ChaCha20#

ChaCha20 is a stream cipher built on a symmetric block cipher close to Salsa20. It is often paired with Poly1305, a universal hash family, used as a one-time MAC (Message Authentication Code). A slightly different version is described in RFC 7539.

Summary of ANSSI rules and recommendations#

Rule or recommendation

Comments

ANSSI: recommended or obsolete?

Recommended

RègleCléSym

Follows rule 2, OK for long-term use (beyond 2026).

RecommendationCléSym

Recommended, minimum key length is 128 bits.

RègleChiffFlot

Follows rule 2, OK for long-term use (beyond 2026), no known attack requiring less than \(2^{125}\) operations.

RecommendationChiffFlot

  1. OK, it uses a block cipher primitive with counter mode of operation.

  2. OK, it does not use a stream cipher primitive.

RègleIntegSym

  1. OK, Poly1305 is based on a block primitive which complies with the standard.

  2. OK, no attacks using fewer than \(2^{n/2}\) calls to the underlying primitive, where \(n\) is the output size of that primitive.

RecommandationIntegSym

Recommended, proof from Bernstein that Poly1305-AES or Poly1305-AnotherFunction has a security close to the underlying primitive.

Overview#

ChaCha20 parameters#

Parameter

Value

Comment

Block size

64 bytes / 512 bits

Key length

256 bits

Treated as eight 32-bit little-endian integers.

Nonce length

96 bits

Treated as three 32-bit little-endian integers.

Block count length

32 bits

Treated as a 32-bit little-endian integers.

Some key points to keep in mind regarding this algorithm:

  • The nonce should not be reused: encrypting two different plaintexts with the same key and nonce results in the XOR of the plaintexts being equal to the XOR of the resulting ciphertexts, which is a strong confidentiality breach. The integrity is also affected by a nonce reuse.

  • The block count usually starts at 0 for ChaCha20 but in ChaCha20-Poly1305 the first block is used for Poly1305_Key_Gen so at the first encrypted block the block counter is at 1.

ANSSI rules and recommendations#

Symmetric keys#

RègleCléSym

  1. For symmetric keys used up to 2025, the minimum length is 112 bits.

  2. For symmetric keys used from 2026 onwards, the minimum length is 128 bits.

RecommendationCléSym

The minimum recommended length for symmetric keys is 128 bits.

Stream ciphers#

RègleChiffFlot

  1. For a stream cipher algorithm used up to the end of 2025, there must not be a known attack requiring less than \(2^{100}\) operations.

  2. For a stream cipher algorithm used in 2026 and beyond, there must not be a known attack requiring less than \(2^{125}\) operations.

RecommendationChiffFlot

  1. It is recommended to use block cipher primitives instead of stream cipher ones. If the properties of a stream cipher are required, it is possible to use a mode of operation of a block cipher that is recommended and emulates a stream cipher.

  2. If a stream cipher is used, it is recommended that the algorithm used has been scrutinized by academia.

Symmetric encryption#

RègleIntegSym

  1. The most traditional symmetric integrity methods rely on block encryption or hashing mechanisms. Such primitives must comply with the reference framework.

  2. There should be no attack on the integrity mechanism using fewer than \(2^{n/2}\) calls to the underlying primitive, where \(n\) is the output size of that primitive.

RecommandationIntegSym

  1. It is preferable to use mechanisms that have a security proof.