Non-randomness in eSTREAM Candidates Salsa20 and TSC-4

Fischer, Simon; Meier, Willi; Berbain, Côme; Biasse, Jean‐François; Robshaw, Matthew J. B.

doi:10.1007/11941378_2

Cited by 41 publications

(33 citation statements)

References 7 publications

(11 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…produces the actual output keystream from the current internal states X and Y . We divide 32-bit word x k into four bytes 3 , where x k,0 is the least significant byte, and x k,3 is the most significant byte. This is similar to y k,l (0 ≤ k, l ≤ 3).…”

Section: Cipher Bodymentioning

confidence: 99%

See 1 more Smart Citation

Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4

Zhang

Wang

2007

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. TSC-4 is a T-function based stream cipher with 80-bit key, and proposed as a candidate for ECRYPT eStream project. In this paper, we introduce a differential method to analyze TSC-4. Our attack is based on the vulnerable differential characteristics in the state initialization of TSC-4, and for the chosen IV pairs, the differential probability is up to 2 −15.40 in the case of weak keys. We show that there are about 2 72 weak keys among the total 2 80 keys. To recover 8 bits of a weak key needs about 2 40.53 chosen IV pairs. After that, we can search the other 72 key bits by an exhaustive attack.

show abstract

Section: Cipher Bodymentioning

confidence: 99%

“…At Indocrypt 2006, Fischer, Meier and Berbain et al [3] presented a nonrandomness behavior of the full eight-round state initialization for TSC-4. The non-randomness can be detected in the initial state with about 1000 inputs, however, no bias in the keystream of TSC-4 resulting from this non-randomness has been detected yet.…”

Section: Introductionmentioning

confidence: 99%

Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4

Zhang

Wang

2007

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The first attack was presented by Crowley [4] which could break the 5 round version of Salsa20 within claimed 3 165 trials. Later a four round differential was exploited by Fischer et al [6] to break 6 rounds in 2 177 trials and by Tsnunoo et al [11] to break 7 rounds in about 2 190 trials. The currently best attack by Aumasson et al [1] covers 8 round version of Salsa20 with estimated complexity of 2 251 .…”

Section: Introductionmentioning

confidence: 99%

Slid Pairs in Salsa20 and Trivium

Priemuth-Schmid

Biryukov

2008

Progress in Cryptology - INDOCRYPT 2008

View full text Add to dashboard Cite

Abstract. The stream ciphers Salsa20 and Trivium are two of the finalists of the eSTREAM project which are in the final portfolio of new promising stream ciphers. In this paper we show that initialization and key-stream generation of these ciphers is slidable, i.e. one can find distinct (Key, IV) pairs that produce identical (or closely related) key-streams. There are 2 256 and more then 2 39 such pairs in Salsa20 and Trivium respectively. We write out and solve the non-linear equations which describe such related (Key, IV) pairs. This allows us to sample the space of such related pairs efficiently as well as detect such pairs in large portions of key-stream very efficiently. We show that Salsa20 does not have 256-bit security if one considers general birthday and related key distinguishing and key-recovery attacks.

show abstract

“…2006.12 [14]: Fischer, Meier, Berbain, Biasse, and Robshaw reported a 2 177 -operation attack on Salsa20/6 (and a much faster attack on Salsa20/5, clearly breaking Salsa20/5) at the Indocrypt conference in Calcutta. The attack works forwards from a small known input difference to a biased bit 4 rounds later, and works 2 rounds backwards from an output after guessing 160 relevant key bits.…”

Section: Cryptanalysismentioning

confidence: 99%

The Salsa20 Family of Stream Ciphers

Bernstein

Lecture Notes in Computer Science

327

209

View full text Add to dashboard Cite

Abstract. Salsa20 is a family of 256-bit stream ciphers designed in 2005 and submitted to eSTREAM, the ECRYPT Stream Cipher Project. Salsa20 has progressed to the third round of eSTREAM without any changes. The 20-round stream cipher Salsa20/20 is consistently faster than AES and is recommended by the designer for typical cryptographic applications. The reduced-round ciphers Salsa20/12 and Salsa20/8 are among the fastest 256-bit stream ciphers available and are recommended for applications where speed is more important than confidence. The fastest known attacks use ≈ 2 153 simple operations against Salsa20/7, ≈ 2 249 simple operations against Salsa20/8, and ≈ 2 255 simple operations against Salsa20/9, Salsa20/10, etc. In this paper, the Salsa20 designer presents Salsa20 and discusses the decisions made in the Salsa20 design.

show abstract

Non-randomness in eSTREAM Candidates Salsa20 and TSC-4

Cited by 41 publications

References 7 publications

Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4

Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4

Slid Pairs in Salsa20 and Trivium

The Salsa20 Family of Stream Ciphers

Contact Info

Product

Resources

About