ChaCha is a family of 256-bit stream ciphers. This create includes five members of the family:
| nonce length | stream length | key length | rounds | |
|---|---|---|---|---|
| ChaCha20 | 8 | 270 | 32 | 20 |
| IETF | 16 | 238 | 32 | 20 |
| XChaCha20 | 24 | 270 | 32 | 20 |
| ChaCha12 | 8 | 270 | 32 | 12 |
| ChaCha8 | 8 | 270 | 32 | 8 |
| (Lengths are given in bytes.) |
ChaCha12 and ChaCha8 trade off the security margin in favor of performance. The IETF implementation increases the nonce length, making randomly generating the same nonce twice less likely, at the cost of making the stream shorter. XChaCha20 increases the nonce length even further while maintaining the stream length at the cost of a slightly more expensive initialization step.
ChaCha benefits greatly from SIMD instructions, which currently requires Rust's
nightly build. Compile with the feature nightly enabled for maximum performance.
ChaCha was designed by Daniel J. Bernstein in 2008 as a slightly modified version of his Salsa family of ciphers. Salsa20 has been analyzed as part of the eSTREAM project and has not had any practical attack found. That cryptanalysis would generally apply to ChaCha20 as well. The ChaCha round function is used in the BLAKE hash function, which was analyzed as part of the SHA-3 competition, again without finding a practical attack. The IETF's RFC 7539 standardizes a member of the ChaCha family.