A Proof that the ARX Cipher Salsa20 is Secure against Differential Cryptanalysis

An increasing number of cryptographic primitives are built using the ARX operations: addition modulo 2n, bit rotation and XOR. Because of their very fast performance in software, ARX ciphers are becoming increasingly common. However, not a single ARX cipher has yet been proven to be secure against one of the most common attacks in symmetrickey cryptography: differential cryptanalysis. In this paper, we prove that no differential characteristic exists for 15 rounds of Salsa20 with a higher probability than 2. Thereby, we show that the full 20-round Salsa20 with a 128-bit key is secure against differential cryptanalysis, with a security margin of 5 rounds. Our proof holds both in single-key and related-key settings. Furthermore, our proof technique only involves writing out simple equations for every addition, rotation and XOR operation in the cipher, and applying an off-the-shelf SAT solver. To prove that Salsa20 is secure against differential cryptanalysis requires only about 20 hours of computation on a single CPU core.