Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Non-randomness in eSTREAM candidates Salsa20 and TSC-4
INDOCRYPT'06 Proceedings of the 7th international conference on Cryptology in India
Impossible fault analysis of RC4 and differential fault analysis of RC4
FSE'05 Proceedings of the 12th international conference on Fast Software Encryption
In this paper, we point out some weaknesses in the Salsa20 core function that could be exploited to obtain up to 2^31 collisions for its full (20 rounds) version. We first find an invariant for its main building block, the quarterround function, that is then extended to the rowround and columnround functions. This allows us to find an input subset of size 2^32 for which the Salsa20 core behaves exactly as the transformation f(x) = 2x. An attacker can take advantage of this for constructing 2^31 collisions for any number of rounds. We finally show another weakness in the form of a differential characteristic with probability one that proves that the Salsa20 core does not have 2nd-preimage resistance.
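As an added example (not code from the paper), the word-level Salsa20 core below is used to check both results the abstract states: the f(x) = 2x behaviour on a 2^32-element input subset and a probability-one differential that gives a colliding second preimage for every input. The checkerboard A/-A input pattern and the all-words difference 2^31 are assumptions about the form of the invariant subset and the characteristic; the core itself follows Bernstein's specification.

```python
# Added example: word-level Salsa20 core plus checks for the two weaknesses
# described in the abstract (invariant subset and probability-one differential).
MASK = 0xFFFFFFFF

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def quarterround(y0, y1, y2, y3):
    z1 = y1 ^ rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3

# Word positions fed to quarterround by rowround and columnround (4x4 state, row-major).
ROWS = [(0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]
COLS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)]

def apply_round(y, groups):
    z = list(y)
    for idx in groups:
        for i, v in zip(idx, quarterround(*(y[j] for j in idx))):
            z[i] = v
    return z

def salsa20_core(x, rounds=20):
    """rounds/2 doublerounds (columnround then rowround), then the feed-forward x + z."""
    z = list(x)
    for _ in range(rounds // 2):
        z = apply_round(apply_round(z, COLS), ROWS)
    return [(a + b) & MASK for a, b in zip(x, z)]

def checkerboard_input(a):
    # Assumed invariant subset: A on cells with (row + col) even, -A (mod 2^32) elsewhere.
    # quarterround(A, -A, A, -A) = (A, -A, A, -A) because every addition sums to zero,
    # so every rowround and columnround fixes x and the feed-forward returns x + x = 2x.
    return [a if (i // 4 + i % 4) % 2 == 0 else (-a) & MASK for i in range(16)]

def behaves_as_doubling(a, rounds=20):
    x = checkerboard_input(a)
    return salsa20_core(x, rounds) == [(2 * w) & MASK for w in x]

def flip_top_bits(x):
    # Assumed characteristic: difference 2^31 in every word. Additions cancel it, XORs
    # keep it, and the final feed-forward cancels it again, so the output is unchanged.
    return [w ^ 0x80000000 for w in x]

def collides(x, rounds=20):
    return salsa20_core(x, rounds) == salsa20_core(flip_top_bits(x), rounds)
```

Pairing A with A + 2^31 maps the checkerboard subset onto itself, which is where the 2^31 collision pairs of the abstract come from; `collides` shows the same difference works for arbitrary inputs and any round count.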