**Salsa20** is a stream cipher submitted to eSTREAM by Daniel Bernstein. It is built on a pseudorandom function based on 32-bit addition, bitwise addition (XOR) and rotation operations, which maps a 256-bit key, a 64-bit nonce, and a 64-bit stream position to a 512-bit output; this gives Salsa20 the unusual advantage that the user can efficiently seek to any position in the output stream. It offers speeds of around 8–14 cycles/byte in software on modern x86 processors, and reasonable hardware performance. It is not patented, and Bernstein has written several public domain implementations optimized for common architectures [1].
Internally, the cipher uses bitwise addition (exclusive OR), 32-bit addition mod 2^{32}, and constant-distance rotation operations on an internal state of 16 32-bit words. This choice of operations avoids the possibility of timing attacks in software implementations.
Salsa20 performs 20 rounds of mixing on its input; however, reduced round variants Salsa20/8 and Salsa20/12 using 8 and 12 rounds respectively have also been introduced. These variants were introduced to complement the original Salsa20, not to replace it, and perform even better in the eSTREAM benchmarks than the already competitive Salsa20. As of 2006, no cryptanalytic attacks against Salsa20, Salsa20/12, or Salsa20/8 have been recognised. In 2005, Paul Crowley reported a 2^{165}-operation attack on Salsa20/5 using truncated differential cryptanalysis ^{[1]} and won Bernstein's US$1000 prize for "most interesting Salsa20 cryptanalysis". In 2006, Fischer, Meier, Berbain, Biasse, and Robshaw reported a 2^{177}-operation attack on Salsa20/6.^{[2]}
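The add-rotate-XOR function and the seekable keystream described above, as an added Python example that is not code from this page or from Bernstein's implementations. The rotation distances (7, 9, 13, 18), the `expand 32-byte k` constant and the word layout are taken from Bernstein's Salsa20 specification rather than from this page; the key and nonce in the demo are constructed sample values.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # constants from the Salsa20 spec

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def quarterround(a, b, c, d):
    # Only 32-bit addition, XOR and constant-distance rotation are used.
    b ^= rotl((a + d) & MASK, 7)
    c ^= rotl((b + a) & MASK, 9)
    d ^= rotl((c + b) & MASK, 13)
    a ^= rotl((d + c) & MASK, 18)
    return a, b, c, d

# Index quadruples: four columns, then four rows (together one double round).
QUADS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
         (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def salsa20_block(key, nonce, position, rounds=20):
    """Map (256-bit key, 64-bit nonce, 64-bit block position) to 512 bits."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("need a 32-byte key and an 8-byte nonce")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    p = (position & MASK, (position >> 32) & MASK)
    init = [SIGMA[0], *k[:4], SIGMA[1], *n, *p, SIGMA[2], *k[4:], SIGMA[3]]
    x = list(init)
    for _ in range(rounds // 2):  # rounds=8 or 12 gives Salsa20/8, Salsa20/12
        for a, b, c, d in QUADS:
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])
    return struct.pack("<16I", *[(u + v) & MASK for u, v in zip(x, init)])

def salsa20_xor(key, nonce, data, offset=0, rounds=20):
    """XOR data with the keystream starting at byte `offset` (seekable)."""
    out = bytearray()
    block, skip = divmod(offset, 64)  # jump straight to the right block
    while len(out) < len(data):
        ks = salsa20_block(key, nonce, block, rounds)[skip:]
        chunk = data[len(out):len(out) + len(ks)]
        out += bytes(m ^ s for m, s in zip(chunk, ks))
        block, skip = block + 1, 0
    return bytes(out)

if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(8)  # constructed sample values
    ct = salsa20_xor(key, nonce, b"A" * 100)
    print(salsa20_xor(key, nonce, ct[70:], offset=70))  # decrypts only the tail
```

Because each 64-byte block depends only on the key, nonce and block position, decrypting from byte 70 computes blocks 1 onward and never touches block 0. Reusing a (key, nonce) pair for two messages reuses the keystream, so the nonce must be unique per key.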
Salsa20 has been selected as a Phase 3 design for Profile 1 (software) by the eSTREAM project, receiving the highest weighted voting score of any Profile 1 algorithm at the end of Phase 2 [2]. Salsa20 had previously been selected as Phase 2 Focus design for Profile 1 (software) and as a Phase 2 design for Profile 2 (hardware) by the eSTREAM project [3], but was not advanced to Phase 3 for Profile 2 because eSTREAM felt that it was probably not a good candidate for extremely resource constrained hardware environments [4].
## References
1. **^** Paul Crowley, *Truncated differential cryptanalysis of five rounds of Salsa20*
2. **^** Simon Fischer, Willi Meier, Côme Berbain, Jean-Francois Biasse, Matt Robshaw, *Non-Randomness in eSTREAM Candidates Salsa20 and TSC-4*, Indocrypt 2006