On the Salsa20 Core Function

  • Authors:
  • Julio Cesar Hernandez-Castro;Juan M. Tapiador;Jean-Jacques Quisquater

  • Affiliations:
  • Crypto Group, DICE, Universite Louvain-la-Neuve, Louvain-la-Neuve, Belgium B-1348;Computer Science Department, Carlos III University, Leganes, Madrid, Spain 28911;Crypto Group, DICE, Universite Louvain-la-Neuve, Louvain-la-Neuve, Belgium B-1348

  • Venue:
  • Fast Software Encryption
  • Year:
  • 2008

Abstract

In this paper, we point out some weaknesses in the Salsa20 core function that could be exploited to obtain up to 2^31 collisions for its full (20 rounds) version. We first find an invariant for its main building block, the quarterround function, that is then extended to the rowround and columnround functions. This allows us to find an input subset of size 2^32 for which the Salsa20 core behaves exactly as the transformation f(x) = 2x. An attacker can take advantage of this for constructing 2^31 collisions for any number of rounds. We finally show another weakness in the form of a differential characteristic with probability one that proves that the Salsa20 core does not have 2nd preimage resistance.