A Generalized Birthday Problem
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Decrypting a Class of Stream Ciphers Using Ciphertext Only
IEEE Transactions on Computers
A new paradigm for collision-free hashing: incrementality at reduced cost
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Non-randomness in eSTREAM candidates salsa20 and TSC-4
INDOCRYPT'06 Proceedings of the 7th international conference on Cryptology in India
Slid Pairs in Salsa20 and Trivium
INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
New Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers
INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
Improved Cryptanalysis of Skein
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Linearization Framework for Collision Attacks: Application to CubeHash and MD6
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Latin dances revisited: new analytic results of Salsa20 and ChaCha
ICICS'11 Proceedings of the 13th international conference on Information and communications security
Fast and small nonlinear pseudorandom number generators for computer simulation
PPAM'11 Proceedings of the 9th international conference on Parallel Processing and Applied Mathematics - Volume Part I
UNAF: a special set of additive differences with application to the differential analysis of ARX
FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Improved key recovery attacks on reduced-round salsa20 and chacha
ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
From oblivious AES to efficient and secure database join in the multiparty setting
ACNS'13 Proceedings of the 11th international conference on Applied Cryptography and Network Security
| Hi-index | 0.00 |
The stream cipher Salsa20 was introduced by Bernstein in 2005 as a candidate in the eSTREAM project, accompanied by the reduced versions Salsa20/8 and Salsa20/12. ChaCha is a variant of Salsa20 aiming at bringing better diffusion for similar performance. Variants of Salsa20 with up to 7 rounds (instead of 20) have been broken by differential cryptanalysis, while ChaCha has not been analyzed yet. We introduce a novel method for differential cryptanalysis of Salsa20 and ChaCha, inspired by correlation attacks and related to the notion of neutral bits. This is the first application of neutral bits in stream cipher cryptanalysis. It allows us to break the 256-bit version of Salsa20/8, to bring faster attacks on the 7-round variant, and to break 6- and 7-round ChaCha. In a second part, we analyze the compression function Rumba, built as the XOR of four Salsa20 instances and returning a 512-bit output. We find collision and preimage attacks for two simplified variants, then we discuss differential attacks on the original version, and exploit a high-probability differential to reduce complexity of collision search from 2256to 279for 3-round Rumba. To prove the correctness of our approach we provide examples of collisions and near-collisions on simplified versions.