ChaCha RNG with fewer rounds

ChaCha is a CSPRING, a cryptographically secure pseudorandom number generator. When used in cryptography, ChaCha typically carries out 20 rounds of its internal scrambling process. Google's Adiantum encryption system uses ChaCha with 12 rounds.

The runtime for ChaCha is proportional to the number of rounds, so you don't want to do more rounds than necessary if you're concerned with speed. Adiantum was developed for mobile devices and so Google wanted to reduce the number of rounds while maintaining a margin of cryptographic safety.

Cryptographer Jean-Philippe Aumasson suggests 8 rounds of ChaCha is plenty. He reports that there is a known attack on ChaCha with 6 rounds that requires on the order of 2¹¹⁶ operations, but that ChaCha with 5 rounds is definitely breakable, requiring on the order of only 2¹⁶ operations.

Three rounds of ChaCha are not enough [1], but four rounds are enough to satisfy DIEHARDER, PractRand, and TestU01 [2]. This illustrates the gap between adequate statistical quality and adequate cryptographic quality: Four rounds of ChaCha are apparently enough to produce the former but five rounds are not enough to produce the latter.

There doesn't seem to be any reason to use ChaCha with four rounds. If you don't need cryptographic security, then there are faster RNGs you could use. If you do need security, four rounds are not enough.

ChaCha with six rounds seems like a good compromise if you want an RNG that is fast enough for general use and that that also has reasonably good cryptographic quality. If you want more safety margin for cryptographic quality, you might want to go up to eight rounds.

What a difference one round makes

One thing I find interesting about random number generation and block encryption is that a single round of obfuscation can make a huge difference. ChaCha(3) fails statistical tests but ChaCha(4) is fine. ChaCha(5) is easily broken but ChaCha(6) is not.

Interesting failures

Often random number generators are either good or bad; they pass the standard test suites or they clearly fail. ChaCha(3) is interesting in that it is somewhere in between. As the results in the footnotes show, ChaCha(3) is an intermediate case. DIEHARDER hints at problems, but small crush thinks everything is fine. The full crush battery however does find problems.

The decisive failure of the Fourier tests is understandable: low-quality generators often fail spectral tests. But the results of the simple poker test are harder to understand. What is it about simulating poker that makes ChaCha(3) fail spectacularly? And in both cases, one more round of ChaCha fixes the problems.

Related posts

• ChaCha and Adiantum
• Implementing ChaCha in Python
• Random number generator testing

[1] ChaCha(3) passes passes DIEHARDER, though five of the tests passed with a "weak" pass. Passes TestU01 small crush but fails full crush:

========= Summary results of Crush ========= Version: TestU01 1.2.3 Generator: 32-bit stdin Number of statistics: 144 Total CPU time: 00:39:05.05 The following tests gave p-values outside [0.001, 0.9990]: (eps means a value 

ChaCha(3) also fails PractRand decisively.

RNG_test using PractRand version 0.94RNG = chacha(3), seed = 0x7221236ftest set = core, folding = standard (32 bit)rng=chacha(3), seed=0x7221236flength= 128 megabytes (2^27 bytes), time= 2.0 seconds Test Name Raw Processed Evaluation [Low1/32]BCFN(2+0,13-6,T) R= +31.0 p = 4.7e-11 VERY SUSPICIOUS [Low1/32]BCFN(2+1,13-6,T) R= +27.4 p = 8.3e-10 VERY SUSPICIOUS [Low1/32]BCFN(2+2,13-6,T) R= +52.7 p = 1.8e-18 FAIL ! [Low1/32]BCFN(2+3,13-6,T) R= +47.6 p = 9.5e-17 FAIL ! [Low1/32]BCFN(2+4,13-7,T) R= +26.1 p = 1.7e-8 very suspicious [Low1/32]DC6-9x1Bytes-1 R= +26.3 p = 1.3e-14 FAIL ! [Low1/32]FPF-14+6/16:all R= +8.6 p = 2.2e-7 very suspicious ...and 147 test result(s) without anomalies

[2] ChaCha(4) passed TestU01 small crush and full crush. It passed PractRand using up to 512 GB.