6 years after too much crypto
Test of time passed
In 2019 I published Too much crypto and presented it at Real World Crypto 2020 in New York. I argued that symmetric algorithms burn unnecessary cycles because:
Designers rightfully set many rounds in their initial design as a security margin, but
Once an algorithm is standardized, the round count isn’t adjusted after we know it’s oversized.
The saddest case is Keccak/SHA3: submitted with 18 rounds, designers raised it to 24 rounds during the SHA3 competition after a pretty dumb 2¹⁰²⁴-complexity attack on 18 rounds. The observable universe contains only about 2²⁶⁶ atoms. As of November 2025, there are no practical attacks for more than five rounds.
I argued we could safely lower the rounds of AES, ChaCha20, Keccak/SHA-3, and BLAKE2. How did these suggestions age?
AES
I proposed 9 rounds instead of 10.
No meaningful cryptanalysis progress. The best practical attack remains stuck at 6 rounds. A 2025 paper proved that 8-round AES behaves at least close to ideally with respect to input–output differentials’ distribution.
✅ Test passed
BLAKE2
I proposed 8 rounds instead of 12 for BLAKE2b and 7 rounds instead of 10 for BLAKE2s.
And the same year we designed BLAKE3 with 7 rounds.
No meaningful cryptanalysis progress. No non-trivial practical attacks even on reduced versions. The astronomical-complexity “boomerang distinguishers” up to 7.5 rounds are unimproved since 2014.
✅ Test passed
ChaCha20
I proposed 8 rounds instead of 20, that is, ChaCha8.
Daniel J. Bernstein, the designer of ChaCha20, finds it too risky.
ChaCha6 cryptanalysis progressed: complexity dropped from 2¹²⁷ to 2⁵⁷. Doing 2⁵⁷ operations is practical; at most minutes on a small GPU cluster. But here the attacker needs 2⁵⁵ outputs, or about 2⁶¹ bytes, two exbibytes. That’s more data than every hyperscaler on Earth stores combined. The attacker also needs to control the nonces.
ChaCha7 cryptanalysis progressed: complexity dropped from 2²³⁸ to 2¹⁴⁸. The attacker needs about 2¹²⁶ known-ciphertext data blocks. GPT says “2¹²⁶ is the number of grains of sand if you crushed a million Earths into sand.” True or not, 2¹²⁶ is a shockingly high number. Anything with time or data complexity above 2¹⁰⁰ is and will likely remain impossible.
ChaCha8: still no attack published.
✅ Test passed
Keccak/SHA3
I proposed 10 rounds instead of 24. The Keccak designers had proposed KangarooTwelve with 12 rounds (now RFC 9861, with TurboSHAKE).
No meaningful cryptanalysis progress, just practical attacks on 4-round SHA3-384. The best practical attack breaks 5 rounds.
✅ Test passed
To conclude
IETF and NIST won’t revise the standardized round counts of AES, ChaCha20, or SHA-3. AES is already so fast on hardware that shaving one round brings no meaningful gain.
But there are places where reduced rounds make sense:
ChaCha8 delivers a 2.5× speed-up when the 20-round standard isn’t required. For example, Rust programs can integrate ChaCha8 via RustCrypto.
10-round Keccak/SHA3 yields a 2.4× speed-up and would benefit Ethereum and every blockchain relying on Keccak, especially when computed as a circuit inside ZK proof systems.
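As an added example (not code from the post or from RustCrypto), here is a small Python ChaCha with the round count as a parameter: with rounds=20 it reproduces the RFC 8439 block test vector, and the same function with rounds=8 is the ChaCha8 discussed above. The loop over double rounds is the only place the two differ, which is where the 2.5× speed-up comes from.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def quarter_round(s, a, b, c, d):
    """RFC 8439 quarter round, applied in place to state words a, b, c, d."""
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha_block(key, counter, nonce, rounds=20):
    """One 64-byte keystream block of ChaCha with a configurable round count.
    rounds must be even: each double round is one column round + one diagonal round.
    rounds=20 is RFC 8439 ChaCha20; rounds=8 is ChaCha8 (32-bit counter, 96-bit nonce)."""
    assert rounds % 2 == 0 and len(key) == 32 and len(nonce) == 12
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key
                               + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(rounds // 2):
        quarter_round(w, 0, 4, 8, 12); quarter_round(w, 1, 5, 9, 13)
        quarter_round(w, 2, 6, 10, 14); quarter_round(w, 3, 7, 11, 15)
        quarter_round(w, 0, 5, 10, 15); quarter_round(w, 1, 6, 11, 12)
        quarter_round(w, 2, 7, 8, 13); quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])

def chacha_xor(key, nonce, data, rounds=20, counter=1):
    """Encrypt/decrypt by XORing data with successive keystream blocks."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha_block(key, counter + i // 64, nonce, rounds)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

# Block test vector from RFC 8439, section 2.3.2 (key 00..1f, counter 1, nonce below).
RFC8439_KEY = bytes(range(32))
RFC8439_NONCE = bytes.fromhex("000000090000004a00000000")
RFC8439_BLOCK = bytes.fromhex(
    "10f1e7e4d13b5915500fdd1fa32071c4c7d1f4c733c068030422aa9ac3d46c4e"
    "d2826446079faa0914c2d705d98b02a2b5129cd1de164eb9cbd083e8a2503c4e")

if __name__ == "__main__":
    assert chacha_block(RFC8439_KEY, 1, RFC8439_NONCE, 20) == RFC8439_BLOCK
    # Same key and nonce with 8 rounds: a different keystream from 2.5x fewer quarter rounds.
    print(chacha_block(RFC8439_KEY, 1, RFC8439_NONCE, 8).hex())
```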
Let’s revisit all this again in 25 years.
Featured image: Dale Cooper, from Twin Peaks.

Your paper has influenced (among other things) modern programming languages - the widely used Rust `rand` crate uses 12-round ChaCha for its PRNG, Go's math/rand/v2 uses 8-round ChaCha, and the proposal for a seeded PRNG in JS is currently planning to use either 8- or 12-round ChaCha. Threads for design of all of these specifically reference Too Much Crypto.