论文信息 - Related-Cipher Attack on Salsa20

Related-Cipher Attack on Salsa20

Salsa20 was proposed by Daniel Bernstein and is one of the finalists of eSTREAM project. Related-cipher attack was introduced by Hongjun Wu in 2002 and applied to block ciphers. The related ciphers can be considered as ciphers with the same round function, but with different round numbers. There has not been any related-cipher attack applied to Salsa20 stream cipher. In this paper, we apply related-cipher attack on stream cipher Salsa20, since Salsa20 uses flexible rounds (reduced-round versions of Salsa20) and the key schedule of Salsa20 is independent of the number of rounds. If a secret key is used in Salsa20/12 and Salsa20/8 to encrypt the same message, we can recover the 256-bit secret key with computational complexity of about 2224. The result shows that related-cipher attack may be also applied to stream ciphers.

Lin Ding | Zeng-yu Shao

[1] Paul Crowley. Truncated differential cryptanalysis of five rounds of Salsa20 , 2005, IACR Cryptol. ePrint Arch..

[2] Kazuhiro Yokoyama,et al. The Block Cipher SC2000 , 2001, FSE.

[3] Juan E. Tapiador,et al. On the Salsa20 Core Function , 2008, FSE.

[4] Carlisle M. Adams,et al. The CAST-128 Encryption Algorithm , 1997, RFC.

[5] Willi Meier,et al. Non-randomness in eSTREAM Candidates Salsa20 and TSC-4 , 2006, INDOCRYPT.

[6] Daesung Kwon,et al. New Block Cipher: ARIA , 2003, ICISC.

[7] Daniel J. Bernstein. Notes on the Salsa20 key size , 2005 .

[8] Jongsung Kim,et al. Related-Cipher Attacks on Block Ciphers with Flexible Number of Rounds , 2005, WEWoRC.

[9] Lars R. Knudsen,et al. Truncated Differentials of SAFER , 1996, FSE.

[10] Vincent Rijmen,et al. The Block Cipher Square , 1997, FSE.

[11] William Millan,et al. Strengthening the Key Schedule of the AES , 2002, ACISP.

[12] Hongjun Wu,et al. Related-Cipher Attacks , 2002, ICICS.

[13] Shahram Khazaei,et al. New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba , 2008, FSE.