Re: [TLS] Salsa vs. ChaCha

Nikos Mavrogiannopoulos <> Tue, 19 November 2013 08:36 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7DA7A1A802B for <>; Tue, 19 Nov 2013 00:36:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.427
X-Spam-Status: No, score=-7.427 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.525, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8fsziBOlm1h3 for <>; Tue, 19 Nov 2013 00:36:14 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 76AC71ACCDA for <>; Tue, 19 Nov 2013 00:36:14 -0800 (PST)
Received: from ( []) by (8.14.4/8.14.4) with ESMTP id rAJ8a7k9008919 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 19 Nov 2013 03:36:07 -0500
Received: from [] ( []) by (8.13.8/8.13.8) with ESMTP id rAJ8a59q027460 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 19 Nov 2013 03:36:06 -0500
Message-ID: <>
From: Nikos Mavrogiannopoulos <>
To: Zooko Wilcox-OHearn <>
Date: Tue, 19 Nov 2013 09:36:05 +0100
In-Reply-To: <>
References: <>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on
Subject: Re: [TLS] Salsa vs. ChaCha
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Nov 2013 08:36:16 -0000

On Mon, 2013-11-18 at 21:34 +0000, Zooko Wilcox-OHearn wrote:
> Folks:
> draft-josefsson-salsa20-tls-03 makes it sound as though choosing
> ChaCha over Salsa would be trading off security (at least as reflected
> by Salsa being an eSTREAM finalist) for performance (at least in
> hardware). I don't think this reflects typical beliefs about the
> relative merits of these two ciphers.
> Instead, I think ChaCha is generally considered to be slightly
> stronger than Salsa, in addition to slightly faster (in both software
> and hardware).

Hello Zooko,
 This was not our intention (and if there is some text that needs to be
changed to prevent that, please let us know). Mainly what we want to say
there, is that we do not want to evaluate any new cipher (we are not
experts in cipher design). We select what is considered secure from the
existing cryptographic competitions in order to replace RC4. 

If we follow the path to chacha, which is not the outcome of a cipher
competition there can be arguments why not consider some other XXX
stream cipher as well which could be better than ChaCha in some aspect.
Such arguments would then be hard to confront.

> So, unfortunately there is no "provable security" reduction by which
> we can show that *any* attack on BLAKE must necessarily lead to an
> attack on ChaCha, or vice versa.
> However, they are so closely related that in my opinion the copious
> cryptanalysis of BLAKE during the SHA-3 contest would probably have
> revealed weaknesses in ChaCha at the same time as it revealed any
> weaknesses in BLAKE.

You provide some good arguments in favor of chacha, although as you say
the results cannot be directly related to Chacha as a cipher. In any
case our decision for the cipher is not written in stone.