Score:3

XSalsa20Poly1305 for encryption at rest


I just found a project that used XSalsa20Poly1305 for transit and encryption at rest. I am trying to find some information on whether that is something worth trusting data to.

It feels a little hard to put the information I found into context. I read that a Poly1305 (MAC) with (a good number of rounds of) Salsa20 (cipher) can be an alternative to AES.

  1. Is there a significant advantage of using XSalsa20Poly1305?
  2. Does the "X" in XSalsa20Poly1305 just mean a 192-bit nonce?

I am not a cryptographer and would love to understand some more of the details.

Score:4

While you did not mention the source, here is one. Actually, the XSalsa family is described in Bernstein's paper.

Does the "X" in XSalsa20Poly1305 just mean a 192 bit nonce?

Yes, it means the nonce size of XSalsa is 192 bits while Salsa has 64 bits. This is so huge that even for random nonces one has to generate $2^{96}$ uniform nonces so that a collision occurs with 50% probability. This is very important for long-term keys. If a (key, nonce) pair is reused then the confidentiality is lost. The 192-bit nonce prevents this. It is an almost never-going-to-happen event for cryptography.

Is there a significant advantage of using XSalsa20Poly1305?

OpenSSL comparisons (ChaCha, not Salsa):

| type | 16 bytes | 64 bytes | 256 bytes | 1024 bytes | 8192 bytes | 16384 bytes |
|---|---|---|---|---|---|---|
| chacha20 | 361334.62k | 665775.85k | 1334323.20k | 2750173.87k | 2945690.28k | 2972353.50k |
| aes-128-ctr NI | 525049.40k | 1867614.12k | 3840132.18k | 5231174.31k | 5816388.27k | 5875471.70k |
| aes-128-ctr | 190707.84k | 228983.55k | 236486.66k | 243153.92k | 242283.86k | 242614.27k |

Also, note that in the paper Bernstein provided a security proof: if Salsa20 is secure, then XSalsa is, too.

It is proven that 15 rounds of Salsa20 are secure against differential attacks.

Note that there is a new variant of the Salsa family: the ChaCha family. The ChaCha family aims to increase the diffusion per round at almost the same speed. The ChaCha family is more widely adopted than the Salsa family; TLS 1.3 uses ChaCha20-Poly1305.

ChaCha20 also has XChaCha20-Poly1305 (IETF draft), which uses the same 192-bit nonce size. It is preferable to XSalsa20-Poly1305. Note that the ChaCha family is less studied than the Salsa family because Salsa is represented in the eSTREAM project.

Prefer XChaCha20-Poly1305 if you can.


Note that authenticated encryption is a must in transit; it is advisable for data at rest.

cn flag
Fantastic input. Much appreciated.
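
What the "X" adds, as an added example (not code from the answer or from any project mentioned above): following Bernstein's XSalsa20 paper, the first 128 bits of the 192-bit nonce go through HSalsa20 to derive a subkey, and ordinary Salsa20 then runs under that subkey with the remaining 64 nonce bits. Only the keystream is shown, Poly1305 authentication is omitted, and the function names are this example's own.

```python
import struct

SIGMA = struct.unpack("<4I", b"expand 32-byte k")   # Salsa20 constants
# (a, b, c, d) word indices: four column quarter-rounds, then four row quarter-rounds
QUARTER_ROUNDS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                  (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]
MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _rounds(state):
    """20 Salsa20 rounds (10 double rounds), without the final feed-forward."""
    x = list(state)
    for _ in range(10):
        for a, b, c, d in QUARTER_ROUNDS:
            x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
            x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
            x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
            x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)
    return x

def _state(key, middle16):
    """4x4 word matrix: constants on the diagonal, key around 16 input bytes."""
    k, m = struct.unpack("<8I", key), struct.unpack("<4I", middle16)
    return [SIGMA[0], *k[:4], SIGMA[1], *m, SIGMA[2], *k[4:], SIGMA[3]]

def hsalsa20(key, nonce16):
    """Derive a 256-bit subkey from the key and the first 128 nonce bits."""
    z = _rounds(_state(key, nonce16))
    return struct.pack("<8I", z[0], z[5], z[10], z[15], z[6], z[7], z[8], z[9])

def salsa20_block(key, nonce8, counter):
    """One 64-byte keystream block of plain Salsa20 (64-bit nonce, 64-bit counter)."""
    s = _state(key, nonce8 + struct.pack("<Q", counter))
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(s, _rounds(s))))

def xsalsa20_stream(key, nonce24, length):
    """XSalsa20 = Salsa20 under HSalsa20(key, nonce[:16]) with nonce[16:24]."""
    if len(key) != 32 or len(nonce24) != 24:
        raise ValueError("need a 32-byte key and a 24-byte (192-bit) nonce")
    subkey = hsalsa20(key, nonce24[:16])
    blocks = (salsa20_block(subkey, nonce24[16:], i) for i in range(-(-length // 64)))
    return b"".join(blocks)[:length]

def xsalsa20_xor(key, nonce24, data):
    """Encrypt or decrypt (same operation); no Poly1305 tag is computed here."""
    return bytes(p ^ k for p, k in zip(data, xsalsa20_stream(key, nonce24, len(data))))
```

Real deployments should call a vetted library such as libsodium's `crypto_secretbox`, which also computes and checks the Poly1305 tag.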