Cryptology ePrint Archive: Report 2016/1034

Significantly Improved Multi-bit Differentials for Reduced Round Salsa and ChaCha

Arka Rai Choudhuri and Subhamoy Maitra

Abstract: ChaCha and Salsa are two software oriented stream ciphers that have attracted serious attention in academic as well as commercial domain. The most important cryptanalysis of reduced versions of these ciphers was presented by Aumasson et al. in FSE 2008. One part of their attack was to apply input difference(s) to investigate biases after a few rounds. So far there have been certain kind of limited exhaustive searches to obtain such biases. For the first time, in this paper, we show how to theoretically choose the combinations of the output bits to obtain significantly improved biases. The main idea here is to consider the multi-bit differentials as extension of suitable single-bit differentials with linear approximations, which is essentially a differential-linear attack. As we consider combinations of many output bits (for example 19 for Salsa and 21 for ChaCha), exhaustive search is not possible here. By this method we obtain very high biases for linear combinations of bits in Salsa after 6 rounds and in ChaCha after 5 rounds. These are clearly two rounds of improvement for both the ciphers over the existing works. Using these biases we obtain several significantly improved cryptanalytic results for reduced round Salsa and ChaCha that could not be obtained earlier. In fact, with our results it is now possible to cryptanalyse 6-round Salsa and 5-round ChaCha in practical time.

Category / Keywords: secret-key cryptography / Stream Cipher, ChaCha, Salsa, Non-Randomness, Bias, Probabilistic Neutral Bit (PNB), ARX Cipher, Differential-Linear Cryptanalysis

Original Publication (in the same form): IACR-FSE-2017

Date: received 31 Oct 2016, last revised 24 Nov 2016

Contact author: subho at isical ac in

Available format(s): PDF | BibTeX Citation

Version: 20161124:141116 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]