Paper 2024/1363

Improved Key Recovery Attacks on Reduced-Round Salsa20

Sabyasachi Dey
Gregor Leander
Nitin Kumar Sharma
Abstract

In this paper, we present an improved attack on the stream cipher Salsa20. Our improvements are based on two technical contributions. First, we make use of a distribution of a linear combination of several random variables that are derived from different differentials and explain how to exploit this in order to improve the attack complexity. Secondly, we study and exploit how to choose the actual value for so-called probabilistic neutral bits optimally. Because of the limited influence of these key bits on the computation, in the usual attack approach, these are fixed to a constant value, often zero for simplicity. As we will show, despite the fact that their influence is limited, the constant can be chosen in significantly better ways, and intriguingly, zero is the worst choice. Using this, we propose the first-ever attack on 7.5-round of $128$-bit key version of Salsa20. Also, we provide improvements in the attack against the 8-round of $256$-bit key version of Salsa20 and the 7-round of $128$-bit key version of Salsa20.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Salsa20Differential-Linear CryptanalysisProbabilistic Neutral BitsKey recovery
Contact author(s)
sharmanitinkumar685 @ gmail com
History
2024-08-30: approved
2024-08-29: received
See all versions
Short URL
https://ia.cr/2024/1363
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1363,
      author = {Sabyasachi Dey and Gregor Leander and Nitin Kumar Sharma},
      title = {Improved Key Recovery Attacks on Reduced-Round Salsa20},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1363},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1363}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.