Salsa and ChaCha
- Uses 32-bit addition, left rotation and XOR
- These are fast CPU instructions, usually around 4-14 cycles per byte of data
- Avoids timing attacks
- Uses a 256-bit key, 64-bit nonce and 64-bit counter to produce a 512-bit output block
- Can seek to any position in the keystream by changing the position (counter) value
https://medium.com/asecuritysite-when-bob-met-alice/time-for-a-cha-cha-or-a-salsa-b33ad5a05be3
Salsa
- Can have a variation of rounds
- Salsa8 is 8 rounds
- Salsa12 is 12 rounds
- Salsa20 is 20 rounds
- Requires a 256-bit key and a random 64-bit nonce
- Can use a 128-bit key, but the key is then repeated in the other 128 bits
Security
- The best known attack can only affect 8-round Salsa.
- This is still a computationally intensive attack that also requires knowledge of all of the other initial variables except the secret key
- The security of both Salsa20 and ChaCha depends on attackers not being able to discover half of the internal state; otherwise they could invert the computation.
Extended IV Salsa (XSalsa)
- Uses a 192-bit IV
- Decreases the risk of IV reuse attacks
ChaCha
- Requires a 256-bit key and a random 64-bit nonce
- Can use a 128-bit key, but the key is then repeated in the other 128 bits
- Arranges the inputs in a different order than Salsa
Implementation
'''
|"expa"|"nd 3"|"2-by"|"te k"|
|Key |Key |Key |Key |
|Key |Key |Key |Key |
|Pos. |Pos. |Nonce |Nonce |
'''
#First row of 4 ints
#If it is a 128 bit key just repeat the key
= b
+=
= b
# Second and Third Row of key data
+=
#Fourth Row of position and IV
+= +
return
'''
|"expa"|"nd 3"|"2-by"|"te k"|
|Key |Key |Key |Key |
|Key |Key |Key |Key |
|Nonce |Nonce |Nonce |Nonce |
'''
#First row of 4 ints
#If it is a 128 bit key just repeat the key
= b
+=
= b
# Second and Third Row of key data
+=
#Fourth Row of position and IV
+=
return
'''
|"expa"|Key |Key |Key |
|Key |"nd 3"|Nonce |Nonce |
|Pos. |Pos. |"2-by"|Key |
|Key |Key |Key |"te k"|
'''
#If a 128 bit key repeat the key
= b + + b
+= +
+= b + + b
= b + + b
+= +
+= b + + b
return
'''
|"expa"|Key |Key |Key |
|Key |"nd 3"|Nonce |Nonce |
|Pos. |Pos. |"2-by"|Key |
|Key |Key |Key |"te k"|
'''
#If a 128 bit key repeat the key
= b + + b
+=
+= b + + b
= b + + b
+=
+= b + + b
return
=
=
=
=
return
=
=
=
=
=
=
=
=
=
=
=
=
return
#print(f"Intial State: {key_input}")
=
#Do 10 Rounds of both rows and diagonals
#Do Each Column
, , , =
, , , =
, , , =
, , , =
#Do Each Diagonal
, , , =
, , , =
, , , =
, , , =
#print(f"Full Subkey: {temp_round}")
return
#print(f"Intial State: {key_input}")
=
#Do 10 Rounds of both rows and diagonals
#Do Each Column Shifted down
, , , =
, , , =
, , , =
, , , =
#Do Each Row
, , , =
, , , =
, , , =
, , , =
#print(f"Full Subkey: {intarray_to_bytes(temp_round,4).hex()}")
return
=
#Do 10 Rounds of both rows and diagonals
#Do Each Column Shifted down
, , , =
, , , =
, , , =
, , , =
#Do Each Row
, , , =
, , , =
, , , =
, , , =
#Add the previous key_schedule and the current temp_round
#Then get only the 32bits of
=
return
=
#Do 10 Rounds of both rows and diagonals
#Do Each Column
, , , =
, , , =
, , , =
, , , =
#Do Each Diagonal
, , , =
, , , =
, , , =
, , , =
#Add the previous key_schedule and the current temp_round
#Then get only the 32bits of
=
return
#Generate sub key
=
#print(master_key_input, len(master_key_input))
=
#for x in master_key_schedule:
# print(int_to_bytes(x).hex())
=
return
return
#Initialize output
= b
#Generate key box
=
#print(key_input, len(key_input))
=
#Encrypt the message
=
#Update the position in the key_schedule
=
=
#print(f"KeySchedule2: {key_schedule}")
#Convert key_input to byte string and xor against the message
+=
return
#Generate sub key
=
#print(master_key_input, len(master_key_input))
=
#for x in master_key_schedule:
# print(int_to_bytes(x).hex())
=
return
return
#Initialize output
= b
#Generate key box
=
#print(key_input.hex(), len(key_input))
=
#Encrypt the message
=
#Update the position in the key_schedule by adding one
=
=
#print(f"KeySchedule2: {key_schedule}")
#Convert key_input to byte string and xor against the message
+=
return
#Test 128 bit ChaCha20 https://github.com/secworks/chacha_testvectors/blob/master/src/chacha_testvectors.txt
=
=
=
#Key stream 1: 826abdd84460e2e9349f0ef4af5b179b426e4b2d109a9c5bb44000ae51bea90a496beeef62a76850ff3f0402c4ddc99f6db07f151c1c0dfac2e56565d6289625
#Key stream 2: 5b23132e7b469c7bfb88fa95d44ca5ae3e45e848a4108e98bad7a9eb15512784a6a9e6e591dce674120acaf9040ff50ff3ac30ccfb5e14204f5e4268b90a8804
#Test 256 bit ChaCha20 https://github.com/secworks/chacha_testvectors/blob/master/src/chacha_testvectors.txt
=
=
=
#Key stream 1: 9fadf409c00811d00431d67efbd88fba59218d5d6708b1d685863fabbb0e961eea480fd6fb532bfd494b2151015057423ab60a63fe4f55f7a212e2167ccab931
#Key stream 2: fbfd29cf7bc1d279eddf25dd316bb8843d6edee0bd1ef121d12fa17cbc2c574cccab5e275167b08bd686f8a09df87ec3ffb35361b94ebfa13fec0e4889d18da5
#Test 128 bit Salsa20 https://github.com/alexwebr/salsa20/blob/master/test_vectors.128
=
=
=
#Key stream 1: 8b354c8f8384d5591ea0ff23e7960472b494d04b2f787fc87b6569cb9021562ff5b1287a4d89fb316b69971e9b861a109cf9204572e3de7eab4991f4c7975427
#Key stream 2: 5d33f4322125f8e89526e1ea1d83fbeb4e0905ac77e94f7e239a471087addc4dab09cdf55f06d01f833c9b909c108f9ee75c4331be50f583f525953051c7b70c
#Test 256 bit Salsa20 https://github.com/alexwebr/salsa20/blob/master/test_vectors.256
=
=
=
#Key stream 1: 3fe85d5bb1960a82480b5e6f4e965a4460d7a54501664f7d60b54b06100a37ffdcf6bde5ce3f4886ba77dd5b44e95644e40a8ac65801155db90f02522b644023
#Key stream 2: d5af60802b6fa74e3f2a5dbd4fa3f8b76e012ce9aa3a5747b96857a630f5462a0d21dd8d07ea722c72b31567eb7f4db1e6b3f03c0f3f2df4beb68a50d86df81a
#Test XChaCha https://tools.ietf.org/id/draft-arciszewski-xchacha-01.html#rfc.section.2
=
=
=
#SubKey: 82413b4227b27bfed30e42508a877d73a0f9e4d58a74a853c12ec41326d3ecdc
#Key Stream: e5082ea6e894d4b62d38f23e2ea2d05039f7f513856a980147b6b439592e9cd33c06eefa3ceaa34deb0a3e8d32b73198897640e9efda66bfc2526f26a5c62c11
#Key Stream: 88995280e9f0cd12d3ee63d0908da731abfabe363b1c3a6fc905f84897637cd866b7b254ecc6d03db4adfce9e183d2a1b7d60921352e39d1e6347c9a749db066
#Test XChaCha https://tools.ietf.org/id/draft-arciszewski-xchacha-01.html#rfc.section.2
=
=
=
=
#SubKey: 4a8ac0c0296222bafe959faabe06a45b89a3cee444fef6e3d77659a53f49ee32
#Ciphertext:
#Test XSalsa http://cr.yp.to/highspeed/naclcrypto-20090310.pdf
=
=
#plaintext = bytes.fromhex(b"Test"*30)
=
#SubKey: dc908dda0b9344a953629b733820778880f3ceb421bb61b91cbd4c3e66256ce4
#Key Stream: eea6a7251c1e72916d11c2cb214d3c252539121d8e234e652d651fa4c8cff880309e645a74e9e0a60d8243acd9177ab51a1beb8d5a2f5d700c093c5e55855796
#Key Stream: 25337bd3ab619d615760d8c5b224a85b1d0efe0eb8a7ee163abb0376529fcc09bab506c618e13ce777d82c3ae9d1a6f972d4160287cbfe60bf2130fc0a6ff60430)
Extended IV ChaCha (XChaCha)
- Uses HChaCha with the key and the first 128 bits of the IV to generate a subkey that is used in the ChaCha encryption.
- 256-bit key, 192-bit nonce with 20 rounds
Extended IV Salsa (XSalsa)
- Uses HSalsa with the key and the first 128 bits of the IV to generate a subkey that is used in the Salsa encryption.
- 256-bit key, 192-bit nonce with 20 rounds
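The Salsa layout with the constants on the diagonal, the variable round count (Salsa8/12/20) and the HSalsa subkey step described above, as an added example that is not code from the original page. The function names are chosen here for illustration, and only 256-bit keys are handled.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")
# Word indices of each quarter round: columns (shifted down), then rows
COLUMNS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)]
ROWS = [(0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def quarter_round(y0, y1, y2, y3):
    # Salsa20 quarter round: add, rotate, XOR with rotations 7, 9, 13, 18
    y1 ^= rotl((y0 + y3) & MASK, 7)
    y2 ^= rotl((y1 + y0) & MASK, 9)
    y3 ^= rotl((y2 + y1) & MASK, 13)
    y0 ^= rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3

def permute(state, rounds=20):
    # One loop pass is a double round (columns + rows): 4/6/10 passes for Salsa8/12/20
    s = list(state)
    for _ in range(rounds // 2):
        for a, b, c, d in COLUMNS + ROWS:
            s[a], s[b], s[c], s[d] = quarter_round(s[a], s[b], s[c], s[d])
    return s

def salsa_state(key, mid16):
    # Constants on the diagonal, key halves around them, 16 input bytes in words 6..9
    k = struct.unpack("<8I", key)
    m = struct.unpack("<4I", mid16)
    return [SIGMA[0], *k[:4], SIGMA[1], *m, SIGMA[2], *k[4:], SIGMA[3]]

def salsa20_block(key, nonce8, counter, rounds=20):
    # Words 6..7 = nonce, words 8..9 = 64-bit block position
    state = salsa_state(key, nonce8 + struct.pack("<Q", counter))
    mixed = permute(state, rounds)
    # Feed-forward: adding the input state makes the block function non-invertible
    return struct.pack("<16I", *((m + s) & MASK for m, s in zip(mixed, state)))

def hsalsa20(key, nonce16):
    # No counter and no feed-forward; output is the diagonal plus words 6..9
    z = permute(salsa_state(key, nonce16))
    return struct.pack("<8I", *(z[i] for i in (0, 5, 10, 15, 6, 7, 8, 9)))

def xsalsa20_block(key, nonce24, counter):
    # First 128 nonce bits derive the subkey, last 64 bits are the Salsa20 nonce
    return salsa20_block(hsalsa20(key, nonce24[:16]), nonce24[16:], counter)
```

With the naclcrypto paper's inputs (key `1b27556473e985d462cd51197a9a46c76009549eac6474f206c4ee0844f68389`, first 16 nonce bytes `69696ee955b62b73cd62bda875fc73d6`), `hsalsa20` returns the XSalsa SubKey listed in the test comments above.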
HChaCha
- No counter but a bigger nonce
- Output is only the first and last rows
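The ChaCha state layout, the HChaCha subkey derivation (first and last rows, no counter) and keystream seeking in XChaCha, as an added example that is not code from the original page. The function names are chosen here for illustration, and only 256-bit keys are handled.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")
COLUMNS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)]
DIAGONALS = [(0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def quarter_round(s, a, b, c, d):
    # Four add / XOR / rotate steps with rotations 16, 12, 8, 7
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & MASK
        s[z] = rotl(s[z] ^ s[x], r)

def permute(state, rounds=20):
    # One loop pass is a double round: 4 column rounds, then 4 diagonal rounds
    s = list(state)
    for _ in range(rounds // 2):
        for idx in COLUMNS + DIAGONALS:
            quarter_round(s, *idx)
    return s

def chacha_state(key, last16):
    # Row 1 constants, rows 2-3 key, row 4 the remaining 16 input bytes
    return [*SIGMA, *struct.unpack("<8I", key), *struct.unpack("<4I", last16)]

def chacha20_block(key, nonce8, counter):
    # Row 4 = 64-bit position followed by the 64-bit nonce
    state = chacha_state(key, struct.pack("<Q", counter) + nonce8)
    mixed = permute(state)
    # Feed-forward: adding the input state makes the block function non-invertible
    return struct.pack("<16I", *((m + s) & MASK for m, s in zip(mixed, state)))

def hchacha20(key, nonce16):
    # Row 4 is all nonce (no counter); output first and last rows, no feed-forward
    z = permute(chacha_state(key, nonce16))
    return struct.pack("<8I", *(z[:4] + z[12:]))

def xchacha20_xor(key, nonce24, data, counter=0):
    # Subkey from the first 128 nonce bits; the last 64 bits are the ChaCha nonce.
    # `counter` selects the starting 64-byte block, which is how seeking works.
    subkey = hchacha20(key, nonce24[:16])
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(subkey, nonce24[16:], counter + off // 64)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)
```

With the XChaCha draft's HChaCha20 inputs (key `00 01 .. 1f`, nonce `000000090000004a0000000031415927`), `hchacha20` returns the first SubKey listed in the test comments above.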