Paper 2016/377

Differential Cryptanalysis of Salsa and ChaCha -- An Evaluation with a Hybrid Model

Arka Rai Choudhuri and Subhamoy Maitra


While \textsf{Salsa} and \textsf{ChaCha} are well known software oriented stream ciphers, since the work of Aumasson et al in FSE 2008 there aren't many significant results against them. The basic model of their attack was to introduce differences in the IV bits, obtain biases after a few forward rounds, as well as to look at the Probabilistic Neutral Bits (PNBs) while reverting back. In this paper we first consider the biases in the forward rounds, and estimate an upper bound on the number of rounds till such biases can be observed. For this, we propose a hybrid model (under certain assumptions), where initially the nonlinear rounds as proposed by the designer are considered, and then we employ their linearized counterpart. The effect of reverting the rounds with the idea of PNBs is also considered. Based on the assumptions and analysis, we conclude that 12 rounds of \textsf{Salsa} and \textsf{ChaCha} should be considered sufficient for 256-bit keys under the current best known attack models.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
ARX CipherStream CipherChaChaSalsaNon-RandomnessProbabilistic Neutral Bit (PNB)
Contact author(s)
arkarai choudhuri @ gmail com
2016-04-15: revised
2016-04-14: received
See all versions
Short URL
Creative Commons Attribution


      author = {Arka Rai Choudhuri and Subhamoy Maitra},
      title = {Differential Cryptanalysis of Salsa and ChaCha -- An Evaluation with a Hybrid Model},
      howpublished = {Cryptology ePrint Archive, Paper 2016/377},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.