ChaCha20 is a modern, fast stream cipher used to encrypt data. A stream cipher encrypts data in the form of individual bits or bytes and is particularly well-suited for encrypting data streams, such as in networks or for large amounts of data.
Like every stream cipher, ChaCha20 generates a keystream (a sequence of pseudo-random bits) from the key and the nonce. This keystream is XORed with the plaintext to produce the ciphertext. The same procedure is also used for decryption: the keystream is XORed again with the ciphertext to recover the plaintext. ChaCha20 is used alongside AES in TLS 1.3 and is also applied in various open-source projects (e.g., KeePass).
Summary
The first step is to construct an initial matrix consisting of four constants (red), the key (green), a counter (light green), and the nonce (gray). In this example, the UTF-8 string 12345678123456781234567812345678 was used as the key. The counter was set to 0, and only zero bytes were used as the nonce.
In principle, ChaCha20 allows the use of either an 8-byte or a 12-byte nonce. Accordingly, index 13 of the matrix is either filled or left as zeros.
Note: When setting up the initial matrix, Little Endian must be considered. This means that both the key material and the nonce are inserted in Little Endian format, which reverses the byte order. The illustration shows how the respective bytes are rearranged to form new words.
At the heart of ChaCha20 are two operations: the Rotate operation and the QuarterRound operation.
The Rotate operation performs a left shift by n positions (here, 3) and appends the shifted bits on the right-hand side. In this example, three bits (011) are cut off on the left side and reinserted on the right side of the lower word.
The QuarterRound operation consists of several additions as well as XOR and Rotate operations. It is executed with four arguments, which correspond to specific indices in the matrix (in the first round: the initial matrix).
The QuarterRound operation shown here involves two rounds: depending on whether the round number is even or odd, the Rotate operations are executed with arguments 16 and 12, or 8 and 7.
The QuarterRound operation is executed eight times in succession with different indices, causing the key material and nonces to diffuse throughout the matrix. Applied to the initial matrix, this produces rounds 1 and 2 of the encryption algorithm.
After performing this double-round ten times, with the result of each step serving as the input to the next, we obtain a result that is then added to the original matrix. After one final Little Endian transformation, we obtain the keystream, which can then be XORed with the plaintext.
Implementation in Excel
ChaCha20 was implemented in Excel to make the individual processing steps easier to follow. In this implementation, only the first 64 bytes of the keystream are generated. In principle, the method can be extended to plaintexts of arbitrary length. In that case, it must be taken into account that for every additional 64 bytes, the counter in the matrix must be incremented.
You can download the Microsoft Excel file. No macros were used; however, since it relies on Lambda functions, it will only run under Office 365 or Excel 2024.
SHA256: CE8E4112E2F11F463CC061A14DB5A6FA206718DEF9D179F618C7AB2C98A3AC6B