Paper 2015/217

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Subhamoy Maitra, Goutam Paul, and Willi Meier


In this paper, we revisit some existing techniques in Salsa20 cryptanalysis, and provide some new ideas as well. As a new result, we explain how a valid initial state can be obtained from a Salsa20 state after one round. This helps in studying the non-randomness of Salsa20 after 5 rounds. In particular, it can be seen that the 5-round bias reported by Fischer et al. (Indocrypt 2006) is a special case of our analysis. Towards improving the existing results, we revisit the idea of Probabilistic Neutral Bit (PNB) and how a proper choice of certain parameters reduce the complexity of the existing attacks. For cryptanalysis against 8-round Salsa20, we could achieve the key search complexity of $2^{247.2}$ compared to $2^{251}$ (FSE 2008) and $2^{250}$ (ICISC 2012).

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. MINOR revision.WCC 2015
Stream CipherSalsa20Salsa2012Non-RandomnessRound ReversalProbabilistic Neutral Bit (PNB)ARX Cipher.
Contact author(s)
subho @ isical ac in
2015-03-08: received
Short URL
Creative Commons Attribution


      author = {Subhamoy Maitra and Goutam Paul and Willi Meier},
      title = {Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles},
      howpublished = {Cryptology ePrint Archive, Paper 2015/217},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.