A Proof that the ARX Cipher Salsa20 is Secure against Differential Cryptanalysis

An increasing number of cryptographic primitives are built using the ARX operations: addition modulo 2^n, bit rotation and XOR. Because of their very fast performance in software, ARX ciphers are becoming increasingly common. However, not a single ARX cipher has yet been proven to be secure against one of the most common attacks in symmetric-key cryptography: differential cryptanalysis. In this paper, we prove that no differential characteristic exists for 15 rounds of Salsa20 with a higher probability than 2^-130. Thereby, we show that the full 20-round Salsa20 with a 128-bit key is secure against differential cryptanalysis, with a security margin of 5 rounds. Our proof holds both in single-key and related-key settings. Furthermore, our proof technique only involves writing out simple equations for every addition, rotation and XOR operation in the cipher, and applying an off-the-shelf SAT solver. Proving that Salsa20 is secure against differential cryptanalysis requires only about 20 hours of computation on a single CPU core.
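The proof technique sketched above rests on one fact: in an ARX cipher, rotation and XOR move XOR differences around deterministically, so the probability of a characteristic is the product of the probabilities of its modular additions. The Python below is an added illustration, not code from the paper or from any Salsa20 implementation. It shows those ingredients at the scale of a single Salsa20 quarter-round: the quarter-round as defined in Bernstein's specification, the Lipmaa-Moriai formula for the XOR-differential probability of 32-bit addition, the weight of one constructed characteristic, and an empirical check of that characteristic. The input difference (an MSB difference in word a), the choice of addition output differences, the trial count and the seed are assumptions of the example. The paper's bound is not obtained this way; it comes from a SAT solver showing that no 15-round characteristic of weight below the bound exists, which this script does not attempt.

```python
"""
Added example (not from the paper): follow an XOR difference through one
Salsa20 quarter-round, score each modular addition with the Lipmaa-Moriai
formula, and confirm the predicted probability by sampling.
"""
import random

MASK32 = 0xFFFFFFFF

# Salsa20 quarter-round as (x, y, rotation, target): target ^= (w[x] + w[y]) <<< rotation
# on words w = [a, b, c, d]; this is Bernstein's definition.
STEPS = [(0, 3, 7, 1), (1, 0, 9, 2), (2, 1, 13, 3), (3, 2, 18, 0)]


def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def quarterround(a, b, c, d):
    """Salsa20 quarter-round on four 32-bit words."""
    w = [a, b, c, d]
    for x, y, rot, tgt in STEPS:
        w[tgt] ^= rotl((w[x] + w[y]) & MASK32, rot)
    return tuple(w)


def _eq(x, y, z):
    """Mask of bit positions where x, y and z all agree."""
    return ~(x ^ y) & ~(x ^ z) & MASK32


def xdp_add_weight(alpha, beta, gamma):
    """Lipmaa-Moriai (FSE 2001): weight w such that the XOR differential
    (alpha, beta -> gamma) through 32-bit modular addition holds with
    probability 2^-w, or None if it is impossible. Only bit positions 0..30
    cost anything: a difference in the MSB never changes a carry."""
    shifted = _eq((alpha << 1) & MASK32, (beta << 1) & MASK32, (gamma << 1) & MASK32)
    if shifted & (alpha ^ beta ^ gamma ^ (beta << 1)) & MASK32:
        return None
    return bin(~_eq(alpha, beta, gamma) & 0x7FFFFFFF).count("1")


def quarterround_characteristic(din, add_out=None):
    """Propagate input differences din = (da, db, dc, dd) through one
    quarter-round. add_out fixes the output difference of each of the four
    additions (the only probabilistic steps); by default the choice
    gamma = alpha ^ beta (no carry difference) is taken. Rotation and XOR are
    linear, so the rest of the characteristic follows. Returns (total weight,
    output differences), or (None, None) if some addition differential is
    impossible."""
    w = list(din)
    total = 0
    for k, (x, y, rot, tgt) in enumerate(STEPS):
        alpha, beta = w[x], w[y]
        gamma = alpha ^ beta if add_out is None else add_out[k]
        wt = xdp_add_weight(alpha, beta, gamma)
        if wt is None:
            return None, None
        total += wt
        w[tgt] ^= rotl(gamma, rot)
    return total, tuple(w)


def empirical_probability(din, dout, trials=1 << 16, seed=1):
    """Sampling check (constructed, not a proof): fraction of random inputs x
    for which quarterround(x ^ din) ^ quarterround(x) == dout."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        x = [rng.getrandbits(32) for _ in range(4)]
        y = [xi ^ di for xi, di in zip(x, din)]
        out = tuple(p ^ q for p, q in zip(quarterround(*x), quarterround(*y)))
        hits += out == tuple(dout)
    return hits / trials


if __name__ == "__main__":
    din = (0x80000000, 0, 0, 0)  # constructed input difference: MSB of word a
    weight, dout = quarterround_characteristic(din)
    print("characteristic weight:", weight, "-> predicted probability", 2.0 ** -weight)
    print("output differences:", [hex(v) for v in dout])
    print("empirical probability:", empirical_probability(din, dout))
```

With this input difference the first addition is free (the MSB difference passes through `a + d` with probability 1, which is why `xdp_add_weight` ignores bit 31), and the remaining three additions cost 1, 3 and 5 bits, so the characteristic has weight 9. The sampled probability lands close to 2^-9 because, inside a single quarter-round, every addition meets a fresh uniformly distributed operand and the carry conditions are genuinely independent; over many rounds the product of addition probabilities is only an estimate under the usual Markov-cipher independence assumption, which is one reason the paper bounds characteristics rather than claiming exact differential probabilities.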
