Proving the biases of Salsa and ChaCha in differential attack
- PDF / 669,437 Bytes
- 30 Pages / 439.37 x 666.142 pts Page_size
- 83 Downloads / 197 Views
Proving the biases of Salsa and ChaCha in differential attack Sabyasachi Dey1 · Santanu Sarkar2 Received: 19 June 2019 / Revised: 21 November 2019 / Accepted: 5 February 2020 © Springer Science+Business Media, LLC, part of Springer Nature 2020
Abstract Salsa and ChaCha are two of the most famous stream ciphers in recent times. Most of the attacks available so far against these two ciphers are differential attacks, where a difference is given as an input in the initial state of the cipher and in the output some correlation is investigated. This correlation works as a distinguisher. All the key recovery attacks against these ciphers are based on these observed distinguishers. However, the distinguisher in the differential attack was purely an experimental observation, and the reason for this bias was unknown so far. In this paper, we provide a full theoretical proof of both the observed distinguishers for Salsa and ChaCha. In the key recovery attack, the idea of probabilistically neutral bit also plays a vital role. Here, we also theoretically explain the reason of a particular key bit of Salsa to be probabilistically neutral. This is the first attempt to provide a theoretical justification of the idea of differential key recovery attack against these two ciphers. Keywords Salsa · ChaCha · Probabilistic neutral bits · Bias · Theoretical justification Mathematics Subject Classification 94A60
1 Introduction Salsa20 was designed by D. Bernstein in the year 2005 as a candidate for the eStream [2] project organised in Europe by EU ECRYPT. It was one of the finalists in this competition.
The first version of this work [30] was presented in the “Eleventh International Workshop on Coding and Cryptography (WCC 2019)”. This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue on Coding and Cryptography 2019”.
B
Santanu Sarkar [email protected] Sabyasachi Dey [email protected]
1
Department of Mathematics, Birla Institute of Technology and Science Pilani, Hyderabad, Jawahar Nagar, Hyderabad 500078, India
2
Department of Mathematics, Indian Institute of Technology Madras, Sardar Patel Road, Chennai 600036, India
123
S. Dey, S. Sarkar
The original version of Salsa has 20 rounds. However, the designer submitted the 12 rounds version in eStream. The first cryptanalysis against Salsa was presented by Crowley [5], who attacked it up to five rounds. Later, six rounds and seven rounds Salsa were attacked respectively by Fischer et al. [12] and Tsunoo et al. [20]. ChaCha is a variant of Salsa, designed in 2008 by Bernstein. ChaCha has a similar structure as Salsa, but uses a more complicated round function. ChaCha was begun to be adopted in Chrome in 2013 [3]. It officially became an IETF RFC for use in TLS, adopted by Google and many others, in 2016. So far, Salsa and ChaCha have been attacked only up to eight and seven rounds, respectively. The central ideas of most of the attacks are based on differential distinguisher. In this attack procedure, a d
Data Loading...
