
Questions tagged [chacha]

ChaCha is a family of stream ciphers proposed by Daniel J. Bernstein, as an evolution of Salsa20 with (conjecturally) improved resistance to cryptanalysis.

8 votes
1 answer
1k views

Understanding the impact of partitioning oracle attacks on stream ciphers

Yesterday I came across some conversation discussing partitioning oracle attacks, against authenticated stream ciphers like ChaCha20 and Salsa20 with poly1305 for MAC. As I understand it (though the ...
Woodstock • 1,434

20 votes
3 answers
1k views

Collision or second preimage for the ChaCha core?

Daniel J. Bernstein's ChaCha core is an evolution of the Salsa20 core. Both are functions over the set of 512-bit bitstrings, partitioned as sixteen 32-bit words. Can we exhibit collisions, or second-...
fgrieu • 143k

1 vote
1 answer
3k views

How to generate a nonce for ChaCha20 Poly1305?

I am using a self implementation of ChaCha20 with Poly1305. Since the nonce is only 96 bits it cannot be chosen at random. Can anyone suggest an efficient method to generate nonce from the key?
Aravind A • 1,030

10 votes
2 answers
5k views

Changing an Encryption scheme from AES to ChaCha20

I am using the AES cipher for my OTT platform. Almost all Chip vendors (ARM, Intel, etc) have built-in AES for faster and secure processing. Now, how feasible it is to move from AES to ChaCha20? ...
SSA • 650

9 votes
2 answers
5k views

Does ChaCha20/Salsa have the same bit strength as AES for identical key sizes?

Does ChaCha20/Salsa have the same bit strength as AES for identical key sizes? In other words, does ChaCha20 with a 128-bit key theoretically require 2^128 attempts to brute force, as with AES-128? ...
Woodstock • 1,434

6 votes
1 answer
7k views

What happens if a nonce is reused in ChaCha20-Poly1305?

In ChaCha20-Poly1305, I know that reusing a nonce loses confidentiality and integrity for all messages encrypted with the (key, nonce) pair. However, is security affected for those messages encrypted ...
Demi • 4,793

10 votes
1 answer
984 views

Can I use the ChaCha core as a 256-bit to 256-bit one-way function?

I'm looking to implement Lamport signatures as a little fun project, and I need a fast one way function that maps $\{0,1\}^{256} \rightarrow \{0,1\}^{256}$. I was wondering whether I could safely use ...
orlp • 4,310

2 votes
2 answers
1k views

Salsa20 / ChaCha with 128 bit keys

According to Wikipedia both Salsa20 and ChaCha support both 128 and 256-bit keys. The initial state for each has 8 words of key, where each word is 32 bits. 32*8 = 256. My question is... how is one ...
neubert • 2,939

63 votes
5 answers
101k views

What's the appeal of using ChaCha20 instead of AES?

I read about ChaCha20 being used in TLS by Google, SSH, and towards standardization in general. What's the appeal of using something other than AES, what with AES receiving dedicated CPU instructions ...
JDługosz • 733

10 votes
1 answer
782 views

Can reduced-round ChaCha be used as non-cryptographic fast PRNG to produce output indistinguishable from random data?

The fastest known attack against the Salsa20 family of stream ciphers requires $2^{137}$ simple operations against Salsa20/7, or $2^{244}$ against Salsa20/8. The 8-round version encrypts data at 1.88 cycles-per-...
forest • 15.4k

6 votes
1 answer
1k views

Would it be safe to use the message hash as the IV in ChaCha?

This seemed like an option if the hash is unpredictable. It could be the hash of the message or the hash of the message + some common secret (apart from the key). The only circumstance in which the ...
alandefreitas

4 votes
1 answer
1k views

Advantages of HS1-SIV over ChaCha20-Poly1305-SIV?

What advantages does HS1-SIV have over ChaCha20-Poly1305-SIV? I know that both use the ChaCha stream cipher, but I am trying to understand why HS1-Hash is a better MAC. Edit: To hide the Poly1305 ...
Demi • 4,793

4 votes
1 answer
1k views

chacha20-poly1305 padding and length encoding

The AEAD construction for chacha20-poly1305 described in the IETF proposal encodes message lengths into the text that is to be hashed. The newer proposal goes further and pads associated data and ...
dietr • 143

3 votes
1 answer
5k views

Is XChacha20 - Poly1305 Quantum resistant?

This is a question just out of curiosity, as I am a newbie to Post Quantum Cryptography. I have read several articles where they emphasize that current standardised symmetric encryption algorithms (...
Aravind A • 1,030

2 votes
2 answers
411 views

ChaCha with 64bit integers as a PRNG with streams

Can I use ChaCha with four rounds as a good non-cryptographic PRNG with different streams if I use 64 bit integers instead of the standard 32 bit integers? I need a bigger state and this seems the ...
Thorham • 223
