Salsa20/12

Salsa20/r is a software-oriented (profile 1) stream cipher proposed by Daniel J. Bernstein. The algorithm supports keys of 128 bits and 256 bits. During its operation, the key, a 64-bit nonce (unique message number), a 64-bit block counter and four 32-bit constants are used to construct the 512-bit initial state. After r iterations of the Salsa20/r round function, the updated state is added word-by-word to the initial state and the result is used as a 512-bit keystream block. Each such block is an independent function of the key, nonce and counter and, since there is no chaining between blocks, the operation of Salsa20/r resembles that of a block cipher in counter mode. Salsa20/r therefore shares the same implementation advantages, in particular the ability to generate output blocks in any order and in parallel, and to seek to an arbitrary position in the keystream. Because the block counter is 64 bits wide and each block is 64 bytes, the maximum length of the keystream produced under one key and nonce is 2^64 blocks, i.e. 2^70 bytes (2^73 bits); a nonce must never be reused under the same key.

The round transformation of Salsa20 uses a combination of three simple operations: addition modulo 2^32, fixed-distance bit rotation and XOR (what has since become known as an ARX construction). Each round applies the same "quarterround" to four 32-bit words at a time, alternately along the columns and the rows of the 4x4 word state. These operations run in constant time and map directly onto native instructions, which gives the cipher its good software performance and makes it easy to implement without data-dependent table lookups.

Within eSTREAM, three main variants of Salsa20 - depending on the number of rounds r - were proposed: Salsa20/8, Salsa20/12 and Salsa20/20. Each provides a different security vs. performance trade-off. Salsa20/20 is recommended by the designer for "encryption in typical cryptographic applications". The versions Salsa20/12 and Salsa20/8 have 12 and 8 rounds, respectively, and the designer recommends them for "users who value speed more highly than confidence". The eSTREAM committee suggested the use of Salsa20/12, as offering the best balance among the different versions, combining very good performance with a comfortable margin of security.

For more information about eSTREAM ciphers performance in software, refer to the eSTREAM testing framework page. For a more extensive comparison with many other stream ciphers on several different architectures, refer to the eBACS stream cipher software timings page maintained by D. Bernstein.

Analysis

During the years following its publication, Salsa20 has undergone significant cryptographic analysis. Although several attacks have been found on reduced-round versions of the cipher, there is no attack better than exhaustive key search on either Salsa20/12 or Salsa20/20.

At SASC 2006, Crowley presented a key-recovery attack on Salsa20/5 (article). The attack makes use of truncated differentials for three rounds and has time complexity 2^165 and data complexity 2^6. At INDOCRYPT 2006 Fischer et al. described some non-randomness properties after four rounds of Salsa20, and used this observation to construct a key-recovery attack on Salsa20/6, with time complexity 2^177 and data complexity 2^16; the authors also reported a related-key attack on Salsa20/7 with time and data complexity 2^217 and 2^24, respectively (see article).

At SASC 2007, Tsunoo et al. (article) exploited a bias after four rounds of Salsa20 to construct an attack on Salsa20/7. The time and data complexities of the attack were 2^190 and 2^11.37, respectively. At FSE 2008 Aumasson et al. improved this attack on Salsa20/7 and presented the first key-recovery attack on Salsa20/8 (article). It is a differential attack based on a technique called probabilistic neutral bits. The authors identify a bias in the output after the fourth round and use it to attack 8 rounds with time complexity 2^251 and data complexity 2^31.
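The example below is added to this page and is not the Bernstein or eSTREAM source linked under "Links"; it is a pure-Python reference implementation of Salsa20/r written from the description above. It serves two passages: the cipher description (state layout from constants, key, nonce and counter; the ARX quarterround; r rounds alternating column and row rounds; the feed-forward addition; counter-mode seeking via the block counter; the Salsa20/8, /12 and /20 variants through the `rounds` parameter) and the reduced-round analysis in this section, for which it includes a small harness that estimates the bias of an output bit given a one-bit difference in an attacker-controlled nonce or counter word, the kind of measurement the four-round biases above are built from. The specific differentials used in the cited papers are not reproduced here; the harness is generic, and the only differential whose bias is stated in the usage note is one that can be traced by hand through two rounds. Names such as `salsa20_xor` and `differential_bias` are this example's own; the ARX quarterround, word layout and constants are those of the Salsa20 specification.

```python
# Added example: pure-Python Salsa20/r reference and a differential-bias harness.
# Not the eSTREAM or Bernstein code linked from this page. Python 3, standard library only.
import os
import struct

MASK = 0xFFFFFFFF


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3):
    # The ARX core: add mod 2^32, rotate by a fixed distance, XOR.
    z1 = y1 ^ rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def rowround(y):
    z = list(y)
    z[0], z[1], z[2], z[3] = quarterround(y[0], y[1], y[2], y[3])
    z[5], z[6], z[7], z[4] = quarterround(y[5], y[6], y[7], y[4])
    z[10], z[11], z[8], z[9] = quarterround(y[10], y[11], y[8], y[9])
    z[15], z[12], z[13], z[14] = quarterround(y[15], y[12], y[13], y[14])
    return z


def columnround(x):
    y = list(x)
    y[0], y[4], y[8], y[12] = quarterround(x[0], x[4], x[8], x[12])
    y[5], y[9], y[13], y[1] = quarterround(x[5], x[9], x[13], x[1])
    y[10], y[14], y[2], y[6] = quarterround(x[10], x[14], x[2], x[6])
    y[15], y[3], y[7], y[11] = quarterround(x[15], x[3], x[7], x[11])
    return y


def salsa20_core(words, rounds=20):
    """Salsa20/r on sixteen 32-bit words: r rounds (column, row, column, ...), then feed-forward."""
    z = list(words)
    for i in range(rounds):
        z = columnround(z) if i % 2 == 0 else rowround(z)
    return [(a + b) & MASK for a, b in zip(words, z)]


SIGMA = b"expand 32-byte k"  # constants for 256-bit keys
TAU = b"expand 16-byte k"    # constants for 128-bit keys


def initial_state(key, nonce, counter):
    """Lay out constants (words 0,5,10,15), key, 64-bit nonce (6,7) and 64-bit counter (8,9)."""
    if len(key) == 32:
        c, k0, k1 = SIGMA, key[:16], key[16:]
    elif len(key) == 16:
        c, k0, k1 = TAU, key, key
    else:
        raise ValueError("key must be 16 or 32 bytes")
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    raw = c[0:4] + k0 + c[4:8] + nonce + struct.pack("<Q", counter) + c[8:12] + k1 + c[12:16]
    return list(struct.unpack("<16I", raw))


def keystream_block(key, nonce, counter, rounds=20):
    return struct.pack("<16I", *salsa20_core(initial_state(key, nonce, counter), rounds))


def salsa20_xor(key, nonce, data, rounds=20, first_block=0):
    """Encrypt or decrypt. first_block starts mid-stream: blocks are independent (counter mode)."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = keystream_block(key, nonce, first_block + off // 64, rounds)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], block))
    return bytes(out)


def differential_bias(rounds, in_word, in_bit, out_word, out_bit, samples=2000):
    """Estimate eps with Pr[output bit differs | input bit flipped] = (1 + eps) / 2.

    The difference is injected into a nonce/counter word (6..9), the part of the state an
    attacker controls in the reduced-round attacks; key and nonce are fresh random per sample."""
    if not 6 <= in_word <= 9:
        raise ValueError("input difference must be in a nonce or counter word")
    hits = 0
    for _ in range(samples):
        counter = int.from_bytes(os.urandom(8), "little")
        state = initial_state(os.urandom(32), os.urandom(8), counter)
        other = list(state)
        other[in_word] ^= 1 << in_bit
        a = (salsa20_core(state, rounds)[out_word] >> out_bit) & 1
        b = (salsa20_core(other, rounds)[out_word] >> out_bit) & 1
        hits += a ^ b
    return 2 * hits / samples - 1
```

Two checks worth running: `quarterround(1, 0, 0, 0)` should give `(0x08008145, 0x80, 0x10200, 0x20500000)`, the vector from the Salsa20 specification, and `salsa20_core([0] * 16)` is all zeros. For the harness, a difference in word 7 bit 31 (the high nonce word) propagates after two rounds (one column round, one row round) to word 4 bit 12 with certainty, because a most-significant-bit difference survives modular addition unchanged and the rotation by 13 moves it to bit 12: `differential_bias(2, 7, 31, 4, 12)` returns 1.0, while the same query at 20 rounds hovers around 0 within sampling noise (about 1/sqrt(samples)). The four-round biases cited above are found by scanning output words and bits the same way, with far more samples.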

Miscellaneous

The designer of Salsa20 has more recently proposed a version of the algorithm (called XSalsa20 - article) supporting 192-bit nonces. XSalsa20 has the same security level and speed as Salsa20, but is more suitable for applications that need longer nonces, for example where nonces are chosen at random and a 64-bit nonce would leave an uncomfortable collision probability. A family of stream ciphers called ChaCha (article), also proposed by Bernstein in 2008, is a variant of Salsa20, aiming to improve the diffusion within a single round of Salsa20 "while preserving - and often improving - [the] time per round". The design of the hash function BLAKE, one of the SHA-3 finalists, is based on the stream cipher ChaCha.

The designer states that Salsa20 is free for any use (see statement).

Links

  • Salsa20 - Design, Specification, Security and Speed: zip
  • C source: zip
  • API-compliant C code: link
  • Salsa20 original eSTREAM process page
  • Software Performance: link
  • Software Implementation: link
Last updated in March 2012. The webmaster can be contacted by email at estream@ecrypt.eu.org