Score:0

# If ChaCha20 only has 128 bits, is it secure?

ChaCha20 also provides 256-bit encryption, i.e., 2^256 possibilities of keys. But ChaCha20 is very fast, I think it provides at most 2^256 multiplied by decrypting time. 256-bit AES provides 254-bit security due to the biclique attack, i.e., 2^254 multiplied by decrypting time. Since AES is slower than ChaCha20 (decrypting AES ciphertext needs more time), I think even if the biclique attack works, that 254-bit security is better than ChaCha20's 256-bit security. Assume that ChaCha20 only has 128-bit, is it secure?

Score:4

> Assume that ChaCha20 only has 128-bit, is it secure?

Let us think this through; suppose that our best attack is trying each key individually (which, as far as we know, is true), and that our theoretical attacker would be happy if he succeeds with probability 1% - to reach that goal, he would need to test $$2^{128}/100 \approx 3.4 \times 10^{36}$$ keys.

Suppose further that the attacker has access to one trillion ($$10^{12}$$) computers, and each one can check a key in one picosecond (that is, $$10^{-12}$$ of a second) (which, of course, is much faster than what we can do currently).

Since he can test $$10^{24}$$ keys per second, he would need $$3.4 \times 10^{36} / 10^{24} = 3.4 \times 10^{12}$$ seconds, or about 100,000 years.

So, unless you have an attacker which is happy with a significantly smaller probability of success, can amass even more computing power, or is willing to wait even longer, well, yes, it appears to be secure...

If the hardware has an accelerator for ChaCha20, how many times is ChaCha20 faster than AES? Modern computers have hardware acceleration for AES.
@Flan1335 ChaCha20 isn't faster than AES when AES-NI is used. Look at benchmarks for AES-GCM, AES-OCB, AEGIS, Rocca-S; they are all significantly faster than ChaCha20.