Paper 2024/1363
Improved Key Recovery Attacks on Reduced-Round Salsa20
Abstract
In this paper, we present an improved attack on the stream cipher Salsa20. Our improvements are based on two technical contributions. First, we make use of a distribution of a linear combination of several random variables that are derived from different differentials and explain how to exploit this in order to improve the attack complexity. Secondly, we study and exploit how to choose the actual value for so-called probabilistic neutral bits optimally. Because of the limited influence of these key bits on the computation, in the usual attack approach, these are fixed to a constant value, often zero for simplicity. As we will show, despite the fact that their influence is limited, the constant can be chosen in significantly better ways, and intriguingly, zero is the worst choice. Using this, we propose the first-ever attack on 7.5-round of $128$-bit key version of Salsa20. Also, we provide improvements in the attack against the 8-round of $256$-bit key version of Salsa20 and the 7-round of $128$-bit key version of Salsa20.
Metadata
- Available format(s)
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- Salsa20Differential-Linear CryptanalysisProbabilistic Neutral BitsKey recovery
- Contact author(s)
- sharmanitinkumar685 @ gmail com
- History
- 2024-08-30: approved
- 2024-08-29: received
- See all versions
- Short URL
- https://ia.cr/2024/1363
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2024/1363, author = {Sabyasachi Dey and Gregor Leander and Nitin Kumar Sharma}, title = {Improved Key Recovery Attacks on Reduced-Round Salsa20}, howpublished = {Cryptology {ePrint} Archive, Paper 2024/1363}, year = {2024}, url = {https://eprint.iacr.org/2024/1363} }