ChaCha is a family of 256-bit stream ciphers. This create includes five members of the family:
|nonce length||stream length||key length||rounds|
(Lengths are given in bytes.)
ChaCha12 and ChaCha8 trade off the security margin in favor of performance. The IETF implementation increases the nonce length, making randomly generating the same nonce twice less likely, at the cost of making the stream shorter. XChaCha20 increases the nonce length even further while maintaining the stream length at the cost of a slightly more expensive initialization step.
ChaCha benefits greatly from SIMD instructions, which currently requires Rust's
nightly build. Compile with the feature
nightly enabled for maximum performance.
ChaCha was designed by Daniel J. Bernstein in 2008 as a slightly modified version of his Salsa family of ciphers. Salsa20 has been analyzed as part of the eSTREAM project and has not had any practical attack found. That cryptanalysis would generally apply to ChaCha20 as well. The ChaCha round function is used in the BLAKE hash function, which was analyzed as part of the SHA-3 competition, again without finding a practical attack. The IETF's RFC 7539 standardizes a member of the ChaCha family.
A ChaCha keystream.
An error when generating a keystream
Types that encapsulate a stream of bytes that to be combined with a cryptographic plaintext or ciphertext
KeyStreams that allow efficiently moving to positions in the stream
Apply the ChaCha core function. Note that this is reversible.
Apply the ChaCha core function and add the result to the input. This is what maps ChaCha streams' input blocks to output blocks.