In this paper, we propose new attacks on 9-round Salsa20 and 8-round ChaCha. We constructed a distinguisher of double-bit di«erentials to improve Aumasson's single-bit di«erential cryptanalysis. We searched for correlations using a PC, and found strong correlations in 9-round Salsa20 and 8-round ChaCha. The complexities of the introduced attacks are 2 16 in 9-round Salsa20 and 2 in 8-round ChaCha, which are much less than the complexities of an exhaustive key search and existing attacks on those ciphers. The results show that an adversary can distinguish keystream bits from random bits using a few input and output pairs of an initial keys and initial vectors. This method has potential to apply to a wide range of stream ciphers; a double-bit correlation would be found in case that no single-bit correlation is found.