Significantly Improved Multi-bit Differentials for Reduced Round Salsa and ChaCha

Abstract: ChaCha and Salsa are two software oriented stream ciphers that have attracted serious attention in academic as well as commercial domain. The most important cryptanalysis of reduced versions of these ciphers was presented by Aumasson et al. in FSE 2008. One part of their attack was to apply input difference(s) to investigate biases after a few rounds. So far there have been certain kind of limited exhaustive searches to obtain such biases. For the first time, in this paper, we show how to theoretically choose … Show more

“…[13] is 0.3310 [12] Pr Δs 9 (5) [0] ⊕ Δs 13 (5) [0] ⊕ Δs 1 (5) [13] = 0 Δs 7 (0) = 2 17 , Δs 8 (0) = 2 23 = 1 2 (1 + 0.3310)…”

“…The combination of these two parts is the differential-linear analysis. The differentiallinear bias is as follows [12,16]:…”

“…Maitra et al [10] have demonstrated the one bit change in eighth and ninth word while reversing the one round results to a valid initial state as follows: Maitra [11] has improved the attack on reduced Salsa20/8 and ChaCha7 by choosing a proper IVs with 256-bit key. Choudhuri and Maitra [12] have developed the theoretical results on differential-linear cryptanalysis of Salsa/ChaCha and thus have improved the biases on Salsa/ChaCha. Sabyasachi and Santanu Sarkar [13] have developed new algorithm to construct PNB, by which the attacks on Salsa and ChaCha have been improved around 2.27 and 5.39 times faster than the existing results [12].…”

“…Choudhuri and Maitra [12] have developed the theoretical results on differential-linear cryptanalysis of Salsa/ChaCha and thus have improved the biases on Salsa/ChaCha. Sabyasachi and Santanu Sarkar [13] have developed new algorithm to construct PNB, by which the attacks on Salsa and ChaCha have been improved around 2.27 and 5.39 times faster than the existing results [12].…”

“…Choudhuri and Maitra [12] have developed the theoretical results on the differential-linear cryptanalysis of Salsa/ChaCha and thus have improved the biases on Salsa/ChaCha. In this paper, theoretical work has been extended with triple bits from m − 1 round to the one bit m round of Salsa with the linear approximation holding the probability 1.…”

Cryptanalysis for reduced round Salsa and ChaCha: revisited

“…[13] is 0.3310 [12] Pr Δs 9 (5) [0] ⊕ Δs 13 (5) [0] ⊕ Δs 1 (5) [13] = 0 Δs 7 (0) = 2 17 , Δs 8 (0) = 2 23 = 1 2 (1 + 0.3310)…”

“…The combination of these two parts is the differential-linear analysis. The differentiallinear bias is as follows [12,16]:…”

“…Maitra et al [10] have demonstrated the one bit change in eighth and ninth word while reversing the one round results to a valid initial state as follows: Maitra [11] has improved the attack on reduced Salsa20/8 and ChaCha7 by choosing a proper IVs with 256-bit key. Choudhuri and Maitra [12] have developed the theoretical results on differential-linear cryptanalysis of Salsa/ChaCha and thus have improved the biases on Salsa/ChaCha. Sabyasachi and Santanu Sarkar [13] have developed new algorithm to construct PNB, by which the attacks on Salsa and ChaCha have been improved around 2.27 and 5.39 times faster than the existing results [12].…”

“…Choudhuri and Maitra [12] have developed the theoretical results on differential-linear cryptanalysis of Salsa/ChaCha and thus have improved the biases on Salsa/ChaCha. Sabyasachi and Santanu Sarkar [13] have developed new algorithm to construct PNB, by which the attacks on Salsa and ChaCha have been improved around 2.27 and 5.39 times faster than the existing results [12].…”

“…Choudhuri and Maitra [12] have developed the theoretical results on the differential-linear cryptanalysis of Salsa/ChaCha and thus have improved the biases on Salsa/ChaCha. In this paper, theoretical work has been extended with triple bits from m − 1 round to the one bit m round of Salsa with the linear approximation holding the probability 1.…”

Cryptanalysis for reduced round Salsa and ChaCha: revisited

Catalog and Illustrative Examples of Lightweight Cryptographic Primitives

Improved Linear Approximations to ARX Ciphers and Attacks Against ChaCha