The Salsa20 Family of Stream Ciphers

  • Daniel J. Bernstein
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4986)


Salsa20 is a family of 256-bit stream ciphers designed in 2005 and submitted to eSTREAM, the ECRYPT Stream Cipher Project. Salsa20 has progressed to the third round of eSTREAM without any changes. The 20-round stream cipher Salsa20/20 is consistently faster than AES and is recommended by the designer for typical cryptographic applications. The reduced-round ciphers Salsa20/12 and Salsa20/8 are among the fastest 256-bit stream ciphers available and are recommended for applications where speed is more important than confidence. The fastest known attacks use ≈ 2153 simple operations against Salsa20/7, ≈ 2249 simple operations against Salsa20/8, and ≈ 2255 simple operations against Salsa20/9, Salsa20/10, etc. In this paper, the Salsa20 designer presents Salsa20 and discusses the decisions made in the Salsa20 design.


Block Cipher Advance Encryption Standard Stream Cipher Basic Argument Encryption Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    MPC7450 RISC microprocessor family reference manual, Freescale Semiconductor (2005),
  2. 2.
    Aumasson, J.-P., Fischer, S., Khazaei, S., Meier, W., Rechberger, C.: New features of Latin dances: analysis of Salsa, ChaCha, and Rumba (2007),
  3. 3.
    Barua, R., Lange, T. (eds.): INDOCRYPT 2006. LNCS, vol. 4329. Springer, Heidelberg (2006) See [14] zbMATHGoogle Scholar
  4. 4.
    Bernstein, D.J.: The Poly1305-AES message-authentication code in [15], pp. 32–49 (2005) (ID 0018d9551b5546d97c340e0dd8cb5750),
  5. 5.
    Bernstein, D.J.: Cache-timing attacks on AES (2005) (ID cd9faae9bd5308c440df50fc26a517b4),
  6. 6.
    Bernstein, D.J.: The Salsa20 stream cipher, slides of talk. In: ECRYPT STVL Workshop on Symmetric Key Encryption (2005),
  7. 7.
    Bernstein, D.J.: Understanding brute force. In: Workshop Record of ECRYPT STVL Workshop on Symmetric Key Encryption, eSTREAM report 2005/036 (2005) (ID 73e92f5b71793b498288efe81fe55dee),
  8. 8.
    Bernstein, D.J.: Cycle counts for authenticated encryption. In: Workshop Record of SASC 2007: The State of the Art of Stream Ciphers, eSTREAM report 2007/015 (2007) (ID be6b4df07eb1ae67aba9338991b78388),
  9. 9.
    Bernstein, D.J.: Polynomial evaluation and message authentication (2007) (ID b1ef3f2d385a926123e1517392e20f8c),
  10. 10.
    Burwick, C., Coppersmith, D., D’Avignon, E., Gennaro, R., Halevi, S., Jutla, C., Matyas Jr., S.M., OĆonnor, L., Peyravian, M., Safford, D., Zunic, N.: MARS: a candidate cipher for AES (1999),
  11. 11.
    Crowley, P.: Truncated differential cryptanalysis of five rounds of Salsa20. In: Workshop Record of SASC 2006: Stream Ciphers Revisted, eSTREAM technical report 2005/073 (2005),
  12. 12.
    Davies, D.W. (ed.): EUROCRYPT 1991. LNCS, vol. 547. Springer, Heidelberg (1991) See [17]zbMATHGoogle Scholar
  13. 13.
    Ferguson, N., Whiting, D., Schneier, B., Kelsey, J., Lucks, S., Kohno, T.: Helix: fast encryption and authentication in a single cryptographic primitive, in [16], pp. 330–346 (2003),
  14. 14.
    Fischer, S., Meier, W., Berbain, C., Biasse, J.-F., Robshaw, M.J.B.: Non-randomness in eSTREAM candidates Salsa20 and TSC-4, in [3], pp. 2–16 (2006)Google Scholar
  15. 15.
    Gilbert, H., Handschuh, H. (eds.): FSE 2005. LNCS, vol. 3557. Springer, Heidelberg (2005), See [4]Google Scholar
  16. 16.
    Johansson, T. (ed.): FSE 2003. LNCS, vol. 2887. Springer, Heidelberg (2003), See [13] Google Scholar
  17. 17.
    Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis, in [12], pp. 17–38 (1991)Google Scholar
  18. 18.
    Matsui, M., Nakajima, J.: On the power of bitslice implementation on Intel Core2 Processor, in [20], pp. 121–134 (2007)Google Scholar
  19. 19.
    Nechvatal, J., Barker, E., Bassham, L., Burr, W., Dworkin, M., Foti, J., Roback, E.: Report on the development of the Advanced Encryption Standard (AES). Journal of Research of the National Institute of Standards and Technology 106 (2001),
  20. 20.
    Paillier, P., Verbauwhede, I. (eds.): CHES 2007. LNCS, vol. 4727. Springer, Heidelberg (2007) See [18]Google Scholar
  21. 21.
    Preneel, B. (ed.): FSE 1994. LNCS, vol. 1008. Springer, Heidelberg (1995) See [23]Google Scholar
  22. 22.
    Tsunoo, Y., Saito, T., Kubo, H., Suzaki, T., Nakashima, H.: Differential cryptanalysis of Salsa20/8. In: Workshop Record of SASC 2007: The State of the Art of Stream Ciphers, eSTREAM report 2007/010 (2007),
  23. 23.
    Wheeler, D.J., Needham, R.M.: TEA, a tiny encryption algorithm, in [21], pp. 363–366 (1995) Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Daniel J. Bernstein
    • 1
  1. 1.Department of Mathematics, Statistics, and Computer Science (M/C 249)The University of Illinois at ChicagoChicago 

Personalised recommendations