6 years after too much crypto


In 2019 I published Too much crypto and presented it at Real World Crypto 2020 in New York. I argued that symmetric algorithms burn unnecessary cycles because:

  1. Designers rightfully set many rounds in their initial design as a security margin, but

  2. Once an algorithm is standardized, the round count isn’t adjusted after we know it’s oversized.

The saddest case is Keccak/SHA3: it was submitted with 18 rounds, and its designers raised it to 24 rounds during the SHA3 competition after a pretty dumb 2¹⁰²⁴-complexity attack on 18 rounds. The observable universe contains only about 2²⁶⁶ atoms. As of November 2025, there are no practical attacks for more than five rounds.

I argued we could safely lower the rounds of AES, ChaCha20, Keccak/SHA-3, and BLAKE2. How did these suggestions age?

For AES, I proposed 9 rounds instead of 10.

No meaningful cryptanalysis progress. The best practical attack remains stuck at 6 rounds. A 2025 paper proved that 8-round AES behaves at least close to ideally with respect to the distribution of input–output differentials.

✅ Test passed

For BLAKE2, I proposed 8 rounds instead of 12 for BLAKE2b and 7 rounds instead of 10 for BLAKE2s.

And the same year we designed BLAKE3 with 7 rounds.

No meaningful cryptanalysis progress. No non-trivial practical attacks even on reduced versions. The astronomical-complexity “boomerang distinguishers” up to 7.5 rounds are unimproved since 2014.

✅ Test passed

For ChaCha20, I proposed 8 rounds instead of 20, that is, ChaCha8.

Daniel J. Bernstein, the designer of ChaCha20, finds it too risky.

ChaCha6 cryptanalysis progressed: complexity dropped from 2¹²⁷ to 2⁵⁷. Doing 2⁵⁷ operations is practical: at most minutes on a small GPU cluster. But here the attacker needs 2⁵⁵ outputs, or about 2⁶¹ bytes, two exbibytes. That’s more data than every hyperscaler on Earth stores combined. The attacker also needs to control the nonces.

ChaCha7 cryptanalysis progressed: complexity dropped from 2²³⁸ to 2¹⁴⁸. The attacker needs about 2¹²⁶ known-ciphertext data blocks. GPT says “2¹²⁶ is the number of grains of sand if you crushed a million Earths into sand.” True or not, 2¹²⁶ is a shockingly high number. Anything with time or data complexity above 2¹⁰⁰ is and will likely remain impossible.

ChaCha8: still no attack published.

✅ Test passed

For Keccak/SHA3, I proposed 10 rounds instead of 24. The Keccak designers had proposed KangarooTwelve with 12 rounds (now RFC 9861, with TurboSHAKE).

No meaningful cryptanalysis progress, just practical attacks on 4-round SHA3-384. The best practical attack breaks 5 rounds.

✅ Test passed

IETF and NIST won’t revise the standardized round counts of AES, ChaCha20, or SHA-3. AES is already so fast on hardware that shaving one round brings no meaningful gain.

But there are places where reduced rounds make sense:

  • ChaCha8 delivers a 2.5× speed-up when the 20-round standard isn’t required. For example, Rust programs can integrate ChaCha8 via RustCrypto.

  • 10-round Keccak/SHA3 yields a 2.4× speed-up and would benefit Ethereum and every blockchain relying on Keccak, especially when computed as a circuit inside ZK proof systems.

Let’s revisit all this again in 25 years.

Featured image: Dale Cooper, from Twin Peaks.