Open AccessCryptanalysis for reduced round Salsa and ChaCha: revisited
Author(s) -
Deepthi Kakumani K.C.,
Singh Kunwar
Publication year - 2019
Publication title -
iet information security
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.308
H-Index - 34
eISSN - 1751-8717
pISSN - 1751-8709
DOI - 10.1049/iet-ifs.2018.5328
Subject(s) - linear cryptanalysis , cryptanalysis , reversing , arithmetic , bit (key) , mistake , key (lock) , mathematics , differential cryptanalysis , time complexity , algorithm , computer science , theoretical computer science , cryptography , computer security , law , materials science , political science , composite material
Maitra et al . (WCC‐2015) proposed the characterisation of valid states by reversing the one round of Salsa20. When revisited, a mistake was found in the one bit change of eighth and ninth word while reversing the one round result to a valid initial state. It was mentioned in WCC‐2015 that it would be an interesting combinatorial problem to characterise all such states. Thus, nine more values were characterised, leading to valid initial states. Aumasson et al . (FSE‐2008) attacked 128‐bit key Salsa20/7 with 2 111time and ChaCha6 with 2 107time. In this study, the attack was improved on 128‐bit key Salsa20/7 with 2 107time and ChaCha6 with 2 102time. Maitra (DAM‐2016) improved the attack on 256‐bit key Salsa20/8 and ChaCha7 by choosing the proper initialisation vectors. In congruence with this, 128‐bit key Salsa20/7 was attacked with 2 104time and ChaCha6 with 2 101time. Choudhuri and Maitra (FSE 2017) developed theoretical results on the differential‐linear cryptanalysis and thus improved the biases on Salsa/ChaCha. Theoretical work had been extended with triple bits from m − 1 round to one bit m round of Salsa with the linear approximation holding the probability 1. In consideration of the linear approximation which holds the probability <1, linear approximation for three rounds from m to m + 3 for Salsa and ChaCha was exhibited.