Cryptanalysis for reduced round Salsa and ChaCha: revisited

Abstract

Maitra et al. (WCC-2015) proposed the characterisation of valid states by reversing the one round of Salsa20. When revisited, a mistake was found in the one bit change of eighth and ninth word while reversing the one round result to a valid initial state. It was mentioned in WCC-2015 that it would be an interesting combinatorial problem to characterise all such states. Thus, nine more values were characterised, leading to valid initial states. Aumasson et al. (FSE-2008) attacked 128-bit key Salsa20/7 with 2 111 time and ChaCha6 with 2 107 time. In this study, the attack was improved on 128-bit key Salsa20/7 with 2 107 time and ChaCha6 with 2 102 time. Maitra (DAM-2016) improved the attack on 256-bit key Salsa20/8 and ChaCha7 by choosing the proper initialisation vectors. In congruence with this, 128-bit key Salsa20/7 was attacked with 2 104 time and ChaCha6 with 2 101 time. Choudhuri and Maitra (FSE 2017) developed theoretical results on the differential-linear cryptanalysis and thus improved the biases on Salsa/ChaCha. Theoretical work had been extended with triple bits from m - 1 round to one bit m round of Salsa with the linear approximation holding the probability 1. In consideration of the linear approximation which holds the probability <;1, linear approximation for three rounds from m to m + 3 for Salsa and ChaCha was exhibited.