Abstract
ChaCha and Salsa are two software-oriented stream ciphers that have attracted serious attention in the academic as well as the commercial domain. The most important cryptanalysis of reduced versions of these ciphers was presented by Aumasson et al. at FSE 2008. One part of their attack was to apply input difference(s) and investigate biases after a few rounds. So far only certain kinds of limited exhaustive search have been used to obtain such biases. For the first time, in this paper, we show how to theoretically choose the combinations of output bits that yield significantly improved biases. The main idea is to consider multi-bit differentials as extensions of suitable single-bit differentials with linear approximations, which is essentially a differential-linear attack. As we consider combinations of many output bits (for example 19 for Salsa and 21 for ChaCha), exhaustive search is not possible here. By this method we obtain very high biases for linear combinations of bits in Salsa after 6 rounds and in ChaCha after 5 rounds. These are clearly two rounds of improvement for both ciphers over the existing works. Using these biases we obtain several significantly improved cryptanalytic results for reduced-round Salsa and ChaCha that could not be obtained earlier. In fact, with our results it is now possible to cryptanalyse 6-round Salsa and 5-round ChaCha in practical time.
Highlights
Salsa20 [3] is a stream cipher designed by Bernstein in 2005 as a candidate for the eSTREAM competition [10]
We study the structure of these ciphers to show, for the first time, how to theoretically choose combinations of output bits that yield significantly improved biases, enabling differential-linear cryptanalysis.
Our results explain the dual-bit differentials reported by Aumasson et al. in [1], which we believe were found by exhaustive search. This is suggested by the authors in [2]: "Unlike Salsa20, our exhaustive search showed no bias in 4-round ChaCha, be it with one, two, or three target output bits." Using our theoretical results, we indicate why their exhaustive searches for ChaCha did not yield any bias of significance.
Summary
Salsa20 [3] is a stream cipher designed by Bernstein in 2005 as a candidate for the eSTREAM competition [10]. We study the structure of these ciphers to show, for the first time, how to theoretically choose combinations of output bits that yield significantly improved biases, enabling differential-linear cryptanalysis. With these theoretical results, we use a limited search over the input differences to obtain the best biases known so far. We agree that as the number of rounds increases, the number of Probabilistic Neutral Bits (PNBs) falls rapidly in the case of multi-bit differentials, so the significance of our results diminishes with the number of rounds; this is reflected in the attacks against 8-round Salsa and 7-round ChaCha, though we still obtain slightly better results than the presently known ones [17].
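The abstract and summary both describe measuring the bias of an output-bit combination after r rounds when a single input-bit difference is applied. The following script, added here as a worked example and not code from the paper or from the cipher authors, implements the reduced-round state functions of ChaCha and Salsa20 and estimates ε empirically, using the convention Pr[Δ_out = 1 | Δ_in = 1] = (1 + ε)/2. A mask of one (word, bit) pair is an ordinary single-bit differential; a mask of several pairs is the XOR of those bits, i.e. the kind of linear combination the paper's multi-bit differentials are built from. Simplifications and assumptions: the "output" is the state after r rounds without the feed-forward addition, every non-constant state word is drawn uniformly at random (so the key, counter and nonce all vary), and the particular nonce bit and round count used in the demo at the bottom are arbitrary choices for illustration, not positions or bias values taken from the paper.

```python
"""Empirical single-bit and multi-bit (linear-mask) differential biases for
reduced-round ChaCha and Salsa20.  Added example, not the paper's own code."""
import random

MASK32 = 0xFFFFFFFF
# "expand 32-byte k" constants, shared by ChaCha and Salsa20.
CONSTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def chacha_qr(a, b, c, d):
    # ChaCha quarter-round (RFC 8439, section 2.1).
    a = (a + b) & MASK32; d = rotl(d ^ a, 16)
    c = (c + d) & MASK32; b = rotl(b ^ c, 12)
    a = (a + b) & MASK32; d = rotl(d ^ a, 8)
    c = (c + d) & MASK32; b = rotl(b ^ c, 7)
    return a, b, c, d


def salsa_qr(y0, y1, y2, y3):
    # Salsa20 quarterround from Bernstein's specification.
    y1 ^= rotl((y0 + y3) & MASK32, 7)
    y2 ^= rotl((y1 + y0) & MASK32, 9)
    y3 ^= rotl((y2 + y1) & MASK32, 13)
    y0 ^= rotl((y3 + y2) & MASK32, 18)
    return y0, y1, y2, y3


# Word indices fed to the quarter-round in odd rounds (index 0) and even rounds (index 1).
CHACHA_IDX = [[(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)],     # columns
              [(0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]]     # diagonals
SALSA_IDX = [[(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)],      # columns
             [(0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]]      # rows

# (quarter-round, index table, {state position: constant}) per cipher.
CIPHERS = {
    "chacha": (chacha_qr, CHACHA_IDX, dict(zip((0, 1, 2, 3), CONSTS))),
    "salsa": (salsa_qr, SALSA_IDX, dict(zip((0, 5, 10, 15), CONSTS))),
}


def rounds(state, nrounds, qr, idx_table):
    """Apply nrounds rounds (no feed-forward) to a 16-word state; returns a new list."""
    x = list(state)
    for r in range(nrounds):
        for i, j, k, l in idx_table[r % 2]:
            x[i], x[j], x[k], x[l] = qr(x[i], x[j], x[k], x[l])
    return x


def diff_pairs(cipher, nrounds, in_diff, trials, seed=1):
    """Yield (X, X') after nrounds rounds, where X' = X with one bit flipped at
    in_diff = (word, bit) and all non-constant words of X are uniformly random."""
    qr, idx, consts = CIPHERS[cipher]
    rng = random.Random(seed)
    for _ in range(trials):
        x = [rng.getrandbits(32) for _ in range(16)]
        for pos, c in consts.items():
            x[pos] = c
        xp = list(x)
        xp[in_diff[0]] ^= 1 << in_diff[1]
        yield rounds(x, nrounds, qr, idx), rounds(xp, nrounds, qr, idx)


def dl_bias(cipher, nrounds, in_diff, out_bits, trials, seed=1):
    """epsilon for the XOR of the output bits in out_bits (list of (word, bit)):
    Pr[mask(X) ^ mask(X') = 1] = (1 + epsilon) / 2."""
    ones = 0
    for y, yp in diff_pairs(cipher, nrounds, in_diff, trials, seed):
        d = 0
        for w, b in out_bits:
            d ^= ((y[w] ^ yp[w]) >> b) & 1
        ones += d
    return 2.0 * ones / trials - 1.0


def single_bit_table(cipher, nrounds, in_diff, trials, seed=1):
    """epsilon for every one of the 512 single output bits, indexed 32*word + bit."""
    ones = [0] * 512
    for y, yp in diff_pairs(cipher, nrounds, in_diff, trials, seed):
        for w in range(16):
            d = y[w] ^ yp[w]
            for b in range(32):
                ones[32 * w + b] += (d >> b) & 1
    return [2.0 * o / trials - 1.0 for o in ones]


if __name__ == "__main__":
    # Demo: rank single output bits after 3 rounds of ChaCha for a flip of one nonce
    # bit, then XOR the two strongest bits into one mask.  Positions are arbitrary.
    table = single_bit_table("chacha", 3, (13, 13), 1 << 12)
    best = sorted(range(512), key=lambda k: -abs(table[k]))[:5]
    for k in best:
        print(f"3 rounds, out bit (word {k // 32}, bit {k % 32}): eps = {table[k]:+.3f}")
    mask = [(k // 32, k % 32) for k in best[:2]]
    print("mask", mask, "eps =", round(dl_bias("chacha", 3, (13, 13), mask, 1 << 12), 3))
```

Estimates from 2^12 samples resolve biases down to roughly ±0.03, so confirming the small multi-round biases discussed above needs far more samples than the demo uses; increase `trials` accordingly. Column independence gives a sanity check: after one round, a difference placed in a word of one column can only appear in that column's four words, so ε for any bit of another word is exactly −1.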