Cryptology ePrint Archive: Report 2016/377

Differential Cryptanalysis of Salsa and ChaCha -- An Evaluation with a Hybrid Model

Arka Rai Choudhuri and Subhamoy Maitra

Abstract: While Salsa and ChaCha are well known software oriented stream ciphers, since the work of Aumasson et al. in FSE 2008 there aren't many significant results against them. The basic model of their attack was to introduce differences in the IV bits, obtain biases after a few forward rounds, as well as to look at the Probabilistic Neutral Bits (PNBs) while reverting back. In this paper we first consider the biases in the forward rounds, and estimate an upper bound on the number of rounds till such biases can be observed. For this, we propose a hybrid model (under certain assumptions), where initially the nonlinear rounds as proposed by the designer are considered, and then we employ their linearized counterpart. The effect of reverting the rounds with the idea of PNBs is also considered. Based on the assumptions and analysis, we conclude that 12 rounds of Salsa and ChaCha should be considered sufficient for 256-bit keys under the current best known attack models.

Category / Keywords: secret-key cryptography / ARX Cipher, Stream Cipher, ChaCha, Salsa, Non-Randomness, Probabilistic Neutral Bit (PNB)

Date: received 14 Apr 2016, last revised 15 Apr 2016

Contact author: arkarai choudhuri at gmail com

Version: 20160415:084502
