@@ -1301,49 +1301,85 @@ \chapter{Stream Ciphers}
13011301err = chacha_done(&st);
13021302\end {verbatim }
13031303
1304- \mysection {Salsa20}
1304+ \mysection {Salsa20 and XSalsa20}
1305+
1306+ \textit {Salsa20 } was Daniel Bernstein's submission to the EU eSTREAM
1307+ competition where a reduced-round version, \textit {Salsa20/12 }, was named
1308+ one of the winners. A third version, \textit {Salsa20/8 }, was also evaluated.
1309+ \vspace {1mm}
1310+
1311+ While 20 rounds is the conservative default number of rounds, eSTREAM deemed
1312+ 12 rounds to be a decent balance between strength and better performance.
1313+ The 8-round version, while still secure as of this writing, is faster but
1314+ does not enjoy the same margin of safety. Regardless of the number of rounds,
1315+ \textit {Salsa20 } accepts either a 128- or a 256-bit key, a 64-bit IV, and a
1316+ 64-bit counter.
1317+ \vspace {1mm}
1318+
1319+ \textit {XSalsa20 } is yet another variant of \textit {Salsa20 } designed to accept
1320+ only a 256-bit key and a longer 192-bit nonce, initialization being the only
1321+ difference between \textit {XSalsa20 } and \textit {Salsa20 }. Even the
1322+ \textit {salsa20\_ state } is the same. Thereafter, salsa20\_ crypt(),
1323+ salsa20\_ keystream(), and salsa20\_ done() are used unaltered.
1324+ salsa20\_ ivctr64() is NOT used with xsalsa20\_ setup().
1325+ \vspace {1mm}
1326+
1327+ To initialize \textit {Salsa20 } for 8, 12, or 20 rounds with a 128- or a
1328+ 256-bit key (16 or 32 bytes), a 64-bit IV (8 bytes), and counter (typically
1329+ zero), use:
13051330
1306- \textit {Salsa20 } is the forerunner of the ChaCha stream cipher. The ChaCha cipher is
1307- Salsa20 with a few minor tweaks to further improve its strength, and in so doing, increase its
1308- speed performance by about 5 percent. Unless you need Salsa20 for some reason, you should
1309- probably choose ChaCha instead.
1310-
1311- In April 2008 \textit {Salsa20/12 } was named one of the winners in the EU eSTREAM competition.
1312- Salsa20 was originally submitted by Daniel Bernstein with 20 rounds of strength but the
1313- 12-round reduced-round version was deemed to have sufficient strength and declared a winner.
1314- Even the 8-round reduced-round version, Salsa20/8, has withstood attack.
1315-
1316- For more information about Salsa20 see \url {https://en.wikipedia.org/wiki/Salsa20}.
1317-
1318- Supported key size: 16 or 32 bytes (128 or 256 bits).
1319-
1320- You can initialize Salsa20 with 64bit \textit {nonce } + 64bit \textit {counter }:
13211331\begin {verbatim }
13221332salsa20_state st;
1333+ ulong64 counter = 0;
13231334err = salsa20_setup(&st, key, key_len, rounds);
1324- err = salsa20_ivctr64(&st, nonce, 8, initial_64bit_ctr );
1335+ err = salsa20_ivctr64(&st, nonce, 8, counter );
13251336\end {verbatim }
13261337
1327- The \textit {salsa20 \_ setup } takes the number of rounds as a parameter -- choose 20 (the default)
1328- if you are not sure. As always never ever use the same key + nonce pair more than once.
1338+ To initialize \textit {XSalsa20 } for the recommended 20 rounds with a 256-bit
1339+ key (32 bytes) and a 192-bit nonce (24 bytes), use:
13291340
1330- For the actual encryption or decryption you have to call:
1341+ \begin {verbatim }
1342+ salsa20_state st;
1343+ err = xsalsa20_setup(&st, key, key_len, nonce, nonce_len, rounds);
1344+ \end {verbatim }
1345+
1346+ Both \textit {Salsa20 } and \textit {XSalsa20 } use the following functions. To
1347+ encrypt or decrypt call:
13311348\begin {verbatim }
13321349err = salsa20_crypt(&st, in_buffer, in_len, out_buffer);
13331350\end {verbatim }
13341351
1335- If you just want a random stream of bytes initialize the cipher with a truly random \textit {key }
1336- (32 bytes), a truly random \textit {nonce } (8 bytes) and zero initial counter. After that you can
1337- get a stream of pseudo--random bytes via:
1352+ For a random keystream initialize the cipher with a truly random \textit {key }
1353+ and random \textit {nonce } after which you can get a stream of
1354+ pseudo--random bytes via:
13381355\begin {verbatim }
13391356err = salsa20_keystream(&st, out_buffer, out_len);
13401357\end {verbatim }
13411358
1342- When finished you should wipe the state:
1359+ Finally, when finished you should wipe the state.
13431360\begin {verbatim }
13441361err = salsa20_done(&st);
13451362\end {verbatim }
13461363
1364+ For both \textit {Salsa20 } and \textit {XSalsa20 } rounds must be an even number
1365+ and if set to 0 the default number of rounds, 20, will be used.
1366+ \vspace {1mm}
1367+
1368+ If you define \textit {LTC_XSALSA20 } to include \textit {XSalsa20 } in a minimal
1369+ \textit {libtomcrypt } library build, you must also define \textit {LTC_SALSA20 }.
1370+ \vspace {1mm}
1371+
1372+ As always, never ever use the same key + nonce/IV pair more than once.
1373+ \vspace {1mm}
1374+
1375+ For more information about Salsa20 see
1376+ \url {https://en.wikipedia.org/wiki/Salsa20}.
1377+ \vspace {1mm}
1378+
1379+ For more information about XSalsa20 see
1380+ \url {https://cr.yp.to/snuffle/xsalsa-20081128.pdf}.
1381+ \vspace {1mm}
1382+
13471383\mysection {Sosemanuk}
13481384
13491385\textit {Sosemanuk }, along with Salsa20, HC-128, and Rabbit, was named one of the winners in
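Review bot: The macro names in the added build paragraph, \textit{LTC_XSALSA20} and \textit{LTC_SALSA20}, use bare underscores, while salsa20\_state and the function names earlier in this hunk escape them. A bare underscore in LaTeX text mode normally stops the build with a "Missing $ inserted" error unless the preamble redefines it, so write LTC\_XSALSA20 and LTC\_SALSA20. Two smaller points on the same hunk: the rewritten keystream paragraph drops the removed text's key and nonce sizes and its "zero initial counter", and since salsa20_ivctr64() is not called after xsalsa20_setup(), the text should state where the XSalsa20 counter starts. The note that rounds must be even and that 0 selects the default of 20 would be easier to find beside the two setup calls than after salsa20_done().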