The Salsa20 family of stream ciphers
Daniel J. Bernstein*
Department of Mathematics, Statistics, and Computer Science (M/C 249)
The University of Illinois at Chicago
Chicago, IL 60607–7045
snuffle6@box.cr.yp.to
Abstract. Salsa20 is a family of 256-bit stream ciphers designed in 2005
and submitted to eSTREAM, the ECRYPT Stream Cipher Project.
Salsa20 has progressed to the third round of eSTREAM without any
changes. The 20-round stream cipher Salsa20/20 is consistently faster
than AES and is recommended by the designer for typical cryptographic
applications. The reduced-round ciphers Salsa20/12 and Salsa20/8 are
among the fastest 256-bit stream ciphers available and are recommended
for applications where speed is more important than confidence. The
fastest known attacks use ≈ 2^153 simple operations against Salsa20/7,
≈ 2^249 simple operations against Salsa20/8, and ≈ 2^255 simple operations
against Salsa20/9, Salsa20/10, etc. In this paper, the Salsa20 designer
presents Salsa20 and discusses the decisions made in the Salsa20 design.
1 Introduction
A sender and receiver share a short secret key. They use the secret key to encrypt
a series of messages. A message could be short, just a few bytes, but it could be
much longer, perhaps gigabytes. The series of messages could be short, just one
message, but it could be much longer, perhaps billions of messages.
The sender and receiver encrypt messages using an encryption function: a
function that produces the first ciphertext from the key and the first plaintext,
that produces the second ciphertext from the key and the second plaintext, etc.
An encryption function has to be fast. Many senders have to encrypt large
volumes of data in very little time using limited resources. Many receivers are
faced with even larger volumes of data—not just the legitimate messages but
also a flood of forgery attempts. A slow encryption function can satisfy some
senders and receivers, but my focus is on encryption functions suitable for a
wider range of applications.
An encryption function also has to be secure. Many users are facing, or at
least think that they are facing, years of cryptanalytic computations by well-
funded attackers equipped with millions of fast parallel processors. Some users
are satisfied with lower levels of security, but again my focus is on encryption
functions suitable for a wider range of applications.

* Permanent ID of this document: 31364286077dcdff8e4509f9ff3139ad. Date of this document: 2007.12.25. This work was supported by the National Science Foundation under grants CCR–9983950 and ITR–0716498, and by the Alfred P. Sloan Foundation.

| Arch | MHz | Machine | Software | Salsa20/8 long | Salsa20/8 576 | Salsa20/12 long | Salsa20/12 576 | Salsa20/20 long | Salsa20/20 576 |
|---|---|---|---|---|---|---|---|---|---|
| amd64 | 3000 | Xeon 5160 (6f6) | amd64-xmm6 | 1.88 | 2.07 | 2.80 | 3.25 | 3.93 | 4.25 |
| amd64 | 2137 | Core 2 Duo (6f6) | amd64-xmm6 | 1.88 | 2.07 | 2.57 | 2.80 | 3.91 | 4.33 |
| ppc32 | 533 | PowerPC G4 7410 | ppc-altivec | 1.99 | 2.14 | 2.74 | 2.88 | 4.24 | 4.39 |
| x86 | 2137 | Core 2 Duo (6f6) | x86-xmm5 | 2.06 | 2.28 | 2.80 | 3.15 | 4.32 | 4.70 |
| amd64 | 2000 | Athlon 64 X2 (15,75,2) | amd64-3 | 3.47 | 3.65 | 4.86 | 5.04 | 7.64 | 7.84 |
| ppc64 | 2000 | PowerPC G5 970 | ppc-altivec | 3.28 | 3.48 | 4.83 | 4.87 | 7.82 | 8.04 |
| amd64 | 2391 | Opteron (f5a) | amd64-3 | 3.78 | 3.96 | 5.33 | 5.51 | 8.42 | 8.62 |
| amd64 | 2192 | Opteron (f58) | amd64-3 | 3.82 | 4.18 | 5.35 | 5.73 | 8.42 | 8.78 |
| x86 | 2000 | Athlon 64 X2 (15,75,2) | x86-1 | 4.50 | 4.78 | 6.27 | 6.55 | 9.80 | 10.07 |
| x86 | 900 | Athlon (622) | x86-athlon | 4.61 | 4.84 | 6.44 | 6.65 | 10.04 | 10.24 |
| ppc64 | 1452 | POWER4 | merged | 6.83 | 7.00 | 8.35 | 8.51 | 11.29 | 11.47 |
| hppa | 1000 | PA-RISC 8900 | merged | 5.82 | 5.97 | 7.68 | 7.85 | 11.39 | 11.56 |
| amd64 | 3000 | Pentium D (f64) | amd64-xmm6 | 5.38 | 5.87 | 7.19 | 7.84 | 10.69 | 11.73 |
| x86 | 1300 | Pentium M (695) | x86-xmm5 | 5.30 | 5.53 | 7.44 | 7.70 | 11.70 | 11.98 |
| x86 | 3000 | Xeon (f26) | x86-xmm5 | 5.30 | 5.86 | 7.41 | 8.21 | 11.64 | 12.55 |
| x86 | 3200 | Xeon (f25) | x86-xmm5 | 5.30 | 5.84 | 7.40 | 8.15 | 11.63 | 12.59 |
| x86 | 2800 | Xeon (f29) | x86-xmm5 | 5.33 | 5.95 | 7.44 | 8.20 | 11.67 | 12.65 |
| x86 | 3000 | Pentium 4 (f41) | x86-xmm5 | 5.76 | 6.92 | 8.12 | 9.33 | 11.84 | 13.40 |
| x86 | 1400 | Pentium III (6b1) | x86-mmx | 6.37 | 6.79 | 8.88 | 9.29 | 13.88 | 14.29 |
| sparc | 1050 | UltraSPARC IV | sparc | 6.65 | 6.76 | 9.21 | 9.33 | 14.34 | 14.45 |
| x86 | 3200 | Pentium D (f47) | x86-athlon | 7.13 | 7.66 | 9.90 | 10.31 | 15.29 | 15.94 |
| ia64 | 1500 | Itanium II | merged | 8.49 | 8.87 | 12.42 | 12.62 | 18.07 | 18.27 |
| ia64 | 1400 | Itanium II | merged | 8.28 | 8.65 | 12.56 | 12.76 | 18.21 | 18.40 |

Table 1.1. Salsa20 software speeds; measured by the official eSTREAM benchmarking
framework; sorted by final column. “576” means single-core cycles/byte to encrypt a
576-byte packet; “long” means single-core cycles/byte to encrypt a long stream.
There is a conflict between these desiderata. One can reasonably conjecture,
for example, that every function that encrypts data in 0.5 Core-2 cycles/byte
is breakable. One can also conjecture that almost every function that encrypts
data in 5 Core-2 cycles/byte is breakable. On the other hand, several unbroken
submissions to eSTREAM, the ECRYPT Stream Cipher Project, encrypt data
in fewer than 5 Core-2 cycles/byte.
In particular, my 20-round stream cipher Salsa20/20 encrypts data in 3.93
Core-2 cycles/byte. (For comparison: Matsui and Nakajima recently reported 9.2
Core-2 cycles/byte for 10-round AES using a pre-expanded 128-bit key. See [18].)
The fastest known attack against Salsa20/20 is a 256-bit brute-force search. I
recommend Salsa20/20 for encryption in typical cryptographic applications.
Reduced-round ciphers in the Salsa20 family are attractive options for users
who value speed more highly than confidence. The 12-round stream cipher
Salsa20/12 encrypts data in 2.80 Core-2 cycles/byte; the fastest known attack
against Salsa20/12 is a 256-bit brute-force search. The 8-round stream cipher
Salsa20/8 encrypts data in 1.88 Core-2 cycles/byte; as discussed in Section 5,
papers by several cryptanalysts have culminated in an attack against Salsa20/8
taking “only” 2^249 operations, but this is far beyond any computation that will
be carried out in the foreseeable future. Perhaps better attacks will be developed,
but competing ciphers at similar speeds seem to be much more easily broken!
I hadn’t heard of the Core 2 when I designed Salsa20. I was aiming for high
speed on a wide variety of platforms; I don’t find it surprising that Salsa20 is
able to take advantage of a new platform. Table 1.1 shows Salsa20’s software
speeds on various CPUs.
This paper defines Salsa20 and explains the decisions that I made in the
Salsa20 design. Section 2 discusses the selection of low-level operations used
in Salsa20—a deliberately limited set, in particular with no S-boxes. Section 3
discusses the high-level data flow in Salsa20—again quite limited, in particular
with no communication across blocks aside from a simple block counter. Section
4 discusses the middle-level structure of Salsa20. Section 5 reviews known attacks
on Salsa20.
2 Low level: Which operations are used?
2.1 What does Salsa20 do?
The Salsa20 encryption function is a long chain of three simple operations on
32-bit words:
• 32-bit addition, producing the sum a + b mod 2^32 of two 32-bit words a, b;
• 32-bit exclusive-or, producing the xor a ⊕ b of two 32-bit words a, b; and
• constant-distance 32-bit rotation, producing the rotation a <<< b of a 32-bit
word a by b bits to the left, where b is constant.
On occasion I encounter the superstitious notion that these operations are
“too simple.” In fact, these operations can easily simulate any circuit, and are
therefore capable of reaching the same security level as any other selection of
operations. The real question for the cipher designer is whether a different mix
of operations could achieve the same security level at higher speed.
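As an added illustration (not code from this paper or from Bernstein's reference implementation), here is the Salsa20 quarterround as given in the public Salsa20 specification, built from exactly the three word operations listed above; the function name `quarterround_word` is a wrapper introduced here, and the two inputs used are the specification's published test vectors.

```c
#include <stdint.h>
#include <stdio.h>

/* Constant-distance 32-bit rotation a <<< b. In Salsa20 the distance b is a
 * constant at every call site (7, 9, 13, 18). Masking b keeps the shift
 * amounts in range so the expression is well-defined even for b == 0. */
static inline uint32_t rotl32(uint32_t a, unsigned b) {
    b &= 31;
    return (a << b) | (a >> ((32 - b) & 31));
}

/* Salsa20 quarterround from the public specification (the full paper defines
 * it in Section 4, which this excerpt does not reach). It uses nothing but the
 * three operations of Section 2.1: addition mod 2^32 (uint32_t arithmetic
 * wraps by definition in C, so no explicit reduction is needed), xor, and
 * rotation by a constant distance. */
void quarterround(uint32_t y[4]) {
    y[1] ^= rotl32(y[0] + y[3], 7);
    y[2] ^= rotl32(y[1] + y[0], 9);
    y[3] ^= rotl32(y[2] + y[1], 13);
    y[0] ^= rotl32(y[3] + y[2], 18);
}

/* Wrapper added for this example: run quarterround on (a, b, c, d) and return
 * output word i, so the spread of a single input bit can be checked word by
 * word. */
uint32_t quarterround_word(uint32_t a, uint32_t b, uint32_t c, uint32_t d,
                           int i) {
    uint32_t y[4] = {a, b, c, d};
    quarterround(y);
    return y[i & 3];
}

int main(void) {
    /* Specification test vector: one set bit in word 0 reaches all four words. */
    uint32_t y[4] = {1, 0, 0, 0};
    quarterround(y);
    printf("%08x %08x %08x %08x\n", y[0], y[1], y[2], y[3]);
    /* prints 08008145 00000080 00010200 20500000 */
    return 0;
}
```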
2.2 Should there be integer multiplications?
Some popular CPUs can quickly compute xy mod 2^64, given x, y. Some ciphers
are designed to take advantage of this operation. Sometimes one of x, y is a
constant; sometimes x, y are both variables.
The basic argument for integer multiplication is that the output bits are
complicated functions of the input bits, mixing the inputs more thoroughly than
a few simple integer operations.
The basic counterargument is that integer multiplication takes several cycles
on the fastest CPUs, and many more cycles on other CPUs. For comparison, a