Salsa20 Encryption
High-speed stream cipher with extended nonce variant
Client-Side Security
Salsa20 is an ARX stream cipher (Add-Rotate-XOR) with no lookup tables, inherently constant-time and immune to cache-timing attacks. Key security requirement: nonces must NEVER be reused under the same key. Use XSalsa20 (192-bit nonce) to enable safe random nonce generation. Salsa20/20 has no known full-round attacks as of 2025.
About Salsa20
Salsa20 is an ARX stream cipher designed by Daniel J. Bernstein and submitted to the eSTREAM competition in 2005. It operates on a 4×4 matrix of 32-bit words (512-bit total state) using only addition (mod 2³²), bitwise rotation, and XOR — no S-boxes, no lookup tables. This ARX structure makes Salsa20 execution time independent of key or data values, providing inherent resistance to cache-timing side-channel attacks. A 64-bit stream counter allows random access to any position in the keystream without processing earlier blocks.
Salsa20 was selected for the eSTREAM Portfolio Profile 1 (software) in 2008 after a rigorous multi-year evaluation. Bernstein also defined XSalsa20 in 2011: it uses the HSalsa20 function to derive a 256-bit subkey from the first 128 bits of a 192-bit nonce and the original key, feeding the derived subkey and remaining 64-bit nonce into Salsa20/20. This construction enables random 192-bit nonce generation without birthday-bound concern, making XSalsa20 the foundation of NaCl’s secretbox (XSalsa20-Poly1305 AEAD).
Algorithm Comparison
| Algorithm | Rounds | Nonce Length | Speed | Best For |
|---|---|---|---|---|
| Salsa20/20 | 20 | 64 bits (8 bytes) | Standard | Long-lived session encryption with strictly managed sequential nonces; high-throughput data encryption; security analysis and eSTREAM-certified deployments |
| Salsa20/12 | 12 | 64 bits (8 bytes) | Fast | High-performance encryption where the full 20-round margin exceeds requirements; Bernstein-recommended performance-security trade-off; eSTREAM portfolio profile software recommendation |
| Salsa20/8 | 8 | 64 bits (8 bytes) | Fastest | Benchmarking stream cipher implementations; cryptographic research and performance measurement; not for security-critical data encryption |
| XSalsa20 | 20 | 192 bits (24 bytes) | Standard | Applications generating nonces randomly or where nonce uniqueness management is impractical; NaCl/libsodium secretbox compatibility; multi-party key sharing where independent nonce counters cannot be synchronized |
How Salsa20 Works
Salsa20 initializes a 4×4 matrix of 32-bit words: four constant words encoding the ASCII string “expand 32-byte k” (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574), eight 32-bit words from the 256-bit key, two 32-bit words from the 64-bit stream counter (position 0), and two 32-bit words from the 64-bit nonce.
The core round function is the quarter-round on (a, b, c, d), with rotations 7, 9, 13, 18: b ⊕= (a+d) <<< 7; c ⊕= (b+a) <<< 9; d ⊕= (c+b) <<< 13; a ⊕= (d+c) <<< 18, where + is addition mod 2³² and <<< is left rotation of a 32-bit word. A double round applies a column round (quarter-round on each column) followed by a diagonal round (quarter-round on each diagonal of the 4×4 matrix). Salsa20/20 applies 10 such double rounds (20 rounds total). The final output block = XOR of the 20-round transformed state with the original input state (not just the result of the rounds alone).
The 64-bit stream counter increments by 1 per 64-byte keystream block, enabling a total keystream of 2⁶⁴ × 64 = 2⁷² bytes per (key, nonce) pair. Stream-cipher output XORs with plaintext: identical positions in encryption and decryption use the same keystream byte. Counter-based construction enables seeking to any keystream position by setting the counter value, allowing parallel encryption of independent 64-byte segments.
Round Variants
- Salsa20/20 (20 rounds, standard): the full variant; 10 column-diagonal double rounds, maximum security margin; eSTREAM nominated; no full-round attacks known (best published attack: Crowley 2005 reduced to theoretical note); recommended for all security-critical applications.
- Salsa20/12 (12 rounds): reduced-round variant with 6 double rounds; Bernstein’s recommended performance-security balance; faster than Salsa20/20 by approximately 35%; no known attacks on 12 rounds; included in eSTREAM portfolio as secondary recommendation.
- Salsa20/8 (8 rounds): fastest reduced-round variant with 4 double rounds; known distinguishers and reduced-security results exist (Aumasson et al. 2008 reduced 8-round attack complexity to 2^249 from 2^256 brute-force); not recommended for new security-sensitive deployments; use only for benchmarking or research.
Key Features
- ARX design (Add-Rotate-XOR): no S-boxes, no lookup tables; all operations are 32-bit addition, bitwise rotation, and XOR; execution time is independent of key or data values, providing inherent immunity to cache-timing and table-lookup side-channel attacks.
- Large keystream via 64-bit counter: 2^64 blocks × 64 bytes = 2^74 bytes of keystream per (key, nonce) pair; supports random-access to any 64-byte keystream block by setting the counter value without reprocessing prior blocks.
- 64-bit nonce (Salsa20 base): requires strict application-level nonce uniqueness; across 2^32 messages under the same key, birthday-bound probability of accidental nonce collision becomes non-negligible; use XSalsa20 (192-bit nonce) for long-lived or shared keys.
- XSalsa20 (192-bit nonce, Bernstein 2011): HSalsa20 derives a 256-bit subkey from (key, nonce[0:128]), which feeds Salsa20/20 with the remaining nonce[128:192]; enables completely random nonce generation (no nonce management needed); NaCl/libsodium secretbox standard.
- eSTREAM Portfolio Profile 1 (software, 2008): selected after a multi-year public evaluation by an independent panel; Salsa20/12 is the eSTREAM portfolio primary software cipher; Salsa20/20 provides maximum security margin; no breaks of 12 or 20 round variants known.
Security Considerations
- Nonce reuse is catastrophic: encrypting two plaintexts with the same (key, nonce, counter) produces ciphertexts whose XOR equals the XOR of the plaintexts, enabling full plaintext recovery. Enforce globally unique nonces (e.g., counter-based nonce allocation or random XSalsa20 nonces). XSalsa20 with a 192-bit random nonce reduces the NaCl secretbox nonce collision probability to negligible even with billions of messages.
- Short nonce birthday bound (Salsa20 only): with a 64-bit nonce, after approximately 2^32 messages under the same key, the probability of a random nonce collision becomes approximately 50%. Use unique sequential nonces, or switch to XSalsa20 (192-bit nonce) which makes birthday collision probability negligible across any realistic message volume.
- Round-reduction attacks: no attacks on Salsa20/20 or Salsa20/12 are known. For Salsa20/8 (8 rounds), Aumasson et al. (2008) demonstrated distinguisher attacks with reduced complexity compared to brute force. If security is a requirement, use Salsa20/20; use Salsa20/8 only for performance benchmarking.
- No authentication: Salsa20 provides confidentiality only. Ciphertext modification is undetectable without a separate message authentication code. Use XSalsa20-Poly1305 (NaCl secretbox) or ChaCha20-Poly1305 (RFC 8439) for authenticated encryption. Never use bare Salsa20 (without MAC) where ciphertext integrity must be verified.
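The block function and stream counter from How Salsa20 Works, together with the nonce-reuse failure listed above, as an added Python example (not code from this page or from any library). It follows Bernstein's Salsa20 specification: rotations 7, 9, 13, 18, a double round made of a column round then a row round, and a feed-forward that adds the input state word by word mod 2³²; the key, nonce and plaintexts are constructed sample values.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # the four constant words
# (a, b, c, d) word indices for the column round, then the row round.
COLUMNS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)]
ROWS = [(0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def rotl(x, n):
    return ((x << n) & MASK) | (x >> (32 - n))

def quarter_round(a, b, c, d):
    b ^= rotl((a + d) & MASK, 7)
    c ^= rotl((b + a) & MASK, 9)
    d ^= rotl((c + b) & MASK, 13)
    a ^= rotl((d + c) & MASK, 18)
    return a, b, c, d

def salsa20_block(key, nonce, counter, rounds=20):
    """One 64-byte keystream block for a 32-byte key and 8-byte nonce."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    ctr = (counter & MASK, (counter >> 32) & MASK)
    init = [SIGMA[0], *k[:4], SIGMA[1], *n, *ctr, SIGMA[2], *k[4:], SIGMA[3]]
    x = list(init)
    for _ in range(rounds // 2):  # one double round per iteration
        for i, j, m, p in COLUMNS + ROWS:
            x[i], x[j], x[m], x[p] = quarter_round(x[i], x[j], x[m], x[p])
    # Feed-forward: add the input state word by word (mod 2^32).
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, init)))

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def salsa20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt: XOR data with keystream from block `counter` on."""
    return b"".join(
        xor_bytes(data[o:o + 64], salsa20_block(key, nonce, counter + o // 64))
        for o in range(0, len(data), 64))

def reuse_leak(key, nonce, p1, p2):
    """XOR of two ciphertexts made under the same (key, nonce, counter)."""
    return xor_bytes(salsa20_xor(key, nonce, p1), salsa20_xor(key, nonce, p2))

if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(8)   # constructed sample values
    msg = bytes(range(200))                   # constructed plaintext
    ct = salsa20_xor(key, nonce, msg)
    # Seeking: decrypt only the third block by starting the counter at 2.
    print(salsa20_xor(key, nonce, ct[128:192], counter=2) == msg[128:192])
    # Nonce reuse: the keystream cancels, exposing P1 xor P2 without the key.
    p1, p2 = b"invoice 1001 paid", b"invoice 2002 open"
    print(reuse_leak(key, nonce, p1, p2) == xor_bytes(p1, p2))
```

`reuse_leak` never needs the key to reach its result, which is why a repeated (key, nonce, counter) triple is a confidentiality failure regardless of round count.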
Real-World Usage
- NaCl secretbox / libsodium crypto_secretbox_xsalsa20poly1305: XSalsa20-Poly1305 was the original authenticated symmetric encryption primitive in Daniel Bernstein’s NaCl networking and cryptography library, providing AEAD with 192-bit nonce and Poly1305 authentication; still widely deployed in libsodium-based applications.
- eSTREAM Portfolio Profile 1 (software, 2008): Salsa20/12 selected as a primary software stream cipher candidate after a 4-year public competition (2004–2008) organized by the ECRYPT Network of Excellence; evaluated alongside RC4, SNOW 3G, and other candidates.
- Influence on ChaCha20: Bernstein designed ChaCha20 (2008) as a variant of Salsa20 with improved per-round diffusion; ChaCha20 uses a different matrix layout and quarter-round rotation constants, achieving better bit diffusion in fewer rounds compared to Salsa20. All ChaCha20 security properties derive from the Salsa20 ARX framework.
- Legacy cryptographic systems: many early libsodium-based VPN tools, file encryption utilities, and messaging applications used XSalsa20-Poly1305 before ChaCha20-Poly1305 was standardized in RFC 7539 (2015) / RFC 8439 (2018). XSalsa20 remains valid and supported for these deployments.