If ChaCha20 only has 128 bits, is it secure?

ChaCha20 also provides 256-bit encryption, i.e., 2^256 possibilities of keys. But ChaCha20 is very fast, I think it provides at most 2^256 multiplied by decrypting time. 256-bit AES provides 254-bit security due to the biclique attack, i.e., 2^254 multiplied by decrypting time. Since AES is slower than ChaCha20 (decrypting AES ciphertext needs more time), I think even if the biclique attack works, that 254-bit security is better than ChaCha20's 256-bit security. Assume that ChaCha20 only has 128-bit, is it secure?

Assume that ChaCha20 only has 128-bit, is it secure?

Let us think this through; suppose that our best attack is trying each key individually (which, as far as we know, is true), and that our theoretical attacker would be happy if he succeeds with probability 1% - to reach that goal, he would need to test $2^{128}/100 \approx 3.4 \times 10^{36}$ keys.

Suppose further that the attacker has access to one trillion ($10^{12}$) computers, and each one can check a key in one picosecond (that is, $10^{-12}$ of a second) (which, of course, is much faster than what we can do currently).

Since he can test $10^{24}$ keys per second, he would need $3.4 \times 10^{36} / 10^{24} = 3.4 \times 10^{12}$ seconds, or about 100,000 years.

So, unless you have an attacker which is happy with a significantly smaller probability of success, can amass even more computing power, or is willing to wait even longer, well, yes, it appears to be secure...

Flan1335: If the hardware has an accelerator for ChaCha20, how many times is ChaCha20 faster than AES? Modern computers have hardware acceleration for AES.
samuel-lucas6: @Flan1335 ChaCha20 isn't faster than AES when AES-NI is used. Look at benchmarks for AES-GCM, AES-OCB, AEGIS, Rocca-S; they are all significantly faster than ChaCha20.