Salsa20 Encryption
High-speed stream cipher with extended nonce variant
Client-Side Security
All encryption and decryption operations are performed locally in your browser. No data is ever sent to any server.
Initial block counter value (usually 0 for encryption, same value for decryption)
About Salsa20
Salsa20 is a stream cipher designed by Daniel J. Bernstein in 2005. It uses a 256-bit key and 64-bit nonce to generate a keystream that is XORed with plaintext to produce ciphertext. The cipher is designed for high performance in software implementations.
Salsa20 was submitted to the eSTREAM project and selected as a finalist in the software profile. It forms the basis for the ChaCha family of ciphers.
Algorithm Comparison
| Algorithm | Rounds | Nonce Length | Speed | Best For |
|---|---|---|---|---|
| Salsa20/20 | 20 | 64 bits (8 bytes) | Standard | General encryption, high security |
| Salsa20/12 | 12 | 64 bits (8 bytes) | Fast | Performance-critical applications |
| Salsa20/8 | 8 | 64 bits (8 bytes) | Fastest | Maximum speed scenarios |
| XSalsa20 | 20 | 192 bits (24 bytes) | Standard | Random nonce, NaCl/libsodium |
How Salsa20 Works
Salsa20 operates on a 4×4 matrix of 32-bit words (512 bits total). The initial state consists of the key (256 bits), nonce (64 bits), counter (64 bits), and four constant words forming the string 'expand 32-byte k'.
The core function applies 20 rounds of the quarterround operation, which uses only add-rotate-XOR (ARX) operations. This makes Salsa20 efficient in software and resistant to timing attacks.
XSalsa20 extends the nonce to 192 bits using HSalsa20, a variant that derives a subkey from the first 128 bits of the nonce, leaving 64 bits for the actual nonce. This allows safe random nonce generation.
Round Variants
- Salsa20/20 (20 rounds) - The standard variant providing full security margin. Recommended for most applications.
- Salsa20/12 (12 rounds) - eSTREAM portfolio selection. Provides good security with better performance.
- Salsa20/8 (8 rounds) - Fastest variant. No known practical attacks, but reduced security margin.
Key Features
- High Performance: Optimized for software, achieving 3-4 cycles per byte on modern CPUs
- Simple Design: Uses only ARX operations, easy to implement without lookup tables
- Constant-time: Resistant to cache-timing side-channel attacks
- Large Counter: 64-bit counter allows encrypting up to 2^70 bytes per key-nonce pair
- Extended Nonce: XSalsa20's 192-bit nonce enables random nonce generation
Security Considerations
- Never reuse a nonce with the same key - this completely breaks security
- Salsa20 provides only encryption, not authentication - combine with Poly1305 for AEAD
- For random nonces, use XSalsa20 to minimize collision probability
- Use proper KDF (HKDF, Argon2) to derive keys from passwords
Real-World Usage
- NaCl/libsodium: XSalsa20-Poly1305 is the default AEAD construction
- Encryption tools: Many file encryption utilities use Salsa20 variants
- Password managers: Some use Salsa20 for encrypting stored credentials
- Game engines: Used for fast encryption in networked games
References
- D.J. Bernstein - Salsa20 Specification
- eSTREAM Project - Stream Cipher Portfolio
- Wikipedia - Salsa20
- NaCl - Networking and Cryptography Library
FAQ
What's the difference between Salsa20 and ChaCha20?
ChaCha20 is a modification of Salsa20 with improved diffusion per round. ChaCha20 achieves better security per round, which is why it became the IETF standard. For new projects, ChaCha20 is generally preferred.
Which round variant should I use?
Use Salsa20/20 for maximum security. Salsa20/12 is a good balance of speed and security. Only use Salsa20/8 when performance is absolutely critical and your threat model allows reduced security margin.
When should I use XSalsa20?
Use XSalsa20 when you need to generate random nonces. Its 192-bit nonce space makes collisions virtually impossible with random generation. Standard Salsa20's 64-bit nonce requires careful counter management.
Is Salsa20 secure without authentication?
Salsa20 alone provides only confidentiality, not integrity. An attacker can modify ciphertext without detection. Always combine with Poly1305 or another MAC for authenticated encryption.
Can I use this tool for production?
This tool is for educational and development purposes. While the implementation follows the specification, production systems should use well-audited cryptographic libraries like libsodium, OpenSSL, or platform-provided APIs.
Related Tools
ChaCha20 Encryption
Modern stream cipher with ChaCha20, ChaCha20-Poly1305 AEAD, and XChaCha20 variants for secure encryption
AES Encryption/Decryption
Securely encrypt and decrypt text using AES algorithm
RC Cipher Family (RC4/RC5/RC6)
RC family stream and block ciphers including RC4, RC4-Drop, RC5, and RC6 (AES finalist) with multiple modes