Salsa20 Online Encryption/Decryption
High-speed stream cipher encryption/decryption tool supporting Salsa20, Salsa20/12, Salsa20/8 and XSalsa20 variants
About Salsa20
Salsa20 is a stream cipher designed by Daniel J. Bernstein in 2005. It uses a 256-bit key and a 64-bit nonce to generate a keystream, which is XORed with the plaintext to produce the ciphertext. The cipher is designed for high performance in software implementations.
Salsa20 was submitted to the eSTREAM project and selected as a finalist in the software profile. It is the basis for the ChaCha cipher family.
Algorithm Comparison
| Algorithm | Rounds | Nonce Length | Speed | Best Use Case |
|---|---|---|---|---|
| Salsa20/20 | 20 | 64 bits (8 bytes) | Standard | General encryption, high security |
| Salsa20/12 | 12 | 64 bits (8 bytes) | Fast | Performance-critical applications |
| Salsa20/8 | 8 | 64 bits (8 bytes) | Fastest | Maximum speed scenarios |
| XSalsa20 | 20 | 192 bits (24 bytes) | Standard | Random nonce, NaCl/libsodium |
How Salsa20 Works
Salsa20 operates on a 4×4 matrix of 32-bit words (512 bits total). The initial state consists of the key (256 bits), nonce (64 bits), counter (64 bits), and four constant words that form the string 'expand 32-byte k'.
The core function applies 20 rounds, each built from quarter-round operations that use only addition, rotation and XOR (ARX). Because ARX needs no lookup tables, Salsa20 is efficient in software and resistant to timing attacks.
XSalsa20 uses HSalsa20 to extend the nonce to 192 bits. HSalsa20 derives a subkey from the key and the first 128 bits of the nonce, and the remaining 64 bits serve as the actual Salsa20 nonce. A nonce this long can safely be generated at random.
Round Variants
- Salsa20/20 (20 rounds) - Standard variant providing full security margin. Recommended for most applications.
- Salsa20/12 (12 rounds) - eSTREAM portfolio selection. Provides a good balance between performance and security.
- Salsa20/8 (8 rounds) - Fastest variant. No known practical attacks, but reduced security margin.
Key Features
- High Performance: Optimized for software, requires only 3-4 clock cycles per byte on modern CPUs
- Simple Design: Uses only ARX operations, easy to implement without lookup tables
- Constant Time: Resistant to cache timing side-channel attacks
- Large Counter: 64-bit counter allows encryption of up to 2^70 bytes per key-nonce pair
- Extended Nonce: XSalsa20's 192-bit nonce supports random nonce generation
Security Considerations
- Never reuse a nonce under the same key; doing so completely breaks security
- Salsa20 provides encryption only, not authentication; pair it with Poly1305 to get authenticated encryption (AEAD)
- For random nonces, use XSalsa20 to minimize collision probability
- Use a proper KDF (HKDF, Argon2) to derive keys from passwords
Real-World Usage
- NaCl/libsodium: XSalsa20-Poly1305 is the default AEAD construction
- Encryption Tools: Many file encryption utilities use Salsa20 variants
- Password Managers: Some use Salsa20 to encrypt stored credentials
- Game Engines: Used for fast encryption in networked games