On the Salsa20 Core Function

Sleem

et al. 2017

Multimed Tools Appl

The protection of multimedia content has become a key area of research, since very often a user's privacy and confidentiality can be at risk. Although a large number of image encryption algorithms have recently emerged, only a subset of these algorithms are suitable for real applications. These algorithms however use non-integer operations such as chaotic solutions that introduce a sizeable overhead in terms of latency and resources, in addition to floating-point hardware that is costly to implement. Designing an efficient, lightweight, and secure image encryption algorithm is still a hard challenge; yet, it is crucial to have in order to meet the demands of recent multimedia applications running on energy-limited devices. In this paper, an efficient image encryption scheme based on a dynamic structure is proposed. The structure of the proposed cipher consists of two different lightweight rounds (forward and backward chaining blocks) and a block permutation process. In addition, a key derivation function is proposed to produce a dynamic key based on a secret key and a nonce. This key, according to its configuration, can be changed for each validate time (session) or for each new input image. Then, based on this key, the cipher layers are produced, which are an integer or a binary diffusion matrix and a substitution table S-box, together with a permutation table P-box. The proposed dynamic cipher is designed to provide high robustness against contemporary powerful attacks, and permits reducing the required number of rounds for achieving the lightweight property. Experimental simulations demonstrate the efficiency and robustness levels of the proposed scheme.

Section: Related Workmentioning

confidence: 99%

A new efficient lightweight and secure image cipher scheme

Sleem

et al. 2017

Multimed Tools Appl

“…In [14], the authors exhibit 2 an invariant for Salsa core main building block, the quarterround function, that is then extended to the row-round and column-round functions. This allows them to find an input subset of size 2 32 for which the Salsa20 core behaves exactly as the transformation f (x) = 2x.…”

Section: Introductionmentioning

confidence: 99%

“…They also show a differential characteristic with probability one that proves that the Salsa20 core does not have 2nd preimage resistance. In [7], it is pointed out that none of the results in [14] has an impact on security of Salsa20 stream cipher, due to the use of fixed constants in the input. Indeed, Salsa20 is not designed to be a collision-resistant compression function [9].…”

Section: Introductionmentioning

confidence: 99%

Rotational analysis of ChaCha permutation

Barbero¹,

Bellini²,

Makarim³

2023

AMC

<p style='text-indent:20px;'>We show that the underlying permutation of ChaCha20 stream cipher does not behave as a random permutation for up to 17 rounds with respect to rotational cryptanalysis. In particular, we derive a lower and an upper bound for the rotational probability through ChaCha quarter round, we show how to extend the bound to a full round and then to the full permutation. The obtained bounds show that the probability to find what we call a parallel rotational collision is, for example, less than <inline-formula><tex-math id="M1">\begin{document}$ 2^{-505} $\end{document}</tex-math></inline-formula> for 17 rounds of ChaCha permutation, while for a random permutation of the same input size, this probability is <inline-formula><tex-math id="M2">\begin{document}$ 2^{-511} $\end{document}</tex-math></inline-formula>. We remark that our distinguisher is not an attack against the ChaCha20 stream cipher, but rather a theoretical analysis of its internal permutation from the point of view of rotational cryptanalysis. Whenever possible, our claims are supported by experiments.</p>

“…Since their publication, Salsa20 has undergone significant cryptographic analysis. There are several works that have studied the cryptanalysis of Salsa20 [5]- [15]. The first attack was proposed by Crowley [5] in 2005.…”

mentioning

confidence: 99%

“…Recently, Dey et al [13] gave a new algorithm to construct Probabilistic Neutral Bits, and further improved it up to 2 243.67 . Besides, in FSE 2008, Hernandez-Castro et al [15] pointed out some weaknesses in the Salsa20 core function that could be exploited to obtain up to 2 31 collisions for its full (20 rounds) version. They also showed another weakness in the form of a differential characteristic with probability one that proves that the Salsa20 core does not have 2 nd preimage resistance.…”

mentioning

confidence: 99%

Improved Related-Cipher Attack on Salsa20 Stream Cipher

Ding

2019

IEEE Access

The Salsa20 stream cipher was designed by Bernstein in 2005 as a candidate for eSTREAM and Salsa20/12 was accepted in the eSTREAM software portfolio in 2008. In this paper, we present an improved related-cipher attack on Salsa20. If a secret key is used in Salsa20/12 and Salsa20/8 with 2 different IVs, we can recover the 256-bit secret key with time complexity of about 2 193.58 , which improves the existing attack by a factor of 2 30.42. To the best of our knowledge, this is the best related-cipher attack on Salsa20 so far. Furthermore, we build a binary integer optimization model to search for the best related-cipher attack on Salsa20. The results show that our attack is the best related-cipher attack on Salsa20 in this model. INDEX TERMS Cryptanalasis, related-cipher attack, Salsa20, stream cipher. I. INTRODUCTION The Salsa20 stream cipher, proposed by Bernstein [1], is one of the candidates for eSTREAM [2] project. Salsa20 offers a very simple, clean, and scalable design, and supports 128-bit and 256-bit keys in a very natural way. From a security standpoint Bernstein [3] recommends a 256-bit secret key. Original Salsa has 20 rounds. But later Salsa with 8 rounds (Salsa20/8) and 12 rounds (Salsa20/12) were also proposed by Bernstein [4]. After three evaluation phases, Salsa20/12 was selected into the final portfolio of the eSTREAM Project in 2008.