## Cryptology ePrint Archive: Report 2015/217

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Subhamoy Maitra and Goutam Paul and Willi Meier

Abstract: In this paper, we revisit some existing techniques in Salsa20 cryptanalysis, and provide some new ideas as well. As a new result, we explain how a valid initial state can be obtained from a Salsa20 state after one round. This helps in studying the non-randomness of Salsa20 after 5 rounds. In particular, it can be seen that the 5-round bias reported by Fischer et al. (Indocrypt 2006) is a special case of our analysis. Towards improving the existing results, we revisit the idea of Probabilistic Neutral Bit (PNB) and how a proper choice of certain parameters reduces the complexity of the existing attacks. For cryptanalysis against 8-round Salsa20, we could achieve the key search complexity of $2^{247.2}$ compared to $2^{251}$ (FSE 2008) and $2^{250}$ (ICISC 2012).

Category / Keywords: secret-key cryptography / Stream Cipher, Salsa20, Salsa20/12, Non-Randomness, Round Reversal, Probabilistic Neutral Bit (PNB), ARX Cipher.

Original Publication (with minor differences): WCC 2015