Salsa20 Encryption
High-speed stream cipher with extended nonce variant
Client-Side Security
All encryption and decryption operations are performed locally in your browser. No data is ever sent to any server.
Initial block counter value (usually 0 for encryption, same value for decryption)
About Salsa20
Salsa20 is a stream cipher designed by Daniel J. Bernstein in 2005. It uses a 256-bit key and 64-bit nonce to generate a keystream that is XORed with plaintext to produce ciphertext. The cipher is designed for high performance in software implementations.
Salsa20 was submitted to the eSTREAM project and selected as a finalist in the software profile. It forms the basis for the ChaCha family of ciphers.
Algorithm Comparison
| Algorithm | Rounds | Nonce Length | Speed | Best For |
|---|---|---|---|---|
| Salsa20/20 | 20 | 64 bits (8 bytes) | Standard | General encryption, high security |
| Salsa20/12 | 12 | 64 bits (8 bytes) | Fast | Performance-critical applications |
| Salsa20/8 | 8 | 64 bits (8 bytes) | Fastest | Maximum speed scenarios |
| XSalsa20 | 20 | 192 bits (24 bytes) | Standard | Random nonce, NaCl/libsodium |
How Salsa20 Works
Salsa20 operates on a 4×4 matrix of 32-bit words (512 bits total). The initial state consists of the key (256 bits), nonce (64 bits), counter (64 bits), and four constant words forming the string 'expand 32-byte k'.
The core function applies 20 rounds of the quarterround operation, which uses only add-rotate-XOR (ARX) operations. This makes Salsa20 efficient in software and resistant to timing attacks.
XSalsa20 extends the nonce to 192 bits using HSalsa20, a variant that derives a subkey from the first 128 bits of the nonce, leaving 64 bits for the actual nonce. This allows safe random nonce generation.
Round Variants
- Salsa20/20 (20 rounds) - The standard variant providing full security margin. Recommended for most applications.
- Salsa20/12 (12 rounds) - eSTREAM portfolio selection. Provides good security with better performance.
- Salsa20/8 (8 rounds) - Fastest variant. No known practical attacks, but reduced security margin.
Key Features
- High Performance: Optimized for software, achieving 3-4 cycles per byte on modern CPUs
- Simple Design: Uses only ARX operations, easy to implement without lookup tables
- Constant-time: Resistant to cache-timing side-channel attacks
- Large Counter: 64-bit counter allows encrypting up to 2^70 bytes per key-nonce pair
- Extended Nonce: XSalsa20's 192-bit nonce enables random nonce generation
Security Considerations
- Never reuse a nonce with the same key - this completely breaks security
- Salsa20 provides only encryption, not authentication - combine with Poly1305 for AEAD
- For random nonces, use XSalsa20 to minimize collision probability
- Use proper KDF (HKDF, Argon2) to derive keys from passwords
Real-World Usage
- NaCl/libsodium: XSalsa20-Poly1305 is the default AEAD construction
- Encryption tools: Many file encryption utilities use Salsa20 variants
- Password managers: Some use Salsa20 for encrypting stored credentials
- Game engines: Used for fast encryption in networked games
References
Related Tools
ChaCha20 Encryption
Modern stream cipher with ChaCha20, ChaCha20-Poly1305 AEAD, and XChaCha20 variants for secure encryption
AES Encryption/Decryption
Securely encrypt and decrypt text using AES algorithm
RC Cipher Family (RC4/RC5/RC6)
RC family stream and block ciphers including RC4, RC4-Drop, RC5, and RC6 (AES finalist) with multiple modes