## Extending the Salsa20 nonce

### BibTeX

@MISC{Bernstein_extendingthe,

author = {Daniel J. Bernstein},

title = {Extending the Salsa20 nonce},

year = {}

}

### OpenURL

### Abstract

Abstract. This paper introduces the XSalsa20 stream cipher. XSalsa20 is based upon the Salsa20 stream cipher but has a much longer nonce: 192 bits instead of 64 bits. XSalsa20 has exactly the same streaming speed as Salsa20, and its extra nonce-setup cost is slightly smaller than the cost of generating one block of Salsa20 output. This paper proves that XSalsa20 is secure if Salsa20 is secure: any successful fast attack on XSalsa20 can be converted into a successful fast attack on Salsa20.

### Citations

193 | The security of the cipher block chaining message authentication code - Bellare, Kilian, et al. - 2000 |

144 | The Security of Cipher Block Chaining - Bellare, Kilian, et al. |

92 | Pseudorandom Functions Revisited: The Cascade Construction and Its Concrete Security
- Bellare, Canetti, et al.
- 1996
(Show Context)
Citation Context ...—which is approximately 2 −42 against this attacker— is multiplied by the number of queries. The attack does disprove [5, “Theorem” 3.1], which omitted the factor q, as pointed out ten years later in =-=[6]-=-. The core problem in this AES cascade is the use of AES outputs—which are only 128 bits—as keys. High security demands larger keys. The cascade also has a performance problem not present in CBC: the ... |

58 | A block-cipher mode of operation for parallelizable message authentication
- Black, Rogaway
(Show Context)
Citation Context ...acker who sees q function outputs, is at most the insecurity of E plus 27q 2 /2 129 . For simpler proofssand improved bounds see [42], [34], [12], and [10]. For variants and generalizations see [11], =-=[21]-=-, [33], [28], [31], and [35]. Unfortunately, these security proofs become meaningless as the number of queries approaches the square root of the number of inputs allowed by the original function: 2 64... |

37 | Indistinguishability of random systems
- Maurer
- 2002
(Show Context)
Citation Context .... More precisely: The insecurity of this function, against an attacker who sees q function outputs, is at most the insecurity of E plus 27q 2 /2 129 . For simpler proofssand improved bounds see [42], =-=[34]-=-, [12], and [10]. For variants and generalizations see [11], [21], [33], [28], [31], and [35]. Unfortunately, these security proofs become meaningless as the number of queries approaches the square ro... |

28 | Vmac: Message authentication code using universal hashing - Krovetz, Dai - 2007 |

23 |
Omac: One-Key CBC
- Iwata, Kurosawa
(Show Context)
Citation Context ...es q function outputs, is at most the insecurity of E plus 27q 2 /2 129 . For simpler proofs and improved bounds see [43], [35], [14], and [12]. For variants and generalizations see [13], [23], [34], =-=[29]-=-, [32], and [36]. Unfortunately, these security proofs become meaningless as the number of queries approaches the square root of the number of inputs allowed by the original function: 2 64 for AES, an... |

22 | G.: Plaintext recovery attacks against SSH
- Albrecht, Paterson, et al.
(Show Context)
Citation Context ...d to gain confidence in the security of the resulting protocol. Switching session keys does not magically create immunity to cryptanalysis! As illustrated by the Albrecht–Paterson–Watson announcement =-=[3]-=- of a cryptographic flaw in ssh, one must analyze complete cryptographic protocols, not just pieces of those protocols. There are some security proofs for constructions that can be viewed as switching... |

20 | Stronger Security Bounds for Wegman-Carter-Shoup Authenticators - Bernstein - 2005 |

19 | How to stretch random functions: the security of protected counter sums
- BERNSTEIN
- 1999
(Show Context)
Citation Context ...an attacker who sees q function outputs, is at most the insecurity of E plus 27q 2 /2 129 . For simpler proofssand improved bounds see [42], [34], [12], and [10]. For variants and generalizations see =-=[11]-=-, [21], [33], [28], [31], and [35]. Unfortunately, these security proofs become meaningless as the number of queries approaches the square root of the number of inputs allowed by the original function... |

19 | The Salsa20 Family of Stream Ciphers
- Bernstein
- 2008
(Show Context)
Citation Context ...a stream of output blocks with Salsa20/r. This straightforward implementation strategy immediately produces the same streaming speeds for XSalsa20/r that have already been achieved for Salsa20/r. See =-=[16]-=- and [18] for surveys of those speeds. The overhead for XSalsa20/r, compared to Salsa20/r, is the HSalsa20/r computation, which as discussed above is slightly faster than computing a single Salsa20/r ... |

16 | Improved Security Analyses for CBC MACs - Bellare, Pietrzak, et al. - 2005 |

14 |
Truncated differential cryptanalysis of five rounds of Salsa20
- Crowley
(Show Context)
Citation Context ... recommended—and continue to recommend—Salsa20/20, with Salsa20/12 and Salsa20/8 as faster options for users who value speed more highly than confidence. Four attack papers by fourteen cryptanalysts (=-=[24]-=-, [26], [41], and [3]) culminated in a 2 184 -operation attack on Salsa20/7 and a 2 251 -operation attack on Salsa20/8. The eSTREAM portfolio recommended Salsa20/12: “Eight and twenty round versions w... |

