Paper 2015/698

Chosen IV Cryptanalysis on Reduced Round ChaCha and Salsa

Subhamoy Maitra


Recently, ChaCha20 (the stream cipher ChaCha with 20 rounds) is in the process of being a standard and thus it attracts serious interest in cryptanalysis. The most significant effort to analyse Salsa and ChaCha had been explained by Aumasson et al long back (FSE 2008) and further, only minor improvements could be achieved. In this paper, first we revisit the work of Aumasson et al to provide a clearer insight of the existing attack (2^{248} complexity for ChaCha7, i.e., 7 rounds) and showing certain improvements (complexity around 2^{243}) by exploiting additional Probabilistic Neutral Bits. More importantly, we describe a novel idea that explores proper choice of IVs corresponding to the keys, for which the complexity can be improved further (2^{239}). The choice of IVs corresponding to the keys is the prime observation of this work. We systematically show how a single difference propagates after one round and how the differences can be reduced with proper choices of IVs. For Salsa too (Salsa20/8, i.e., 8 rounds), we get improvement in complexity, reducing it to 2^{245.5} from 2^{247.2} reported by Aumasson et al.

Note: Some latex marks in the abstract are removed as per eprint Editor's suggestion. One paragraph added in contribution to explain the scenario more clearly. Acknowledgment is added too.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Contact author(s)
subho @ isical ac in
2015-07-14: last of 2 revisions
2015-07-14: received
See all versions
Short URL
Creative Commons Attribution


      author = {Subhamoy Maitra},
      title = {Chosen IV Cryptanalysis on Reduced Round ChaCha and Salsa},
      howpublished = {Cryptology ePrint Archive, Paper 2015/698},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.