You are looking at a specific version 20130602:170111 of this paper.

Paper 2013/328

A Proof that the ARX Cipher Salsa20 is Secure against Differential Cryptanalysis

Nicky Mouha and Bart Preneel

Abstract

An increasing number of cryptographic primitives are built using the ARX operations: addition modulo $2^n$, bit rotation and XOR. Because of their very fast performance in software, ARX ciphers are becoming increasingly common. However, not a single ARX cipher has yet been proven to be secure against one of the most common attacks in symmetric-key cryptography: differential cryptanalysis. In this paper, we prove that no differential characteristic exists for 15 rounds of Salsa20 with a higher probability than $2^{-130}$. Thereby, we show that the full 20-round Salsa20 with a 128-bit key is secure against differential cryptanalysis, with a security margin of 5 rounds. Our proof holds both in single-key and related-key settings. Furthermore, our proof technique only involves writing out simple equations for every addition, rotation and XOR operation in the cipher, and applying an off-the-shelf SAT solver. To prove that Salsa20 is secure against differential cryptanalysis requires only about 20 hours of computation on a single CPU core.
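Added example, not code from the paper: how XOR differences pass through the three ARX operations the abstract names, and how the probability of a characteristic is accumulated over the additions. It assumes the standard Lipmaa-Moriai formula for the XOR-differential probability of addition modulo $2^n$ and the quarter-round from the Salsa20 specification; the function names are hypothetical and the sample characteristic (`DIN`, `SUMS`) is constructed here for illustration.

```python
from fractions import Fraction

def rotl(x, r, n=32):
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)

def eq(x, y, z, mask):
    # 1-bits mark the positions where x, y and z all agree
    return (~x ^ y) & (~x ^ z) & mask

def xdp_add_weight(a, b, c, n=32):
    """Weight w such that input XOR differences (a, b) give output difference c
    through addition mod 2^n with probability 2^-w; None if impossible."""
    mask = (1 << n) - 1
    a1, b1, c1 = (a << 1) & mask, (b << 1) & mask, (c << 1) & mask
    if eq(a1, b1, c1, mask) & (a ^ b ^ c ^ b1):
        return None                      # carry condition violated
    return bin(~eq(a, b, c, mask) & (mask >> 1)).count("1")

def xdp_add_bruteforce(a, b, c, n):
    """Exact probability by trying every input pair (small n only)."""
    mask = (1 << n) - 1
    hits = sum(((((x ^ a) + (y ^ b)) ^ (x + y)) & mask) == c
               for x in range(1 << n) for y in range(1 << n))
    return Fraction(hits, 1 << (2 * n))

def quarterround_weight(din, sums, n=32):
    """din: XOR differences of the inputs (y0, y1, y2, y3).
    sums: the output difference chosen for each of the four additions.
    Rotation and XOR act on differences with probability 1, so the weight
    of the characteristic is the sum of the four addition weights."""
    y0, y1, y2, y3 = din
    total = 0
    def step(target, u, v, s, r):
        nonlocal total
        w = xdp_add_weight(u, v, s, n)
        if w is None:
            raise ValueError("impossible differential transition")
        total += w
        return target ^ rotl(s, r, n)
    z1 = step(y1, y0, y3, sums[0], 7)    # z1 = y1 ^ ((y0 + y3) <<< 7)
    z2 = step(y2, z1, y0, sums[1], 9)    # z2 = y2 ^ ((z1 + y0) <<< 9)
    z3 = step(y3, z2, z1, sums[2], 13)   # z3 = y3 ^ ((z2 + z1) <<< 13)
    z0 = step(y0, z3, z2, sums[3], 18)   # z0 = y0 ^ ((z3 + z2) <<< 18)
    return total, (z0, z1, z2, z3)

# Constructed sample: a single-bit input difference in the top bit of y0.
DIN = (0x80000000, 0, 0, 0)
SUMS = (0x80000000, 0x80000040, 0x00008140, 0x10288100)
```

`quarterround_weight(DIN, SUMS)` returns the weight of this one-quarter-round characteristic together with its output difference; a characteristic over more rounds chains such steps and adds the weights.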

Note: Updated affiliations.

Metadata
Publication info
Published elsewhere. Unknown where it was published
Keywords
Differential cryptanalysis, ARX, Salsa20, SAT solver
Contact author(s)
Nicky Mouha @ esat kuleuven be
History
2013-11-13: revised
2013-06-02: received
Short URL
https://ia.cr/2013/328
License
Creative Commons Attribution
CC BY