Paper 2008/405

Slid Pairs in Salsa20 and Trivium

Deike Priemuth-Schmid and Alex Biryukov


The stream ciphers Salsa20 and Trivium are two of the finalists of the eSTREAM project which are in the final portfolio of new promising stream ciphers. In this paper we show that initialization and key-stream generation of these ciphers is {\em slidable}, i.e. one can find distinct (Key, IV) pairs that produce identical (or closely related) key-streams. There are $2^{256}$ and more then $2^{39}$ such pairs in Salsa20 and Trivium respectively. We write out and solve the non-linear equations which describe such related (Key, IV) pairs. This allows us to sample the space of such related pairs efficiently as well as detect such pairs in large portions of key-stream very efficiently. We show that Salsa20 does not have 256-bit security if one considers general birthday and related key distinguishing and key-recovery attacks.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Full version of the paper published on Indocrypt 2008
Salsa20TriviumeSTREAMstream cipherscryptanalysis
Contact author(s)
deike priemuth-schmid @ uni lu
2008-09-24: received
Short URL
Creative Commons Attribution


      author = {Deike Priemuth-Schmid and Alex Biryukov},
      title = {Slid Pairs in Salsa20 and Trivium},
      howpublished = {Cryptology ePrint Archive, Paper 2008/405},
      year = {2008},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.