# Salsa20

Salsa20 (also Snuffle 2005) is a stream cipher developed by Daniel J. Bernstein in 2005. Salsa20/12, the version reduced to 12 rounds, is one of the finalists of the European eSTREAM project (Profile 1, software applications). Salsa20 is free of patents.

## Formation

Daniel J. Bernstein developed Snuffle in 2005 as a response to earlier U.S. attempts to restrict cryptographic publications. Hash functions were excluded from those restrictions; Snuffle 2005 showed that strong encryption can also be built from hash functions.

## Variants

Salsa20 Core is the core of various hash functions and stream ciphers.

- Salsa20 or Snuffle 2005 is a family of 256-bit stream ciphers; Salsa20/20 with 20 rounds is intended as the standard.
- Salsa20/12 with 12 rounds, for time-critical applications, was a finalist in the eSTREAM project, a European competition for stream ciphers.
- Salsa20/8 with 8 rounds, for time-critical applications, is used in the key derivation function scrypt.

Salsa10 is the precursor of Salsa20 introduced in 2004.

Salsa20 components are also used in the compression function Rumba20.

## Design

Salsa20 is based on a few simple operations and is thus similar in structure to the encryption functions XTEA and IDEA. The conservative design achieves good and consistent software performance on many CPUs and substantial resistance against some side-channel attacks (timing attacks). The core is a function that maps key, nonce and counter to a 64-byte block. The function consists of a long chain of three operations: 32-bit addition, 32-bit XOR and 32-bit rotation (by constant distances). For the stream cipher, the function is used in counter mode and its output is combined with the plaintext by exclusive OR (XOR). The recommended key length is 256 bits, but shorter keys are possible. Salsa20 can be implemented compactly and is fast and memory-friendly.

## Security

Using a new method based on probabilistic neutral bits (PNBs), Aumasson et al. presented in 2008 an attack on Salsa20/7, Salsa20/8, ChaCha6, ChaCha7 and Rumba3, in which, among others, Salsa20/7 (128-bit key) could be broken with a time complexity of 2^111, a data complexity of 2^21 and a success rate of 50%. In 2012 this attack was improved again by Shi et al. The best cryptanalysis of the round-reduced variants of Salsa20 and ChaCha is therefore (as of November 2013):

- Salsa20/7 (128-bit key): time complexity 2^109, space complexity 2^19. For illustration: the supercomputer Roadrunner would need about 20,580,831,662 years for this and would also need access to the ciphertexts corresponding to freely chosen plaintexts (chosen-plaintext attack). This leaves aside the possibility of parallelization, however; Daniel J. Bernstein, the inventor of Salsa20, therefore considers 128-bit keys "uncomfortably risky".
- ChaCha6 (128-bit key): time complexity 2^105, space complexity 2^28