4

chacha20 has 20 rounds and even that is somewhat deceptive because the rounds alternate between columns and diagonals such that you need 2 rounds to involve the entire state.

However if you compare it to some other ARX ciphers such as Threefish and Speck you discover that not only do those ciphers have a smaller state but apparently they also require many more rounds. Threefish-256 is 72 rounds and Speck-128 is 34 rounds, and speck involves the entire state each round too.

Why is there such a big disparity in rounds between these ARX ciphers? Is it because chacha20 is not a keyed permutation and that somehow allows it to evade attacks that other ciphers require many more rounds to do?

Unlordship
  • 41
  • 2

1 Answers1

5

Typically, we assess the security of block ciphers with reference of differential and/or linear distinguishers. The strength of a distinguisher needs to be negligible and we typically try to bound the strength using the piling-up lemma. The product in the piling up lemma has $n$-terms, which in an ARX cipher one can think of as growing with the number of rounds. Each term in the product is an imbalance (or bias) which in an ARX cipher one can think of as the effective non-linearity of a round. To keep the product small, one can have a very good set of imbalances or a large number of rounds. CHACHA20 has a very complex round function which leads to small imbalances and hence fewer rounds. Speck and Threefish have relatively simple round functions which lead to slightly larger imbalances, but these can be mitigated by increasing the number of rounds.

Daniel S
  • 29,316
  • 1
  • 33
  • 73