Significantly Improved Multi-bit Differentials for Reduced Round Salsa and ChaCha

ChaCha and Salsa are two software-oriented stream ciphers that have attracted serious attention in the academic as well as the commercial domain. The most important cryptanalysis of reduced versions of these ciphers was presented by Aumasson et al. at FSE 2008. One part of their attack was to apply input difference(s) and investigate biases after a few rounds. So far, only certain kinds of limited exhaustive searches have been used to obtain such biases. For the first time, in this paper, we show how to theoretically choose the combinations of output bits that yield significantly improved biases. The main idea is to consider multi-bit differentials as extensions of suitable single-bit differentials with linear approximations, which is essentially a differential-linear attack. As we consider combinations of many output bits (for example 19 for Salsa and 21 for ChaCha), exhaustive search is not possible here. By this method we obtain very high biases for linear combinations of bits in Salsa after 6 rounds and in ChaCha after 5 rounds. These are clearly two rounds of improvement for both ciphers over the existing works. Using these biases we obtain several significantly improved cryptanalytic results for reduced-round Salsa and ChaCha that could not be obtained earlier. In fact, with our results it is now possible to cryptanalyse 6-round Salsa and 5-round ChaCha in practical time.
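To make the notion of a bias for a single output bit, and for a linear combination (XOR) of several output bits, concrete, the following added example implements reduced-round Salsa20 and measures such biases empirically. This is illustrative code written for this page, not code from the paper or its authors; the input-difference position (IV word 7, bit 31) and the output bit positions it samples are constructed choices for demonstration, not the differentials or output-bit combinations reported in the paper. Biases are measured on the internal state after r rounds (without the final feed-forward addition), averaged over random keys and IVs, using the convention Pr[output parity = 1] = (1 + ε)/2. The estimator is general: any single-bit input difference and any set of output bits can be passed in.

```python
import random
from typing import List, Sequence, Tuple

MASK = 0xFFFFFFFF
Bit = Tuple[int, int]  # (state word index 0..15, bit position 0..31)


def rotl(x: int, n: int) -> int:
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(y0: int, y1: int, y2: int, y3: int) -> Tuple[int, int, int, int]:
    """Salsa20 quarterround as in Bernstein's specification."""
    z1 = y1 ^ rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


# Word groups processed by a columnround (odd rounds) and a rowround (even rounds).
COLUMNS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))


def salsa_rounds(state: Sequence[int], rounds: int) -> List[int]:
    """Apply `rounds` Salsa20 rounds (round 1 is a columnround) to a 16-word state.
    The feed-forward addition of the initial state is omitted on purpose: the
    biases under study are those of the internal state after r rounds."""
    x = list(state)
    for r in range(1, rounds + 1):
        for a, b, c, d in (COLUMNS if r % 2 == 1 else ROWS):
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])
    return x


SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"


def initial_state(key: Sequence[int], iv: Sequence[int]) -> List[int]:
    """Salsa20 256-bit-key state: constants on the diagonal, 8 key words,
    and the 4 IV words (nonce + block counter) in positions 6..9."""
    k, n = key, iv
    return [SIGMA[0], k[0], k[1], k[2],
            k[3], SIGMA[1], n[0], n[1],
            n[2], n[3], SIGMA[2], k[4],
            k[5], k[6], k[7], SIGMA[3]]


def parity(words: Sequence[int], mask: Sequence[Bit]) -> int:
    """XOR of the selected bits: a linear combination of output-difference bits."""
    p = 0
    for word, bit in mask:
        p ^= (words[word] >> bit) & 1
    return p


def estimate_bias(rounds: int, in_diff: Bit, out_mask: Sequence[Bit],
                  samples: int, seed: int = 0) -> float:
    """Empirical bias eps, with Pr[parity of output difference = 1] = (1 + eps)/2,
    for a single-bit input difference `in_diff` over random keys and IVs."""
    rng = random.Random(seed)
    ones = 0
    w, b = in_diff
    for _ in range(samples):
        key = [rng.getrandbits(32) for _ in range(8)]
        iv = [rng.getrandbits(32) for _ in range(4)]
        s1 = initial_state(key, iv)
        s2 = list(s1)
        s2[w] ^= 1 << b                      # apply the single-bit input difference
        x1 = salsa_rounds(s1, rounds)
        x2 = salsa_rounds(s2, rounds)
        delta = [u ^ v for u, v in zip(x1, x2)]
        ones += parity(delta, out_mask)
    return 2.0 * ones / samples - 1.0


if __name__ == "__main__":
    # Constructed, arbitrary positions for illustration only (not from the paper):
    # flip bit 31 of IV word 7, then watch two single bits and their XOR after 1 and 4 rounds.
    d = (7, 31)
    for r in (1, 4):
        print("rounds", r,
              "bias(7,31)=", estimate_bias(r, d, [(7, 31)], 2000, 1),
              "bias(11,12)=", estimate_bias(r, d, [(11, 12)], 2000, 1),
              "bias(7,31)^(11,12)=", estimate_bias(r, d, [(7, 31), (11, 12)], 2000, 1))
```

After one columnround the difference at (7,31) and (11,12) is deterministic (bias ±1 can be checked by hand through the quarterround), while after four rounds the same positions give only a small empirical bias; the point of the paper is that carefully chosen linear combinations of many such bits keep a usable bias further than any single bit does, and this harness is where such a candidate combination would be plugged in as `out_mask`.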

[1] Willi Meier, et al. Non-randomness in eSTREAM Candidates Salsa20 and TSC-4, INDOCRYPT 2006.

[2] Ali Aydin Selçuk, et al. On Probability of Success in Linear and Differential Cryptanalysis, Journal of Cryptology, 2008.

[3] Gaëtan Leurent, et al. Improved Differential-Linear Cryptanalysis of 7-Round Chaskey with Partitioning, EUROCRYPT 2016.

[4] Eli Biham, et al. Enhancing Differential-Linear Cryptanalysis, ASIACRYPT 2002.

[5] Kaisa Nyberg, et al. Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity, Designs, Codes and Cryptography, 2017.

[6] Tsukasa Ishiguro, et al. Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha, ICICS 2011.

[7] Bin Zhang, et al. Improved Key Recovery Attacks on Reduced-Round Salsa20 and ChaCha, ICISC 2012.

[8] Juan E. Tapiador, et al. On the Salsa20 Core Function, FSE 2008.

[9] Bart Preneel, et al. A Proof that the ARX Cipher Salsa20 is Secure against Differential Cryptanalysis, IACR Cryptology ePrint Archive, 2013.

[10] Gaëtan Leurent, et al. Construction of Differential Characteristics in ARX Designs: Application to Skein, CRYPTO 2013.

[11] Susan K. Langford, et al. Differential-Linear Cryptanalysis, CRYPTO 1994.

[12] Willi Meier, et al. Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles, IACR Cryptology ePrint Archive, 2015.

[13] Gaëtan Leurent, et al. Analysis of Differential Attacks in ARX Constructions, ASIACRYPT 2012.

[14] Yukiyasu Tsunoo, et al. Differential Cryptanalysis of Salsa20/8, 2007.

[15] Paul Crowley. Truncated differential cryptanalysis of five rounds of Salsa20, IACR Cryptology ePrint Archive, 2005.

[16] Subhamoy Maitra, et al. Chosen IV cryptanalysis on reduced round ChaCha and Salsa, Discrete Applied Mathematics, 2016.

[17] Bart Preneel, et al. UNAF: A Special Set of Additive Differences with Application to the Differential Analysis of ARX, FSE 2012.

[18] Mitsuru Matsui, et al. Linear Cryptanalysis Method for DES Cipher, EUROCRYPT 1994.

[19] Shahram Khazaei, et al. New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba, FSE 2008.

[20] Andrey Bogdanov, et al. On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui's Algorithm 2, FSE 2013.