Abstract
In this paper, we point out some weaknesses in the Salsa20 core function that could be exploited to obtain up to 2^31 collisions for its full (20 rounds) version. We first find an invariant for its main building block, the quarterround function, that is then extended to the rowround and columnround functions. This allows us to find an input subset of size 2^32 for which the Salsa20 core behaves exactly as the transformation f(x) = 2x. An attacker can take advantage of this to construct 2^31 collisions for any number of rounds. We finally show another weakness in the form of a differential characteristic with probability one, which proves that the Salsa20 core does not have second-preimage resistance.
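The following is an added worked example, not code from the paper or from the Salsa20 project. It implements the Salsa20 core as given in Bernstein's public specification (quarterround, rowround, columnround, doubleround, feed-forward) and then checks the two properties the abstract states: an input subset of size 2^32 on which the core equals f(x) = 2x, yielding 2^31 collisions for any round count, and a probability-one differential that gives a second preimage for any input. The abstract gives the size of the subset and the existence of the characteristic but not their concrete form; the form used here (every row and column of the state reads (A, -A, A, -A) in quarterround order, and a difference of 0x80000000 in all 16 words) is this editor's reconstruction, labelled as an assumption in the code, and the functions verify it rather than assume it. The sample input and the helper names are constructed for the example.

```python
# Added example: Salsa20 core (per Bernstein's public specification) plus checks
# of the two structural weaknesses the abstract describes. The concrete form of
# the invariant subset and of the probability-one difference below are this
# editor's reconstruction, not text from the paper; the functions verify them.

MASK = 0xFFFFFFFF


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits."""
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3):
    """Salsa20 quarterround from the specification."""
    z1 = y1 ^ rotl32((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl32((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl32((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl32((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def rowround(y):
    """Apply quarterround to each row of the 4x4 state, rotated as specified."""
    z = list(y)
    z[0], z[1], z[2], z[3] = quarterround(y[0], y[1], y[2], y[3])
    z[5], z[6], z[7], z[4] = quarterround(y[5], y[6], y[7], y[4])
    z[10], z[11], z[8], z[9] = quarterround(y[10], y[11], y[8], y[9])
    z[15], z[12], z[13], z[14] = quarterround(y[15], y[12], y[13], y[14])
    return z


def columnround(x):
    """Apply quarterround to each column of the state, rotated as specified."""
    y = list(x)
    y[0], y[4], y[8], y[12] = quarterround(x[0], x[4], x[8], x[12])
    y[5], y[9], y[13], y[1] = quarterround(x[5], x[9], x[13], x[1])
    y[10], y[14], y[2], y[6] = quarterround(x[10], x[14], x[2], x[6])
    y[15], y[3], y[7], y[11] = quarterround(x[15], x[3], x[7], x[11])
    return y


def doubleround(x):
    return rowround(columnround(x))


def salsa20_core(x, rounds=20):
    """Salsa20/r core: r/2 doublerounds, then the feed-forward x + z (mod 2^32)."""
    z = list(x)
    for _ in range(rounds // 2):
        z = doubleround(z)
    return [(a + b) & MASK for a, b in zip(x, z)]


def structured_input(a):
    """One member of a 2^32-element subset on which the core is x -> 2x.
    Assumed form (editor's reconstruction): quarterround(A, -A, A, -A) returns
    its input unchanged because every addition y0+y3, z1+y0, z2+z1, z3+z2 is
    0 mod 2^32, so a state whose rows and columns all read (A, -A, A, -A) in
    quarterround order is a fixed point of doubleround; the feed-forward then
    yields x + x = 2x."""
    a &= MASK
    neg_a = (-a) & MASK
    even_row = [a, neg_a, a, neg_a]
    odd_row = [neg_a, a, neg_a, a]
    return even_row + odd_row + even_row + odd_row


def doubles_under_core(x, rounds=20):
    """True if salsa20_core(x) equals 2x word-wise (mod 2^32)."""
    return salsa20_core(x, rounds) == [(2 * w) & MASK for w in x]


def collision_pair(a):
    """Two distinct structured inputs with equal core output for any round
    count: A and A + 2^31 both map to 2A mod 2^32, giving 2^31 such pairs."""
    return structured_input(a), structured_input((a + 0x80000000) & MASK)


def second_preimage(x):
    """Assumed probability-one characteristic: flip the top bit of all 16 words.
    Adding 2^31 to both operands of every modular addition leaves the sum
    unchanged, and the XORs carry the flipped bit through unchanged, so the
    feed-forward cancels the difference for any input and any round count."""
    return [w ^ 0x80000000 for w in x]


# Constructed sample input (arbitrary words, not a specification test vector).
SAMPLE_INPUT = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]


if __name__ == "__main__":
    x1, x2 = collision_pair(0x01234567)
    print("2x on structured input:", doubles_under_core(x1))
    print("collision:", x1 != x2 and salsa20_core(x1) == salsa20_core(x2))
    y = second_preimage(SAMPLE_INPUT)
    print("second preimage:", y != SAMPLE_INPUT and
          salsa20_core(y) == salsa20_core(SAMPLE_INPUT))
```

Both checks hold for any round count, which is why the abstract says the collisions work for any number of rounds: the doubleround never leaves the structured subset, and the all-MSB difference survives every addition and XOR. Note also that under this reconstruction the 2^31 collision pairs are a special case of the second weakness, since A ⊕ 2^31 = A + 2^31 and (-A) ⊕ 2^31 = -(A + 2^31) mod 2^32, so the two members of each pair differ exactly by the all-MSB difference.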
© 2008 Springer-Verlag Berlin Heidelberg
Hernandez-Castro, J.C., Tapiador, J.M.E., Quisquater, JJ. (2008). On the Salsa20 Core Function. In: Nyberg, K. (eds) Fast Software Encryption. FSE 2008. Lecture Notes in Computer Science, vol 5086. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-71039-4_29
DOI: https://doi.org/10.1007/978-3-540-71039-4_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-71038-7
Online ISBN: 978-3-540-71039-4