ChaCha20#

ChaCha20 is a stream cipher built on a symmetric block cipher close to Salsa20. It is often paired with Poly1305, a universal hash family, used as a one-time MAC (Message Authentication Code). A slightly different version is described in RFC 7539.

Summary of ANSSI rules and recommendations#
Rule or recommendation	Comments
ANSSI: recommended or obsolete?	Recommended
RègleCléSym	Follows rule 2, OK for long-term use (beyond 2026).
RecommendationCléSym	Recommended, minimum key length is 128 bits.
RègleChiffFlot	Follows rule 2, OK for long-term use (beyond 2026), no known attack requiring less than \(2^{125}\) operations.
RecommendationChiffFlot	OK, it uses a block cipher primitive with counter mode of operation. OK, it does not use a stream cipher primitive.
RègleIntegSym	OK, Poly1305 is based on a block primitive which complies with the standard. OK, no attacks using fewer than \(2^{n/2}\) calls to the underlying primitive, where \(n\) is the output size of that primitive.
RecommandationIntegSym	Recommended, proof from Bernstein that Poly1305-AES or Poly1305-AnotherFunction has a security close to the underlying primitive.

Overview#

ChaCha20 parameters#
Parameter	Value	Comment
Block size	64 bytes / 512 bits
Key length	256 bits	Treated as eight 32-bit little-endian integers.
Nonce length	96 bits	Treated as three 32-bit little-endian integers.
Block count length	32 bits	Treated as a 32-bit little-endian integers.

Some key points to keep in mind regarding this algorithm:

The nonce should not be reused: encrypting two different plaintexts with the same key and nonce results in the XOR of the plaintexts being equal to the XOR of the resulting ciphertexts, which is a strong confidentiality breach. The integrity is also affected by a nonce reuse.
The block count usually starts at 0 for ChaCha20 but in ChaCha20-Poly1305 the first block is used for Poly1305_Key_Gen so at the first encrypted block the block counter is at 1.

ANSSI rules and recommendations#

Reference: ANSSI - Guide des mécanismes cryptographiques

Symmetric keys#

RègleCléSym

For symmetric keys used up to 2025, the minimum length is 112 bits.
For symmetric keys used from 2026 onwards, the minimum length is 128 bits.

RecommendationCléSym

The minimum recommended length for symmetric keys is 128 bits.

Stream ciphers#

RègleChiffFlot

For a stream cipher algorithm used up to the end of 2025, there must not be a known attack requiring less than \(2^{100}\) operations.
For a stream cipher algorithm used in 2026 and beyond, there must not be a known attack requiring less than \(2^{125}\) operations.

RecommendationChiffFlot

It is recommended to use block cipher primitives instead of stream cipher ones. If the properties of a stream cipher are required, it is possible to use a mode of operation of a block cipher that is recommended and emulates a stream cipher.
If a stream cipher is used, it is recommended that the algorithm used has been scrutinized by academia.

Symmetric encryption#

RègleIntegSym

The most traditional symmetric integrity methods rely on block encryption or hashing mechanisms. Such primitives must comply with the reference framework.
There should be no attack on the integrity mechanism using fewer than \(2^{n/2}\) calls to the underlying primitive, where \(n\) is the output size of that primitive.

RecommandationIntegSym

It is preferable to use mechanisms that have a security proof.