Slid Pairs in Salsa20 and Trivium
Authors
Abstract
The stream ciphers Salsa20 and Trivium are two of the finalists of the eSTREAM project which are in the final portfolio of new promising stream ciphers. In this paper we show that initialization and key-stream generation of these ciphers are slidable, i.e. one can find distinct (Key, IV) pairs that produce identical (or closely related) key-streams. There are 2 and more than 2 such pairs in Salsa20 and Trivium respectively. We write out and solve the non-linear equations which describe such related (Key, IV) pairs. This allows us to sample the space of such related pairs efficiently as well as detect such pairs in large portions of key-stream very efficiently. We show that Salsa20 does not have 256-bit security if one considers general birthday and related key distinguishing and key-recovery attacks.
Similar resources
The Salsa20 Family of Stream Ciphers
Salsa20 is a family of 256-bit stream ciphers designed in 2005 and submitted to eSTREAM, the ECRYPT Stream Cipher Project. Salsa20 has progressed to the third round of eSTREAM without any changes. The 20-round stream cipher Salsa20/20 is consistently faster than AES and is recommended by the designer for typical cryptographic applications. The reduced-round ciphers Salsa20/12 and Salsa20/8 are ...
Improving the Diffusion of the Stream Cipher Salsa20 by Employing a Chaotic Logistic Map
The stream cipher Salsa20 and its reduced versions are among the fastest stream ciphers available today. However, Salsa20/7 is broken and Salsa20/12 is not as safe as before. Therefore, Salsa20 must completely perform all of the four rounds of encryption to achieve a good diffusion in order to resist the known attacks. In this paper, a new variant of Salsa20 that uses the chaos theory and that ...
Salsa20 security
If the Salsa20 key k is a uniform random sequence of bytes, and the same nonce is never used for two different messages, then the Salsa20 encryption function is conjectured to produce ciphertexts that are indistinguishable from perfect ciphertexts, i.e., uniform random strings independent of the plaintexts. At a lower level, the random function $n \mapsto \mathrm{Salsa20}_k(n)$ from $\{0, 1, \ldots, 255\}^{16}$ to {0...
Extending the Salsa20 nonce
This paper introduces the XSalsa20 stream cipher. XSalsa20 is based upon the Salsa20 stream cipher but has a much longer nonce: 192 bits instead of 64 bits. XSalsa20 has exactly the same streaming speed as Salsa20, and its extra nonce-setup cost is slightly smaller than the cost of generating one block of Salsa20 output. This paper proves that XSalsa20 is secure if Salsa20 is secure: any succes...
Survey: Image Encryption Using Salsa20
In present times, multimedia protection is becoming increasingly jeopardized. Therefore numerous ways of protecting information are being utilized by individuals, businesses, and governments. In this paper, we survey Salsa20 as a method for protecting the distribution of digital images in an efficient and secure way. So, we performed a series of tests and some comparisons to justify Salsa20 eff...