Slid Pairs in Salsa20 and Trivium

Deike Priemuth-Schmid and Alex Biryukov

Abstract

The stream ciphers Salsa20 and Trivium are two of the finalists of the eSTREAM project which are in the final portfolio of new promising stream ciphers. In this paper we show that initialization and key-stream generation of these ciphers is {\em slidable}, i.e. one can find distinct (Key, IV) pairs that produce identical (or closely related) key-streams. There are $2^{256}$ and more then $2^{39}$ such pairs in Salsa20 and Trivium respectively. We write out and solve the non-linear equations which describe such related (Key, IV) pairs. This allows us to sample the space of such related pairs efficiently as well as detect such pairs in large portions of key-stream very efficiently. We show that Salsa20 does not have 256-bit security if one considers general birthday and related key distinguishing and key-recovery attacks.

Available format(s)
Category
Secret-key cryptography
Publication info
Published elsewhere. Full version of the paper published on Indocrypt 2008
Keywords
Salsa20TriviumeSTREAMstream cipherscryptanalysis
Contact author(s)
deike priemuth-schmid @ uni lu
History
Short URL
https://ia.cr/2008/405

CC BY

BibTeX

@misc{cryptoeprint:2008/405,
author = {Deike Priemuth-Schmid and Alex Biryukov},
title = {Slid Pairs in Salsa20 and Trivium},
howpublished = {Cryptology ePrint Archive, Paper 2008/405},
year = {2008},
note = {\url{https://eprint.iacr.org/2008/405}},
url = {https://eprint.iacr.org/2008/405}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.