've just learned about partitioning oracle attacks recently, and I would like to clarify some things that are a little foggy to me right now. According to this thread, The aim is the recovery of a ...
Evan Su's user avatar
  • 449
1 vote
1 answer

Is using only one or two test vector(s) for ChaCha20 enough for validation of coded algorithm?

For validating the ChaCha20 encryption/decryption algorithm written in VB.NET, I am looking for more ChaCha20 test vectors that are based on the final spec for ChaCha20 that can be found here. See the ...
DotNET Afficionado's user avatar
4 votes
1 answer

XSalsa20Poly1305 for encryption at rest

I just found a project that used XSalsa20Poly1305 for transit and encryption at rest. I am trying to find some information if that is something worth trusting data to. It feels a little hard to put ...
tcurdt's user avatar
  • 143
3 votes
1 answer

It possible to encrypt .bmp bitmap files using Stream Cipher Chacha20?

Maybe this sounds like a stupid question. I'm sorry for that. I just wanted to know is it possible to encrypt a bitmap image file like *.BMP, and generate the ciphertext which is an obscure bitmap ...
akez's user avatar
  • 87
5 votes
1 answer

NIST LWC finalists (AEAD) vs ChaCha20-Poly1305

NIST LWC finalists announced. My question is that how finalists are faster or slower than current golden lightweight AEAD standard -- ChaCha20-Poly1305. Some benchmark among chacha20-poly1305 vs LWC ...
jannik's user avatar
  • 53
2 votes
3 answers

Benchmark for CSPRNG as stream ciphers?

My limitation in my security protocol is that I want my RNG as CSPRNG and I also want it to be super fast. If I use Salsa20 or ChaCha or AES counter mode, I don't get the desired speed. I want my PRNG ...
Masab Iqbal's user avatar

15 30 50 per page