7

I've written implementations of Salsa20 and ChaCha that accept 384- and 448-bit keys. It was fairly trivial to implement: the 'sigma' constant is replaced with key material, and the counter (which was initialized at 0) rotates and can be initialized at any value. So along with the 64-bit vector, the entire 512-bit state can now be initialized via a key/vector.

This does not affect the performance in any way, and if a key is constructed using key + sigma + 0, the output aligns with an implementation that uses a 256-bit key. Provided that the key used is created using a strong PRNG, and the values that replace the constant are sufficiently asymmetric, this should not present a problem, as the constants' function seems to be purely to reduce symmetry.

Is there anything incorrect in the description given above?

One other question: I am considering extending the maximum number of rounds to 24. I have looked at the mathematical model, and it seems that this should not do anything other than further diffuse the input. Is that correct?

otus
JGU

1 Answer

3

You are correct about extending the number of rounds. It is safe to increase the number of rounds; in most cases it will increase the safety margin.

Removing the constants doesn't seem to be a good idea to me, as Salsa20 and ChaCha don't have any round constants. The purpose of the constants is also to reduce the number of bits that can be controlled by an attacker; however, the key is not assumed to be controlled by an attacker. The constants also separate different key lengths. I'm also concerned about sliding attacks; however, I don't know if they are applicable to Salsa20 and ChaCha, as they are not block ciphers.

Setting the start value of the counter from the key will cause the same block outputs with different keys at some points, as the counter will change the key.

Even if replacing the constants and counter with key material is secure, setting a 448-bit key into Salsa20 or ChaCha doesn't guarantee 448-bit security. For longer keys the cipher (permutation) has to be stronger. The best attack on Salsa20 with a 128-bit key breaks 7 rounds, while with a 256-bit key it breaks 8 rounds. Also see Keccak permutation distinguishers.

Mouha and Preneel proved that 15 rounds of Salsa20 is 128-bit secure against differential cryptanalysis. This means Salsa20 with 15 rounds and a 448-bit key could possibly be broken with differential cryptanalysis with a complexity of about 128 bits.

You could use XSalsa20 to extend the key (instead of the nonce) by 128 bits. This would be at least as secure as 256-bit Salsa20.

LightBit
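The following is an added example, not code from the question or the answer, that makes both posts concrete with a minimal ChaCha block function whose whole 512-bit state is supplied by the caller. It checks the standard layout against the RFC 8439 block test vector, confirms the asker's claim that a state built as key + sigma + 0 reproduces 256-bit ChaCha20, shows the answer's objection that seeding the counter from key material yields equivalent keys (two different "keys" producing the same blocks at shifted positions), and exposes the round count as a parameter so the 24-round variant can be tried. Assumptions: the RFC 8439 state layout (32-bit counter in word 12, 96-bit nonce in words 13-15) rather than the original 64-bit counter/64-bit nonce split; the helper names `chacha_core`, `chacha20_block` and `full_state_block` are this example's own.

```python
"""Added example: a ChaCha core over a caller-supplied 16-word state, used to
compare standard ChaCha20 with the 'whole state from key material' variant."""
import struct

SIGMA = b"expand 32-byte k"   # the standard Salsa20/ChaCha "sigma" constant
MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha_core(state, rounds=20):
    """Apply `rounds` ChaCha rounds (column + diagonal pairs) to a 16-word
    state and add the input state back. `rounds` is a parameter so the
    24-round variant from the question can be exercised."""
    assert len(state) == 16 and rounds % 2 == 0
    x = list(state)
    for _ in range(rounds // 2):
        _quarter_round(x, 0, 4, 8, 12); _quarter_round(x, 1, 5, 9, 13)   # columns
        _quarter_round(x, 2, 6, 10, 14); _quarter_round(x, 3, 7, 11, 15)
        _quarter_round(x, 0, 5, 10, 15); _quarter_round(x, 1, 6, 11, 12)  # diagonals
        _quarter_round(x, 2, 7, 8, 13); _quarter_round(x, 3, 4, 9, 14)
    return [(x[i] + state[i]) & MASK for i in range(16)]


def words(b):
    """Little-endian bytes -> list of 32-bit words."""
    return list(struct.unpack("<%dI" % (len(b) // 4), b))


def chacha20_block(key, counter, nonce, rounds=20):
    """Standard ChaCha20 block: sigma | 256-bit key | counter | 96-bit nonce."""
    state = words(SIGMA) + words(key) + [counter] + words(nonce)
    return struct.pack("<16I", *chacha_core(state, rounds))


def full_state_block(state512, block_index, rounds=20):
    """The question's variant: all 64 bytes of state come from the caller
    (key material in the sigma and counter slots), and the block index is
    added to the counter word, whatever value it was seeded with."""
    state = words(state512)
    state[12] = (state[12] + block_index) & MASK
    return struct.pack("<16I", *chacha_core(state, rounds))


def matches_rfc_vector():
    """RFC 8439 section 2.3.2 block test vector (first 16 output bytes)."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)[:16].hex() == "10f1e7e4d13b5915500fdd1fa32071c4"


def extended_key_equals_standard():
    """Asker's claim: a 512-bit state of key + sigma + 0 gives 256-bit ChaCha20."""
    key, nonce = bytes(range(32)), bytes(12)          # constructed sample values
    state512 = SIGMA + key + bytes(4) + nonce         # sigma | key | counter=0 | nonce
    return all(full_state_block(state512, i) == chacha20_block(key, i, nonce) for i in range(4))


def counter_from_key_gives_equivalent_keys():
    """Answerer's objection: if the counter slot is key material, two 'keys'
    that differ only there produce identical blocks at shifted positions."""
    k1 = bytes(range(64))                              # constructed 512-bit 'key'
    w = words(k1); w[12] = (w[12] + 5) & MASK
    k2 = struct.pack("<16I", *w)                       # differs from k1 only in word 12
    return k1 != k2 and all(full_state_block(k1, i + 5) == full_state_block(k2, i) for i in range(3))


def more_rounds_change_output():
    key, nonce = bytes(range(32)), bytes(12)
    return chacha20_block(key, 0, nonce, 24) != chacha20_block(key, 0, nonce, 20)


if __name__ == "__main__":
    print("RFC vector ok:", matches_rfc_vector())
    print("key+sigma+0 == ChaCha20:", extended_key_equals_standard())
    print("counter-from-key equivalent keys:", counter_from_key_gives_equivalent_keys())
    print("24 rounds differ from 20:", more_rounds_change_output())
```

The equivalent-key check is the practical reason behind the answer's objection: every block index the cipher advances through is another caller-chosen "key" that produces the same keystream, so the extra key bits in the counter slot buy no security margin. The round parameter only changes how many column/diagonal pairs run; it does not alter the state layout, which is why raising it is the uncontroversial half of the question.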