ChaCha20 is considered 256-bit secure (no attack faster than brute force). However, the best known cryptanalysis that I know of is on ChaCha7.

That gives ChaCha20 a rather large security margin (much larger than, say, AES-256). Is ChaCha12 still considered to be 256-bit secure (as in "considered usable when top performance and 256-bit security are needed, no HW AES support, and ChaCha20 is too slow")?

Demi

  • I would say yes... for now. The best results on 7-round still had a workload close to $2^{239}$, resulting in 256-bit security with 8 rounds, leaving a fair margin at 12 rounds. I would not be overly concerned unless you are looking at 20+ year security from a well funded attacker – Richie Frame Feb 22 '16 at 08:50

1 Answer

Yes, the best attack still seems to be on 7 rounds. Namely, "Improved Key Recovery Attacks on Reduced-Round Salsa20 and ChaCha" shows a $2^{246.5}$ time attack on the 7-round variant.

So even the 12-round variant has a decent security margin – better than AES-256 had when standardized, much less currently.

otus
  • Isn't only 8 rounds of AES-256 broken in the single secret key model? I thought that all of the attacks on more than 8 rounds were related-key attacks. – Demi May 14 '16 at 00:02
  • @Demetri, yes all the "worst" attacks are all related-key. If you only take into account single-key attacks, AES and ChaCha are pretty close in terms of rounds broken. While related-key attacks are not realistic, I still think they can be taken as evidence of weaknesses which may allow further breaks. – otus May 14 '16 at 05:54
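The "ChaCha7 / ChaCha12 / ChaCha20" naming in the question and answer refers to the same block function run for a different number of rounds; the round count is the only difference. The following round-parameterised block function (an added illustration, not code from the question, the answer, or any reference implementation) makes that concrete and checks the full 20-round variant against the RFC 8439 section 2.3.2 test vector. It assumes the RFC 8439 state layout (32-bit block counter, 96-bit nonce); the original ChaCha paper uses a 64-bit counter and 64-bit nonce, which only changes how words 12 to 15 are filled.

```python
import struct

MASK32 = 0xffffffff

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def _quarter_round(s, a, b, c, d):
    # The ChaCha quarter-round (RFC 8439 section 2.1) applied in place to four state words.
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha_block_words(key, counter, nonce, rounds=20):
    """ChaCha block function in the RFC 8439 layout (32-bit counter, 96-bit nonce).
    `rounds` is the only thing that distinguishes ChaCha20, ChaCha12 and ChaCha8; it must
    be even because rounds are applied as column/diagonal double-rounds."""
    if len(key) != 32 or len(nonce) != 12 or rounds % 2:
        raise ValueError("need a 32-byte key, a 12-byte nonce and an even round count")
    state = list(struct.unpack('<4I', b'expand 32-byte k'))   # the "sigma" constants
    state += struct.unpack('<8I', key)
    state += [counter & MASK32] + list(struct.unpack('<3I', nonce))
    work = state[:]
    for _ in range(rounds // 2):
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)    # column round
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)  # diagonal round
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    # Feed-forward: adding the initial state is what stops the rounds being simply inverted.
    return [(w + s) & MASK32 for w, s in zip(work, state)]

def chacha_block(key, counter, nonce, rounds=20):
    """Serialized 64-byte keystream block (little-endian words)."""
    return struct.pack('<16I', *chacha_block_words(key, counter, nonce, rounds))

# RFC 8439 section 2.3.2 test vector: key 00..1f, block counter 1, nonce 00:00:00:09:00:00:00:4a:00:00:00:00.
RFC8439_KEY = bytes(range(32))
RFC8439_NONCE = bytes.fromhex('000000090000004a00000000')
RFC8439_WORDS = [0xe4e7f110, 0x15593bd1, 0x1fdd0f50, 0xc47120a3,
                 0xc7f4d1c7, 0x0368c033, 0x9aaa2204, 0x4e6cd4c3,
                 0x466482d2, 0x09aa9f07, 0x05d7c214, 0xa2028bd9,
                 0xd19c12b5, 0xb94e16de, 0xe883d0cb, 0x4e3c50a2]

def chacha20_matches_rfc():
    return chacha_block_words(RFC8439_KEY, 1, RFC8439_NONCE, 20) == RFC8439_WORDS

if __name__ == '__main__':
    print("ChaCha20 matches RFC 8439 test vector:", chacha20_matches_rfc())
    for r in (8, 12, 20):   # same key and nonce, different round counts: incompatible keystreams
        print(f"ChaCha{r} block:", chacha_block(RFC8439_KEY, 1, RFC8439_NONCE, r).hex()[:32], "...")
```

Because ChaCha12 and ChaCha20 yield unrelated keystreams for the same key and nonce, an implementation that exposes the round count must pin it per protocol; a reduced-round variant is never a drop-in for the full one.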