Salsa20 (also known as Snuffle 2005) is a stream cipher developed by Daniel J. Bernstein in 2005. In the European eSTREAM project, the version reduced to 12 rounds, Salsa20/12, is one of the finalists (Profile 1, software applications). Salsa20 is free of patents.


Daniel J. Bernstein developed Snuffle in 2005 as a response to earlier U.S. attempts to restrict cryptographic publications. Hash functions were excluded from those restrictions; Snuffle 2005 showed that strong encryption can also be built from hash functions.


Salsa20 Core is the core of various hash functions and stream ciphers.

  • Salsa20 or Snuffle 2005 is a family of 256-bit stream ciphers: Salsa20/20 with 20 rounds is intended as the standard.
  • Salsa20/12 with 12 rounds, for time-critical applications, was a finalist in the eSTREAM project, a European competition for stream ciphers.
  • Salsa20/8 with 8 rounds, for time-critical applications, is used in the key derivation function scrypt.

Salsa10, introduced in 2004, is the precursor of Salsa20.

Salsa20 components are also used in the compression function Rumba20.


Salsa20 is based on a few simple operations and is thus similar in structure to the encryption functions XTEA and IDEA. Its conservative design achieves good and consistent software performance on many CPUs and substantial resistance against some side-channel attacks (timing attacks). The core is a function that maps key, nonce and counter to a 64-byte block. The function consists of a long chain of three operations: 32-bit addition, 32-bit XOR and 32-bit rotation (by constant distances). For the stream cipher, the result of the function is used in counter mode and combined with the plaintext by exclusive OR (XOR). The recommended key length is 256 bits, but shorter keys are possible. Salsa20 has a compact implementation and is fast and memory-friendly.


Using a new method based on probabilistic neutral bits (PNBs), Aumasson et al. presented in 2008 an attack on Salsa20/7, Salsa20/8, ChaCha6, ChaCha7 and Rumba3, in which, among others, Salsa20/7 (128-bit key) could be broken with a time complexity of 2^111, a data complexity of 2^21 and a success rate of 50%. In 2012 this attack was improved again by Shi et al. The best cryptanalysis of the round-reduced variants of Salsa20 and ChaCha is therefore (as of November 2013):

  • Salsa20/7 (128-bit key): time complexity 2^109, space complexity 2^19. For illustration: the supercomputer Roadrunner would need about 20,580,831,662 years for this and would also need access to the ciphertexts corresponding to freely chosen plaintexts (chosen-plaintext attack). This leaves aside the possibility of parallelization, however; Daniel J. Bernstein, the inventor of Salsa20, therefore considers 128-bit keys "uncomfortably risky".
  • ChaCha6 (128-bit key): time complexity 2^105, space complexity 2^28