Salsa20

Salsa20 is a stream cipher developed by Daniel J. Bernstein in 2005, with a closely related variant called ChaCha introduced in 2008. Both ciphers are based on a pseudorandom function built from add-rotate-XOR (ARX) operations: 32-bit addition, bitwise addition (XOR), and rotation. The core function maps a 256-bit key, a 64-bit nonce, and a 64-bit counter to a 512-bit block of the key stream. Because each block is computed directly from the counter, Salsa20 and ChaCha allow efficient seeking to any position in the key stream in constant time.

The internal structure of Salsa20 uses bitwise addition, 32-bit addition mod 2³², and constant-distance rotation operations on an internal state of sixteen 32-bit words arranged in a 4×4 matrix. Salsa20 performs 20 rounds of mixing on its input, with reduced-round variants Salsa20/8 and Salsa20/12 using 8 and 12 rounds, respectively. In 2008, Bernstein proposed a variant called XSalsa20 with 192-bit nonces for applications requiring longer nonces.

Salsa20 was selected as a Phase 3 design for Profile 1 (software) by the eSTREAM project, receiving the highest weighted voting score of any Profile 1 algorithm at the end of Phase 2. As of 2015, there are no published attacks on Salsa20/12 or the full Salsa20/20; the best attack known breaks 8 of the 12 or 20 rounds.


