翻訳と辞書 (Translation and Dictionary)
ChaCha20 : Wikipedia (English edition)
Salsa20

Salsa20 is a stream cipher submitted to eSTREAM by Daniel J. Bernstein. It is built on a pseudorandom function based on add-rotate-xor (ARX) operations: 32-bit addition, bitwise XOR and rotation. Salsa20 maps a 256-bit key, a 64-bit nonce, and a 64-bit stream position to a 512-bit output (a version with a 128-bit key also exists). This gives Salsa20 the unusual advantage that the user can efficiently seek to any position in the output stream in constant time. It offers speeds of around 4–14 cycles per byte in software on modern x86 processors [Salsa20 home page], and reasonable hardware performance. It is not patented, and Bernstein has written several public domain implementations optimized for common architectures [Speed of Salsa20].
A related cipher, ChaCha, which has similar features but a different round function, was published by Bernstein in 2008.
== Structure ==
Internally, the cipher uses bitwise exclusive OR (⊕), 32-bit addition mod 2^32 (⊞), and constant-distance rotation operations (<<<) on an internal state of sixteen 32-bit words. This choice of operations avoids the possibility of timing attacks in software implementations. The basic Salsa20 round primitive R(a,b,c,k) is
b ⊕= (a ⊞ c) <<< k;
The initial state is made up of 8 words of key, 2 words of stream position, 2 words of nonce (essentially additional stream position bits), and 4 fixed words. 20 rounds of mixing produce 16 words of stream cipher output.
A quarter-round takes a four-word input and produces a four-word output. The internal 16-word state is arranged as a 4×4 matrix; even-numbered rounds apply the quarter-round operation to each of the four rows, while odd-numbered rounds apply the quarter-round operation to each of the four columns. Two consecutive rounds (a row-round and column-round) together are called a double-round.
A more precise specification appears below as pseudocode, although in this form the row/column pattern is harder to see. ⊞ is addition modulo 2^32, <<< is the left-rotate operation, and ⊕ is exclusive-or. x ⊕= y is an abbreviation for x = x ⊕ y.
x[ 4] ⊕= (x[ 0] ⊞ x[12])<<<7;  x[ 9] ⊕= (x[ 5] ⊞ x[ 1])<<<7;
x[14] ⊕= (x[10] ⊞ x[ 6])<<<7;  x[ 3] ⊕= (x[15] ⊞ x[11])<<<7;
x[ 8] ⊕= (x[ 4] ⊞ x[ 0])<<<9;  x[13] ⊕= (x[ 9] ⊞ x[ 5])<<<9;
x[ 2] ⊕= (x[14] ⊞ x[10])<<<9;  x[ 7] ⊕= (x[ 3] ⊞ x[15])<<<9;
x[12] ⊕= (x[ 8] ⊞ x[ 4])<<<13; x[ 1] ⊕= (x[13] ⊞ x[ 9])<<<13;
x[ 6] ⊕= (x[ 2] ⊞ x[14])<<<13; x[11] ⊕= (x[ 7] ⊞ x[ 3])<<<13;
x[ 0] ⊕= (x[12] ⊞ x[ 8])<<<18; x[ 5] ⊕= (x[ 1] ⊞ x[13])<<<18;
x[10] ⊕= (x[ 6] ⊞ x[ 2])<<<18; x[15] ⊕= (x[11] ⊞ x[ 7])<<<18;

x[ 1] ⊕= (x[ 0] ⊞ x[ 3])<<<7;  x[ 6] ⊕= (x[ 5] ⊞ x[ 4])<<<7;
x[11] ⊕= (x[10] ⊞ x[ 9])<<<7;  x[12] ⊕= (x[15] ⊞ x[14])<<<7;
x[ 2] ⊕= (x[ 1] ⊞ x[ 0])<<<9;  x[ 7] ⊕= (x[ 6] ⊞ x[ 5])<<<9;
x[ 8] ⊕= (x[11] ⊞ x[10])<<<9;  x[13] ⊕= (x[12] ⊞ x[15])<<<9;
x[ 3] ⊕= (x[ 2] ⊞ x[ 1])<<<13; x[ 4] ⊕= (x[ 7] ⊞ x[ 6])<<<13;
x[ 9] ⊕= (x[ 8] ⊞ x[11])<<<13; x[14] ⊕= (x[13] ⊞ x[12])<<<13;
x[ 0] ⊕= (x[ 3] ⊞ x[ 2])<<<18; x[ 5] ⊕= (x[ 4] ⊞ x[ 7])<<<18;
x[10] ⊕= (x[ 9] ⊞ x[ 8])<<<18; x[15] ⊕= (x[14] ⊞ x[13])<<<18;
Salsa20 performs 20 rounds of mixing on its input, then adds the final array to the original array to obtain its 64-byte output block [http://cr.yp.to/snuffle/salsafamily-20071225.pdf]. Reduced-round variants Salsa20/8 and Salsa20/12, using 8 and 12 rounds respectively, have also been introduced. These variants complement the original Salsa20 rather than replace it; they perform even better than Salsa20 in the eSTREAM benchmarks, though with a correspondingly lower security margin.
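The round primitive R(a,b,c,k), the state layout, the column/row double-round pseudocode and the final feed-forward addition above fit together as follows. This is an added C example written for this page, not Bernstein's reference implementation: it uses the "expand 32-byte k" constants and the word layout of 256-bit-key Salsa20, takes the round count as a parameter so that Salsa20/20, Salsa20/12 and Salsa20/8 all come from the same core, and shows the constant-time seek mentioned at the top of the article by addressing the stream through the 64-bit block counter. The key, nonce and message bytes in the checks are constructed sample values; the expected quarter-round values can be followed by hand from the definition.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
/* The round primitive R(a,b,c,k) from the text: b ^= (a + c) <<< k, all mod 2^32. */
#define R(a, b, c, k) ((b) ^= ROTL32((uint32_t)((a) + (c)), (k)))

/* quarterround(y0,y1,y2,y3): R applied four times with rotations 7, 9, 13, 18.
 * Updates the four words in place; each new word feeds the next step. */
static void quarterround(uint32_t *y0, uint32_t *y1, uint32_t *y2, uint32_t *y3)
{
    R(*y0, *y1, *y3, 7);
    R(*y1, *y2, *y0, 9);
    R(*y2, *y3, *y1, 13);
    R(*y3, *y0, *y2, 18);
}

/* Salsa20/r core on a 16-word state: r rounds (r/2 double-rounds) of mixing, then
 * the original state is added back word by word. rounds = 20 is Salsa20;
 * 12 and 8 give the reduced-round variants Salsa20/12 and Salsa20/8. */
static void salsa20_core(uint32_t out[16], const uint32_t in[16], int rounds)
{
    uint32_t x[16];
    memcpy(x, in, sizeof x);
    for (int i = 0; i < rounds; i += 2) {
        /* column round: quarterround down each column of the 4x4 state */
        quarterround(&x[0], &x[4], &x[8], &x[12]);
        quarterround(&x[5], &x[9], &x[13], &x[1]);
        quarterround(&x[10], &x[14], &x[2], &x[6]);
        quarterround(&x[15], &x[3], &x[7], &x[11]);
        /* row round: quarterround along each row, starting on the diagonal */
        quarterround(&x[0], &x[1], &x[2], &x[3]);
        quarterround(&x[5], &x[6], &x[7], &x[4]);
        quarterround(&x[10], &x[11], &x[8], &x[9]);
        quarterround(&x[15], &x[12], &x[13], &x[14]);
    }
    for (int i = 0; i < 16; i++) out[i] = x[i] + in[i];
}

/* The four fixed words for a 256-bit key: "expand 32-byte k" as little-endian words. */
static const uint32_t SIGMA[4] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };

static uint32_t load32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store32_le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* One 64-byte keystream block for block index `counter`. Input state layout:
 * constants on the diagonal, key in words 1-4 and 11-14, nonce in 6-7,
 * 64-bit block counter in 8-9. */
static void salsa20_block(uint8_t out[64], const uint8_t key[32], const uint8_t nonce[8],
                          uint64_t counter, int rounds)
{
    uint32_t in[16], o[16];
    in[0] = SIGMA[0];
    for (int i = 0; i < 4; i++) in[1 + i] = load32_le(key + 4 * i);
    in[5] = SIGMA[1];
    in[6] = load32_le(nonce);
    in[7] = load32_le(nonce + 4);
    in[8] = (uint32_t)counter;
    in[9] = (uint32_t)(counter >> 32);
    in[10] = SIGMA[2];
    for (int i = 0; i < 4; i++) in[11 + i] = load32_le(key + 16 + 4 * i);
    in[15] = SIGMA[3];
    salsa20_core(o, in, rounds);
    for (int i = 0; i < 16; i++) store32_le(out + 4 * i, o[i]);
}

/* XOR `len` bytes of `in` with the keystream starting at byte offset `pos`. Seeking
 * is arithmetic on the block counter, so random access costs one core evaluation;
 * the same call encrypts and decrypts. */
static void salsa20_xor(uint8_t *out, const uint8_t *in, size_t len, const uint8_t key[32],
                        const uint8_t nonce[8], uint64_t pos, int rounds)
{
    uint8_t ks[64];
    while (len > 0) {
        salsa20_block(ks, key, nonce, pos / 64, rounds);
        size_t off = (size_t)(pos % 64), n = 64 - off;
        if (n > len) n = len;
        for (size_t i = 0; i < n; i++) out[i] = in[i] ^ ks[off + i];
        in += n; out += n; len -= n; pos += n;
    }
}

/* Checks returning 1 on success. quarterround(1,0,0,0) can be followed by hand from the
 * definition; the all-zero state maps to itself because every R step rotates a sum of
 * zeros. Key, nonce and message bytes below are constructed sample values. */
static int check_quarterround(void)
{
    uint32_t a = 1, b = 0, c = 0, d = 0;
    quarterround(&a, &b, &c, &d);
    return a == 0x08008145 && b == 0x00000080 && c == 0x00010200 && d == 0x20500000;
}
static int check_zero_state(void)
{
    uint32_t in[16] = { 0 }, out[16];
    salsa20_core(out, in, 20);
    for (int i = 0; i < 16; i++) if (out[i] != 0) return 0;
    return 1;
}
static int check_seek_and_roundtrip(void)
{
    uint8_t key[32], nonce[8], msg[150], ct[150], part[80], pt[150];
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;
    for (int i = 0; i < 8; i++) nonce[i] = (uint8_t)(0xA0 + i);
    for (int i = 0; i < 150; i++) msg[i] = (uint8_t)(i * 7);
    salsa20_xor(ct, msg, 150, key, nonce, 0, 20);        /* whole stream from offset 0 */
    salsa20_xor(part, msg + 70, 80, key, nonce, 70, 20); /* seek straight to offset 70 */
    salsa20_xor(pt, ct, 150, key, nonce, 0, 20);         /* decrypt = XOR again */
    return memcmp(ct + 70, part, 80) == 0 && memcmp(pt, msg, 150) == 0;
}

int main(void)
{
    printf("quarterround: %d  zero state: %d  seek/roundtrip: %d\n",
           check_quarterround(), check_zero_state(), check_seek_and_roundtrip());
    return 0;
}
```

The feed-forward addition at the end of salsa20_core is what stops the keystream block from being inverted back to the key-bearing state: the double-rounds alone are a bijection, so without that addition an attacker holding one keystream block could run them backwards. The seek check exercises exactly the property the article advertises: encrypting bytes 70..149 directly from offset 70 gives the same ciphertext as the sequential run, because the block index is simply pos / 64.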
== eSTREAM selection ==
Salsa20 has been selected as a Phase 3 design for Profile 1 (software) by the eSTREAM project, receiving the highest weighted voting score of any Profile 1 algorithm at the end of Phase 2 [http://www.ecrypt.eu.org/stream/endofphase2.html]. Salsa20 had previously been selected as Phase 2 Focus design for Profile 1 (software) and as a Phase 2 design for Profile 2 (hardware) by the eSTREAM project [http://www.ecrypt.eu.org/stream/endofphase1.html], but was not advanced to Phase 3 for Profile 2 because eSTREAM felt that it was probably not a good candidate for extremely resource constrained hardware environments [http://www.ecrypt.eu.org/stream/PhaseIIreport.pdf].

Excerpt source: the free encyclopedia Wikipedia.
Read the full text of "Salsa20" on Wikipedia.
Copyright(C) kotoba.ne.jp 1997-2016. All Rights Reserved.