LoupVaillant / Monocypher

An easy to use, easy to deploy crypto library
https://monocypher.org

XSalsa20 support (for compatibility) #186

Closed snej closed 4 years ago

snej commented 4 years ago

I'm aware that Monocypher includes ChaCha, which is basically an improved version of Salsa. But there are protocols using Salsa — I'm looking at Dat, and it would be nice to be able to use Monocypher to implement it.

The Wikipedia article makes it sound like the two differ only in the initial state and a few of the rounds, so I'm guessing it would be easy to copy-and-modify the ChaCha code? (Not that I feel competent to do so myself.)

LoupVaillant commented 4 years ago

Hi,

Indeed, the only difference between the two is the initial state and the rounds (all of them, not just a few).

I believe your best bet is to copy the Salsa20 code from TweetNaCl. The tarball comes with a copy. It wasn't written for speed, but I've found that with -O3 it's pretty fast. If you need faster code, I suggest you take it from Libsodium or SUPERCOP. If you stick to portable C, Monocypher should have the fastest possible load/store code.

Once you've copied or implemented XSalsa20, I strongly urge you to check it against Libsodium: generate random inputs of all possible lengths, from 0 to… let's say 4096 bytes just to be safe. If Libsodium and your implementation behave the same for all those inputs, you're good. Finally, you need to check for undefined behaviour. Use Valgrind and sanitizers.

Don't worry about side channels: just do the simplest thing that works, it will naturally run in constant time. Thank DJB for making Salsa20 easy to implement safely.

Does that help? Loup.
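The rounds Loup describes above, as an added example that is not Monocypher's or TweetNaCl's code: a portable C Salsa20/20 core with a known-answer self-test built from the quarter-round vectors in section 3 of Bernstein's Salsa20 specification. The XSalsa20 layer (HSalsa20 over the first 16 nonce bytes, then Salsa20 keyed with its output and the remaining 8 bytes) and the Libsodium cross-check are assumed to be built on top of this and are not shown.

```c
#include <stdint.h>
#include <string.h>
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
/* Salsa20 quarter-round: add, rotate, xor only; no data-dependent branch or index. */
void salsa20_qr(uint32_t *y0, uint32_t *y1, uint32_t *y2, uint32_t *y3)
{
    *y1 ^= ROTL32(*y0 + *y3,  7);
    *y2 ^= ROTL32(*y1 + *y0,  9);
    *y3 ^= ROTL32(*y2 + *y1, 13);
    *y0 ^= ROTL32(*y3 + *y2, 18);
}
static uint32_t load32_le(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void store32_le(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
/* Salsa20/20 core: ten double rounds (column round, then row round) on the 4x4 word state, then feed-forward. */
void salsa20_core(uint8_t out[64], const uint8_t in[64])
{
    uint32_t x[16], z[16];
    for (int i = 0; i < 16; i++) x[i] = z[i] = load32_le(in + 4 * i);
    for (int r = 0; r < 10; r++) {
        salsa20_qr(&z[ 0], &z[ 4], &z[ 8], &z[12]); /* column round */
        salsa20_qr(&z[ 5], &z[ 9], &z[13], &z[ 1]);
        salsa20_qr(&z[10], &z[14], &z[ 2], &z[ 6]);
        salsa20_qr(&z[15], &z[ 3], &z[ 7], &z[11]);
        salsa20_qr(&z[ 0], &z[ 1], &z[ 2], &z[ 3]); /* row round */
        salsa20_qr(&z[ 5], &z[ 6], &z[ 7], &z[ 4]);
        salsa20_qr(&z[10], &z[11], &z[ 8], &z[ 9]);
        salsa20_qr(&z[15], &z[12], &z[13], &z[14]);
    }
    for (int i = 0; i < 16; i++) store32_le(out + 4 * i, x[i] + z[i]);
}
/* Known-answer self-test: quarter-round vectors from section 3 of the Salsa20 spec, plus the all-zero block (a fixed point of the core). Returns 1 on pass. */
int salsa20_selftest(void)
{
    static const uint32_t kat[4][8] = {
        {1, 0, 0, 0, 0x08008145, 0x00000080, 0x00010200, 0x20500000},
        {0, 1, 0, 0, 0x88000100, 0x00000001, 0x00000200, 0x00402000},
        {0, 0, 1, 0, 0x80040000, 0x00000000, 0x00000001, 0x00002000},
        {0, 0, 0, 1, 0x00048044, 0x00000080, 0x00010000, 0x20100001}};
    uint8_t zero[64] = {0}, out[64];
    for (int i = 0; i < 4; i++) {
        uint32_t y[4] = {kat[i][0], kat[i][1], kat[i][2], kat[i][3]};
        salsa20_qr(&y[0], &y[1], &y[2], &y[3]);
        if (memcmp(y, &kat[i][4], sizeof y) != 0) return 0;
    }
    salsa20_core(out, zero);
    return memcmp(out, zero, 64) == 0;
}
```

Running salsa20_selftest() before the Libsodium sweep catches a wrong rotation constant, a swapped row/column order or a byte-order slip on a 16-byte vector, rather than somewhere inside the 0 to 4096 length comparison.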