LLMpedia

Salsa20

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Salsa20
Designer: Daniel J. Bernstein
Publish date: 2005
Key size: 128 or 256 bits
Block size: 64 bytes (512 bits)
Rounds: 8, 12, or 20
Structure: stream cipher, ARX construction
Related: ChaCha

Salsa20 is a stream cipher designed by Daniel J. Bernstein for high-speed software encryption, built from a simple ARX (Addition-Rotation-XOR) construction. It was published in 2005 and evaluated in many cryptographic venues, influencing modern designs and adoption across protocols, libraries, and operating systems.

Overview

Salsa20 was introduced by Daniel J. Bernstein and discussed in venues such as the RSA Conference, IACR, CRYPTO, Eurocrypt, USENIX, and Black Hat USA. It competes with ciphers like RC4, AES, ChaCha, Sosemanuk, and the Grain family for use in applications from OpenSSH to TLS implementations. The design emphasizes portability across processors such as x86, ARM, PowerPC, and SPARC, and platforms including the Linux kernel, FreeBSD, OpenBSD, Windows NT, and embedded systems like ARM Cortex-M microcontrollers. Salsa20's reception involved contributions and analysis by researchers at institutions like Bell Labs, MIT, Stanford University, ETH Zurich, University of California, Berkeley, University College London, and NIST.

Design and Specification

The algorithm uses a 512-bit state and operates on 32-bit words, with operations chosen to run well on CPUs including Intel Core, AMD Ryzen, ARM Cortex-A and IBM POWER and on vector extensions such as SSE2, AVX2, and NEON. The core repeatedly applies quarterround operations to the rows and columns of the state, resembling constructions discussed at the IETF, with 8, 12, or 20 rounds proposed (commonly termed Salsa20/8, Salsa20/12, and Salsa20/20). The cipher accepts 128-bit and 256-bit keys and a 64-bit nonce, used in contexts such as IPsec, SSH, the TLS handshake, and IEEE 802.11-related proposals. Specification documents circulated through archives at the IETF and the IACR ePrint Archive, and in presentations at DEF CON and CanSecWest.
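As an added illustration (not code from the original article or from any of the libraries it names), the following Python reference implementation shows the structure described above: the ARX quarterround, the column and row rounds over the 16-word (512-bit) state, the final feed-forward addition, and the expansion of a 128- or 256-bit key, 64-bit nonce, and 64-bit block counter into keystream. The rounds parameter selects Salsa20/8, Salsa20/12, or Salsa20/20.

```python
import struct

MASK = 0xFFFFFFFF  # all arithmetic is on 32-bit words

def rotl(v, n):
    """Rotate a 32-bit word left by n bits."""
    return ((v << n) | (v >> (32 - n))) & MASK

def quarterround(y0, y1, y2, y3):
    """The ARX primitive: add, rotate, xor; rotation amounts 7, 9, 13, 18."""
    z1 = y1 ^ rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3

# Word indices of the 4x4 state visited by the column round and the row round.
COLUMNS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))

def doubleround(x):
    """One columnround followed by one rowround, applied in place."""
    for a, b, c, d in COLUMNS + ROWS:
        x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])

def salsa20_block(state, rounds=20):
    """Salsa20/rounds core: rounds/2 doublerounds, then add the input state back."""
    x = list(state)
    for _ in range(rounds // 2):
        doubleround(x)
    return [(a + b) & MASK for a, b in zip(x, state)]

def salsa20_xor(key, nonce, data, rounds=20):
    """Encrypt or decrypt data with a 16- or 32-byte key and an 8-byte nonce."""
    if len(key) not in (16, 32) or len(nonce) != 8:
        raise ValueError("key must be 16 or 32 bytes and nonce 8 bytes")
    # The constant words differ by key size; a 16-byte key is loaded twice.
    const = b"expand 32-byte k" if len(key) == 32 else b"expand 16-byte k"
    c = struct.unpack("<4I", const)
    k = struct.unpack("<8I", key if len(key) == 32 else key * 2)
    n = struct.unpack("<2I", nonce)
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 64)):
        # State layout: constants on the diagonal, key, nonce, 64-bit counter.
        state = [c[0], *k[:4], c[1], *n, blk & MASK, blk >> 32, c[2], *k[4:], c[3]]
        keystream = struct.pack("<16I", *salsa20_block(state, rounds))
        out.extend(a ^ b for a, b in zip(data[i:i + 64], keystream))
    return bytes(out)
```

Because the keystream depends only on the key, nonce and counter, encrypting two messages under the same (key, nonce) pair XORs them with identical keystream; the nonce must be unique per message under a given key.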

Security Analysis

Salsa20's security has been the subject of cryptanalysis by teams including researchers at Microsoft Research, Google, IBM Research, Universidade de Coimbra, École Polytechnique, Ruhr University Bochum, and Nanyang Technological University, and by independent cryptographers such as Mihir Bellare, Phil Zimmermann, and Bruce Schneier-style commentators in public forums. Attacks published at Eurocrypt, Asiacrypt, CHES, CRYPTO, and in the IACR ePrint Archive explored reduced-round distinguishers, differential cryptanalysis, and rotational cryptanalysis; the results generally affect only reduced-round variants. Comparative evaluations in workshops at the USENIX Security Symposium and reviews by NIST emphasized resistance in the known-plaintext, chosen-plaintext, and chosen-ciphertext models when the cipher is used with proper nonces and the key-management practices applied in PKCS-style deployments and X.509 infrastructures.

Performance and Implementation

Implementations of Salsa20 exist in software libraries and projects such as OpenSSL, LibreSSL, BoringSSL, libsodium, NaCl, GnuPG, OpenSSH, WireGuard, OpenVPN, QUIC research implementations, and language runtimes for Java, Python, Go, Rust, Node.js, and the .NET Framework. Optimizations leverage CPU features like AVX, AVX2, SSSE3, NEON, and BMI2 on processors from Intel, AMD, Qualcomm, and Apple Silicon. Benchmarks reported at venues including SPEC, ECRYPT Benchmarking, and the Crypto Forum Research Group show favorable throughput and low code size relative to block ciphers in CBC mode, GCM, or OCB when used in stream configurations. Hardware implementations target FPGAs such as those by Xilinx and Intel (Altera), and ASIC designs for IoT platforms from ARM Holdings and MIPS Technologies.

Applications and Adoption

Salsa20 has been adopted in protocols and products including OpenSSH, the Tor Project, WireGuard, Signal, WhatsApp, Telegram Messenger, Dropbox, and secure file systems and disk encryption solutions in Linux distributions like Debian and Ubuntu. It is available in cryptographic toolkits used by the Mozilla Foundation, Google Chrome, Apple, Microsoft Edge, and projects maintained by Cloudflare and Amazon Web Services. Standards discussions have appeared in IETF drafts and influenced designs in the NIST Lightweight Cryptography discourse, with academic courses at Carnegie Mellon University, Harvard University, and Princeton University using Salsa20 as a teaching example.

Variants and Extensions

Notable variants and related constructions include ChaCha (a derivative with modified rotation constants), the XSalsa20 extension providing a longer nonce, and combination modes such as Salsa20 with Poly1305 for authenticated encryption. Research variants and parameter explorations were published by groups at INRIA, EPFL, TU Darmstadt, the University of Bristol, and CWI, influencing new proposals in competitions like the SHA-3 competition and later authenticated-encryption evaluations at CAESAR. Implementations in libraries such as libsodium offer XSalsa20-Poly1305 and support multiuser key management used in projects like the Matrix protocol, the Signal Protocol, and distributed storage projects at MIT CSAIL.
