Cryptology ePrint Archive: Report 2015/698

Chosen IV Cryptanalysis on Reduced Round ChaCha and Salsa

Subhamoy Maitra

Abstract: Recently, ChaCha20 (the stream cipher ChaCha with 20 rounds) is in the process of being a standard and thus it attracts serious interest in cryptanalysis. The most significant effort to analyse Salsa and ChaCha had been explained by Aumasson et al long back (FSE 2008) and further, only minor improvements could be achieved. In this paper, first we revisit the work of Aumasson et al to provide a clearer insight of the existing attack (2^{248} complexity for ChaCha7, i.e., 7 rounds) and showing certain improvements (complexity around 2^{243}) by exploiting additional Probabilistic Neutral Bits. More importantly, we describe a novel idea that explores proper choice of IVs corresponding to the keys, for which the complexity can be improved further (2^{239}). The choice of IVs corresponding to the keys is the prime observation of this work. We systematically show how a single difference propagates after one round and how the differences can be reduced with proper choices of IVs. For Salsa too (Salsa20/8, i.e., 8 rounds), we get improvement in complexity, reducing it to 2^{245.5} from 2^{247.2} reported by Aumasson et al.

Category / Keywords: secret-key cryptography /

Date: received 13 Jul 2015, last revised 14 Jul 2015

Contact author: subho at isical ac in

Available format(s): PDF | BibTeX Citation

Note: Some latex marks in the abstract are removed as per eprint Editor's suggestion. One paragraph added in contribution to explain the scenario more clearly. Acknowledgment is added too.

Version: 20150714:122626 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]