10 |
New features of Latin dances: analysis
- Aumasson, Khazaei, et al.
(Show Context)
Citation Context ...nue to recommend—Salsa20/20, with Salsa20/12 and Salsa20/8 as faster options for users who value speed more highly than confidence. Four attack papers by fourteen cryptanalysts ([24], [26], [41], and =-=[3]-=-) culminated in a 2 184 -operation attack on Salsa20/7 and a 2 251 -operation attack on Salsa20/8. The eSTREAM portfolio recommended Salsa20/12: “Eight and twenty round versions were also considered d... |

8 |
A short proof of the unpredictability of cipher block chaining
- Bernstein
- 2005
(Show Context)
Citation Context ... precisely: The insecurity of this function, against an attacker who sees q function outputs, is at most the insecurity of E plus 27q 2 /2 129 . For simpler proofssand improved bounds see [42], [34], =-=[12]-=-, and [10]. For variants and generalizations see [11], [21], [33], [28], [31], and [35]. Unfortunately, these security proofs become meaningless as the number of queries approaches the square root of ... |

8 |
Tanja Lange (editors), eBACS: ECRYPT Benchmarking of Cryptographic Systems, accessed 5
- Bernstein
- 2012
(Show Context)
Citation Context ...ycles/byte. The two speed reports for each cipher here are for, respectively, 1536-byte packets and long streams on a Core 2 U9400 10676. These are two of the benchmarks reported by the eBACS project =-=[18]-=-; see the eBACS web site for many other measurements. Salsa20, my own eSTREAM submission, offers high speed for long and short packets, but has a potential drawback: its nonce is limited to just 64 bi... |

5 |
A Simple and Unified Method of Proving Indistinguishability (2006
- Nandi
- 2006
(Show Context)
Citation Context ...tputs, is at most the insecurity of E plus 27q 2 /2 129 . For simpler proofssand improved bounds see [42], [34], [12], and [10]. For variants and generalizations see [11], [21], [33], [28], [31], and =-=[35]-=-. Unfortunately, these security proofs become meaningless as the number of queries approaches the square root of the number of inputs allowed by the original function: 2 64 for AES, and even fewer for... |

4 | Salsa20 specification (2005). URL: http://cr.yp.to/ snuffle.html. Citations in this paper: §3. Ingrid Biehl, Bernd Meyer, Volker Müller, Differential fault attacks on elliptic curve cryptosystems (extended abstract - Bernstein |

3 | PRF Domain Extension Using DAGs
- Jutla
- 2006
(Show Context)
Citation Context ...unction outputs, is at most the insecurity of E plus 27q 2 /2 129 . For simpler proofssand improved bounds see [42], [34], [12], and [10]. For variants and generalizations see [11], [21], [33], [28], =-=[31]-=-, and [35]. Unfortunately, these security proofs become meaningless as the number of queries approaches the square root of the number of inputs allowed by the original function: 2 64 for AES, and even... |

3 |
TMAC: Two-key CBC
- Kurosawa, Iwata
- 2003
(Show Context)
Citation Context ...who sees q function outputs, is at most the insecurity of E plus 27q 2 /2 129 . For simpler proofssand improved bounds see [42], [34], [12], and [10]. For variants and generalizations see [11], [21], =-=[33]-=-, [28], [31], and [35]. Unfortunately, these security proofs become meaningless as the number of queries approaches the square root of the number of inputs allowed by the original function: 2 64 for A... |

2 |
Response to “Slid pairs
- Bernstein
- 2008
(Show Context)
Citation Context ...ombining a very nice performance profile with what appears to be a comfortable margin for security.”sThe recent paper [37] claimed to “show that Salsa20 does not have 256bit security.” I responded in =-=[17]-=- that “the best ‘attack’ in the paper receives ciphertexts from 2 191 users and finds a 256-bit key after time 2 192 on a machine of size roughly 2 192 ” and that this is “vastly more expensive than t... |

1 |
Understanding brute force, ECRYPT STVL Workshop on Symmetric Key Encryption (2005). URL: http://cr.yp.to/papers. html#bruteforce. Citations in this document: §1
- Bernstein
(Show Context)
Citation Context ... unit cycles through 2 43 possibilities for k1, computes AES AESk 1 (0)(0), and compares the results to all of the collected outputs. (This can be done with negligible communication costs; see, e.g., =-=[14]-=-.) The attacker then has a good chance of discovering an equation k1 = AESk(n), immediately revealing all of the cascade outputs for nonces of the form (n, n2, n3). This attack does not contradict the... |

1 | Tal Rabin (editors), Theory of cryptography, third theory of cryptography conference, TCC 2006 - Halevi |

1 | Citations in this document: §1 - html |

1 | editor), Advances in cryptology—EUROCRYPT 2002, international conference on the theory and applications of cryptographic techniques - Knudsen |

1 |
Biryukov, Slid pairs
- Priemuth-Schmid, Alex
(Show Context)
Citation Context ...during the eSTREAM process, but we feel that Salsa20/12 offers the best balance, combining a very nice performance profile with what appears to be a comfortable margin for security.”sThe recent paper =-=[37]-=- claimed to “show that Salsa20 does not have 256bit security.” I responded in [17] that “the best ‘attack’ in the paper receives ciphertexts from 2 191 users and finds a 256-bit key after time 2 192 o... |

1 | Citations in this document - html |

1 | Rogaway, Improved security analyses for CBC MACs, in [40] (2005), 527–545; see also newer version [12]. the Salsa20 nonce 13 - Bellare, Pietrzak, et al. |