ChaCha20#
ChaCha20 is a stream cipher built on a symmetric block cipher close to Salsa20. It is often paired with Poly1305, a universal hash family, used as a one-time MAC (Message Authentication Code). A slightly different version is described in RFC 7539.
Rule or recommendation |
Comments |
---|---|
ANSSI: recommended or obsolete? |
Recommended |
Follows rule 2, OK for long-term use (beyond 2026). |
|
Recommended, minimum key length is 128 bits. |
|
Follows rule 2, OK for long-term use (beyond 2026), no known attack requiring less than \(2^{125}\) operations. |
|
|
|
|
|
Recommended, proof from Bernstein that Poly1305-AES or Poly1305-AnotherFunction has a security close to the underlying primitive. |
Overview#
Parameter | Value | Comment |
---|---|---|
Block size | 64 bytes / 512 bits | |
Key length | 256 bits | Treated as eight 32-bit little-endian integers. |
Nonce length | 96 bits | Treated as three 32-bit little-endian integers. |
Block count length | 32 bits | Treated as a 32-bit little-endian integer. |
Some key points to keep in mind regarding this algorithm:
- The nonce should not be reused: encrypting two different plaintexts with the same key and nonce results in the XOR of the plaintexts being equal to the XOR of the resulting ciphertexts, which is a strong confidentiality breach. Integrity is also affected by nonce reuse.
- The block count usually starts at 0 for ChaCha20, but in ChaCha20-Poly1305 the first block is used for `Poly1305_Key_Gen`, so the block counter is at 1 for the first encrypted block.
ANSSI rules and recommendations#
Symmetric keys#
RègleCléSym
For symmetric keys used up to 2025, the minimum length is 112 bits.
For symmetric keys used from 2026 onwards, the minimum length is 128 bits.
RecommendationCléSym
The minimum recommended length for symmetric keys is 128 bits.
Stream ciphers#
RègleChiffFlot
For a stream cipher algorithm used up to the end of 2025, there must not be a known attack requiring less than \(2^{100}\) operations.
For a stream cipher algorithm used in 2026 and beyond, there must not be a known attack requiring less than \(2^{125}\) operations.
RecommendationChiffFlot
It is recommended to use block cipher primitives instead of stream cipher ones. If the properties of a stream cipher are required, it is possible to use a mode of operation of a block cipher that is recommended and emulates a stream cipher.
If a stream cipher is used, it is recommended that the algorithm used has been scrutinized by academia.
Symmetric encryption#
RègleIntegSym
The most traditional symmetric integrity methods rely on block encryption or hashing mechanisms. Such primitives must comply with the reference framework.
There should be no attack on the integrity mechanism using fewer than \(2^{n/2}\) calls to the underlying primitive, where \(n\) is the output size of that primitive.
RecommandationIntegSym
It is preferable to use mechanisms that have a security proof.