On the Salsa20 Core Function

  • Julio Cesar Hernandez-Castro
  • Juan M. E. Tapiador
  • Jean-Jacques Quisquater
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5086)


In this paper, we point out some weaknesses in the Salsa20 core function that could be exploited to obtain up to 231 collisions for its full (20 rounds) version. We first find an invariant for its main building block, the quarterround function, that is then extended to the rowround and columnround functions. This allows us to find an input subset of size 232 for which the Salsa20 core behaves exactly as the transformation f(x) = 2x. An attacker can take advantage of this for constructing 231 collisions for any number of rounds. We finally show another weakness in the form of a differential characteristic with probability one that proves that the Salsa20 core does not have 2 nd preimage resistance.


Salsa20 hash function cryptanalysis collision 


  1. 1.
    Bernstein, D.J.: The Salsa20 Stream Cipher. In: SKEW 2005, Symmetric Key Encryption Workshop, 2005, Workshop Record (2005),
  2. 2.
    Bernstein, D.J.: Salsa20 Specification,
  3. 3.
    Bernstein, D.J.: Salsa20/8 and Salsa20/12,
  4. 4.
    Bernstein, D.J.: Salsa20 design,
  5. 5.
    Biham, E., Granboulan, L., Nguyen, P.Q.: Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 359–367. Springer, Heidelberg (2005)Google Scholar
  6. 6.
    Crowley, P.: Truncated Differential Cryptanalysis of Five Rounds of Salsa20. In: eSTREAM, ECRYPT Stream Cipher Project, Report 2005/073Google Scholar
  7. 7.
    Finney, H.: An RC4 Cycle that Cant Happen. sci.crypt newsgroup (September 1994)Google Scholar
  8. 8.
    Fischer, S., Meier, W., Berbain, C., Biasse, J.-F., Robshaw, M.: Non-Randomness in eSTREAM Candidates Salsa20 and TSC-4. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 2–16. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Kelsey, J., Schneier, B., Wagner, D.: Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 237–251. Springer, Heidelberg (1996)Google Scholar
  10. 10.
    Robshaw, M.: The Salsa20 Hash Function is Not Collision-Free June 22 (2005)Google Scholar
  11. 11.
    Tsunoo, Y., Saito, T., Kubo, H., Suzaki, T., Nakashima, H.: Differential Cryptanalysis of Salsa20/8 (submitted, 2007-01-02),
  12. 12.
    Wagner, D.: Message from discussion “Re-rolled Salsa-20 function” in the sci.crypt newsgroup on September 26th (2005),

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Julio Cesar Hernandez-Castro
    • 1
  • Juan M. E. Tapiador
    • 2
  • Jean-Jacques Quisquater
    • 1
  1. 1.Crypto Group, DICEUniversite Louvain-la-NeuveLouvain-la-NeuveBelgium
  2. 2.Computer Science DepartmentCarlos III UniversityLeganes, MadridSpain

Personalised recommendations