Truncated differential cryptanalysis of five rounds of Salsa20

We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters of truncated differentials and requires 2 work and 2 plaintexts. 1 Definition of Salsa20 Salsa20 [1] is a candidate in the eSTREAM project to identify new stream ciphers that might be suitable for widespread adoption. For convenience, we recap here the parameterized family of variants Salsa20-w/r, with w the word size and r the number of rounds; Salsa20 itself is Salsa20-32/20. A word is an element of Z/2wZ. We omit the precise definitions of word-oriented operations here for brevity; addition (+), XOR (⊕) and rotation (≪) are defined in the usual way, and where words are mapped to bytes, a little-endian mapping is used. We define a bijective map S on four-element column vectors of words: Sa(( y0 y1 y2 y3 ) ) = ( y1 ⊕ ((y0 + y3) ≪ a) y2 y3 y0 ) and compose it four times to build this bijective map on the same: Q = S18 ◦ S13 ◦ S9 ◦ S7 (note that the constants given in the subscripts are appropriate for w = 32; different constants might be used for a different w) and compose it with a row and column rotate to get this bijective map on matrices: Q′(m) =  m1,1 m1,2 m1,3 q1 m2,1 m2,2 m2,3 q2 m3,1 m3,2 m3,3 q3 m0,1 m0,2 m0,3 q0  ∗[email protected]. Work sponsored by LShift Ltd, www.lshift.net