Cryptanalysis of Salsa and ChaCha: Revisited

  • Kakumani K. C. Deepthi
  • Kunwar Singh
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 235)


A stream cipher is one of the basic cryptographic primitives that provide confidentiality of communication over an insecure channel. The EU ECRYPT network organized a project to identify new stream ciphers suitable for widespread adoption, where the ciphers can provide higher security levels. The project identified new stream ciphers, referred to as eSTREAM. Salsa20 is one of the eSTREAM ciphers and is built on a pseudorandom function. In this paper our contribution is in two phases. The first phase has two parts. At WCC 2015, Maitra et al. [9] explained the characterization of valid states by reversing one round of Salsa20. In the first part, we revisit the Maitra et al. [9] characterization of valid states by reversing one round of Salsa20. We found that there is a mistake in the claim that a one-bit change in the \(8^{th}\) and \(9^{th}\) words in the first round will result in a valid initial state. In the second part, we take up a remark of Maitra et al. [9], who mentioned that it would be an interesting combinatorial problem to characterize all such states. We have characterized nine more values which lead to valid initial states: the combinations \((s_4,s_7)\), \((s_2,s_3)\), \((s_{13},s_{14})\), \((s_1,s_6)\), \((s_1,s_{11})\), \((s_1,s_{12})\), \((s_6,s_{11})\), \((s_6,s_{12})\) and \((s_{11}, s_{12})\) are characterized as valid states.

For the second phase: at FSE 2008, Aumasson et al. [1] attacked Salsa20/7 with a 128-bit key within \(2^{111}\) time and ChaCha6 within \(2^{107}\) time. To the best of our knowledge, there has not been any improvement on this attack since then. In this paper we attack Salsa20/7 with a 128-bit key within \(2^{107}\) time and ChaCha6 within \(2^{102}\) time. Maitra [8] improved the attack on Salsa20/8 and ChaCha7 by choosing proper IVs corresponding to the 256-bit key. Applying the same concept, we attack Salsa20/7 with a 128-bit key within time \(2^{104}\) and ChaCha7 within time \(2^{101}\).


Keywords: Stream cipher, eSTREAM, Salsa, ChaCha, Non-randomness, Quarterround, Reverseround, Valid states, Probabilistic neutral bit (PNB), ARX cipher


  1. Aumasson, J.-P., Fischer, S., Khazaei, S., Meier, W., Rechberger, C.: New features of Latin dances: analysis of Salsa, ChaCha, and Rumba. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 470–488. Springer, Heidelberg (2008)
  2. Bernstein, D.J.: Chacha, a variant of Salsa20. In: Workshop Record of SASC, vol. 8, pp. 3–5 (2008)
  3. Bernstein, D.J.: Snuffle 2005: the Salsa20 encryption function (2015)
  4. Choudhuri, A.R., Maitra, S.: Significantly improved multi-bit differentials for reduced round Salsa and Chacha. IACR Trans. Symmetric Cryptol. 2016(2), 261–287 (2017)
  5. Crowley, P.: Truncated differential cryptanalysis of five rounds of Salsa20. In: The State of the Art of Stream Ciphers SASC, vol. 2006, pp. 198–202 (2006)
  6. Dey, S., Sarkar, S.: Improved analysis for reduced round Salsa and Chacha. Discret. Appl. Math. 227, 58–69 (2017)
  7. Fischer, S., Meier, W., Berbain, C., Biasse, J.-F., Robshaw, M.J.B.: Non-randomness in eSTREAM candidates Salsa20 and TSC-4. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 2–16. Springer, Heidelberg (2006)
  8. Maitra, S.: Chosen IV cryptanalysis on reduced round Chacha and Salsa. Discret. Appl. Math. 208, 88–97 (2016)
  9. Maitra, S., Paul, G., Meier, W.: Salsa20 cryptanalysis: new moves and revisiting old styles. In: 9th International Workshop on Coding and Cryptography, WCC 2015 (2015)
  10. Mouha, N., Preneel, B.: Towards finding optimal differential characteristics for ARX: application to Salsa20. Technical report, Cryptology ePrint Archive, Report 2013/328 (2013)
  11. Shi, Z., Zhang, B., Feng, D., Wu, W.: Improved key recovery attacks on reduced-round Salsa20 and ChaCha. In: Kwon, T., Lee, M.-K., Kwon, D. (eds.) ICISC 2012. LNCS, vol. 7839, pp. 337–351. Springer, Heidelberg (2013)
  12. Tsunoo, Y., Saito, T., Kubo, H., Suzaki, T., Nakashima, H.: Differential cryptanalysis of Salsa20/8. In: Workshop Record of SASC, p. 12 (2007)

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  1. Computer Science and Engineering Department, National Institute of Technology, Tiruchirappalli, India
