[PATCH] Add support for Salsa20/12 - 12 round version of Salsa20

Simon Josefsson simon at josefsson.org
Fri Jul 26 21:12:58 CEST 2013

Werner Koch <wk at gnupg.org> writes:

> On Sun, 21 Jul 2013 16:53, dbaryshkov at gmail.com said:
>> Salsa20/12 is a reduced round version of Salsa20 that is amongst ciphers
>> selected by eSTREAM for Phase 3 of Profile 1 algorithm. Moreover it is
>> one of proposed ciphers for TLS (draft-josefsson-salsa20-tls-02).
> Why should anyone give up a good security margin for an algorithm which
> is already very fast.  If there is a real world application for such a
> reduced version of Salsa20 it makes sense to have it.  But until then, I
> doubt that it makes any sense.  
> Simon: Why are you proposing that?

eSTREAM picked 12-rounds Salsa, and not the 20-round version, so it
could be argued that it will receive more scrutiny -- even though it
seems quite unlikely that there would be any security problem with
20-round Salsa20 that wouldn't also affect 12-rounds.

I would recommend against implementing 12-rounds without also
implementing 20-rounds -- DJB specified 20-rounds and I would personally
use 20-rounds.  Whenever 12-rounds is available, 20-rounds should be
available as well.

I think it is unfortunate that eSTREAM managed to weaken it by lowering
the round count to 12-rounds, but that's where it is.  There doesn't
seem to be a lot of documentation how the change from 20-rounds to
12-rounds Salsa20 occurred.


More information about the Gcrypt-devel mailing list