Significantly Improved Multi-bit Differentials for Reduced Round Salsa and ChaCha
Arka Rai Choudhuri
Johns Hopkins University
USA
Subhamoy Maitra
Indian Statistical Institute
India
FSE 2017, Tokyo
Salsa and ChaCha
ARX based stream ciphers.
Designed by Dan Bernstein.
Salsa accepted into the eStream software portfolio (2007).
ChaCha designed to address some concerns about Salsa (2008).
Motivation
Standardization process for inclusion of cipher suite based on ChaCha20-Poly1305 AEAD in TLS1.3 is almost complete.
Existing cryptanalysis treats ciphers as black-boxes.
Brute force search for multiple components in cryptanalysis.
Structure
Easy to implement.
Fast on PCs.
No security guarantees.
https://en.wikipedia.org/wiki/File:Salsa_round_function.svg
Non Randomness

$$
\begin{pmatrix}
c_0 & k_0 & k_1 & k_2 \\
k_3 & c_1 & v_0 & v_1 \\
t_0 & t_1 & c_2 & k_4 \\
k_5 & k_6 & k_7 & c_3
\end{pmatrix}
\xrightarrow{\ \text{Salsa}^r\ }
\begin{pmatrix}
x_0 & x_1 & x_2 & x_3 \\
x_4 & x_5 & x_6 & x_7 \\
x_8 & x_9 & x_{10} & x_{11} \\
x_{12} & x_{13} & x_{14} & x_{15}
\end{pmatrix}
$$

$$
\begin{pmatrix}
c_0 & k_0 & k_1 & k_2 \\
k_3 & c_1 & v'_0 & v'_1 \\
t'_0 & t'_1 & c_2 & k_4 \\
k_5 & k_6 & k_7 & c_3
\end{pmatrix}
\xrightarrow{\ \text{Salsa}^r\ }
\begin{pmatrix}
x'_0 & x'_1 & x'_2 & x'_3 \\
x'_4 & x'_5 & x'_6 & x'_7 \\
x'_8 & x'_9 & x'_{10} & x'_{11} \\
x'_{12} & x'_{13} & x'_{14} & x'_{15}
\end{pmatrix}
$$

$$
\Delta^{(0)} =
\begin{pmatrix}
0 & 0 & 0 & 0 \\
0 & 0 & ? & ? \\
? & ? & 0 & 0 \\
0 & 0 & 0 & 0
\end{pmatrix},
\qquad
\Delta^{(r)} =
\begin{pmatrix}
? & ? & ? & ? \\
? & ? & ? & ? \\
? & ? & ? & ? \\
? & ? & ? & ?
\end{pmatrix}
$$

Attack idea (for R rounds) [Aumasson et al. 08]
[Figure labels: r rounds, R-r rounds; significant key bits, non-significant key bits]
Complexity of attack increases with increase in number of significant bits.
Salsa: 4 rounds, 4 rounds
ChaCha: 3 rounds, 4 rounds
Salsa update function

$$
\begin{pmatrix}
x_0 & x_1 & x_2 & x_3 \\
x_4 & x_5 & x_6 & x_7 \\
x_8 & x_9 & x_{10} & x_{11} \\
x_{12} & x_{13} & x_{14} & x_{15}
\end{pmatrix}
$$

[Figure: the words of the state labelled a, b, c, d]
Differential-Linear Biases
[Figure: the two input states with difference $\Delta^{(0)}$, each followed by r rounds, giving the states $x_0, \dots, x_{15}$ and $x'_0, \dots, x'_{15}$ with difference $\Delta^{(r)}$; then r' rounds and a further state matrix $x_0, \dots, x_{15}$]
Given $\epsilon_d$ and $\epsilon_L$, we can find the differential-linear bias for r+r' rounds.
Linear approximation with $\epsilon_L = 1$
Let's look at the Salsa update function again
Get rid of the carry.
Move things around, from the linearity of XOR
Lets us search over 8 possible bits instead of $\binom{512}{3}$ 3-bit combinations.
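
The probability-1 linear step described above, as an added example (not code from the talk or the paper): it checks that one bit of a Salsa state equals a carry-free XOR of three bits of the next round's state, lists the 8 such bits, and confirms that the single-bit differential bias after r rounds carries over unchanged to the three-bit combination after r+1 rounds. It assumes the standard Salsa20 quarterround (rotations 7, 9, 13, 18, column rounds on odd rounds); the input difference at word 7, bit 31, the bias convention 2·Pr[difference = 0] − 1, and all function names are choices made for this illustration.

```python
import random

MASK = 0xFFFFFFFF
# Salsa20 constants ("expand 32-byte k") for the diagonal words c0..c3.
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)
# (a, b, c, d) word indices of the four quarterrounds in a column / row round.
COLUMNS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)]
ROWS = [(0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(a, b, c, d):
    """Salsa20 quarterround: words are updated in the order b, c, d, a."""
    b ^= rotl((a + d) & MASK, 7)
    c ^= rotl((b + a) & MASK, 9)
    d ^= rotl((c + b) & MASK, 13)
    a ^= rotl((d + c) & MASK, 18)
    return a, b, c, d


def apply_rounds(state, first, last):
    """Apply rounds first..last (1-based, inclusive); odd rounds are column rounds."""
    x = list(state)
    for rnd in range(first, last + 1):
        for a, b, c, d in (COLUMNS if rnd % 2 else ROWS):
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])
    return x


def candidates(next_round):
    """Eight (single bit before the round, three bits after the round) pairs.

    a' = a ^ ((d' + c') <<< 18) gives a[18] = a'[18] ^ d'[0] ^ c'[0], and
    d' = d ^ ((c' + b') <<< 13) gives d[13] = d'[13] ^ c'[0] ^ b'[0].
    Bit 0 of a sum has no carry-in, so both relations hold with probability 1.
    """
    out = []
    for a, b, c, d in (COLUMNS if next_round % 2 else ROWS):
        out.append(((a, 18), ((a, 18), (d, 0), (c, 0))))
        out.append(((d, 13), ((d, 13), (c, 0), (b, 0))))
    return out


def bit(x, pos):
    word, i = pos
    return (x[word] >> i) & 1


def xor_bits(x, positions):
    return sum(bit(x, p) for p in positions) & 1


def linear_hit_rate(i, trials=2000, seed=7):
    """How often a[18+i] == a'[18+i] ^ d'[i] ^ c'[i] over one quarterround."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a, b, c, d = (rng.getrandbits(32) for _ in range(4))
        a2, b2, c2, d2 = quarterround(a, b, c, d)
        lhs = (a >> ((18 + i) % 32)) & 1
        rhs = ((a2 >> ((18 + i) % 32)) ^ (d2 >> i) ^ (c2 >> i)) & 1
        hits += lhs == rhs
    return hits / trials


def measure(r=4, samples=2000, seed=1):
    """Bias 2*Pr[difference = 0] - 1 of each candidate bit after r rounds and of
    its three-bit extension after r+1 rounds, from the same constructed samples."""
    rng = random.Random(seed)
    cands = candidates(r + 1)
    single = [0] * len(cands)
    multi = [0] * len(cands)
    for _ in range(samples):
        x = [rng.getrandbits(32) for _ in range(16)]  # constructed key, nonce, counter
        x[0], x[5], x[10], x[15] = CONSTANTS
        y = list(x)
        y[7] ^= 1 << 31  # input difference (assumed for this illustration)
        xr, yr = apply_rounds(x, 1, r), apply_rounds(y, 1, r)
        xs, ys = apply_rounds(xr, r + 1, r + 1), apply_rounds(yr, r + 1, r + 1)
        for j, (one, three) in enumerate(cands):
            single[j] += bit(xr, one) == bit(yr, one)
            multi[j] += xor_bits(xs, three) == xor_bits(ys, three)
    return [(one, 2 * s / samples - 1, 2 * m / samples - 1)
            for (one, _), s, m in zip(cands, single, multi)]


if __name__ == "__main__":
    print("carry-free bit:", linear_hit_rate(0), " bit with carry-in:", linear_hit_rate(1))
    for (word, i), e_single, e_multi in measure():
        print(f"x{word}[{i}] after 4 rounds: {e_single:+.3f}   "
              f"3-bit XOR after 5 rounds: {e_multi:+.3f}")
```

The relation is exact only at bit 0 of each addition; one bit higher it already depends on a carry and holds for about three quarters of inputs, which is the case the later slides treat as $\epsilon_L < 1$.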
Similar idea for ChaCha, but involves more bits because of a more involved state update function.
"Unlike Salsa20, our exhaustive search showed no bias in 4-round ChaCha, be it with one, two, or three target output bits."
Salsa, 4 rounds

| Reference | $\epsilon$ |
|---|---|
| Tsunoo et al. (2007) | $2^{-5.24}$ |
| Aumasson et al. (2008) | $2^{-2.93}$ |
| Maitra, Paul, Meier (2015) | $2^{-2.35}$ |
| Maitra (2016) | $2^{-2.12}$ |
| This work | ≈ [illegible] |

Salsa, 5 rounds

| Reference | $\epsilon$ |
|---|---|
| Fischer et al. (2006) | $2^{-10.34}$ |
| Maitra, Paul, Meier (2015) | $2^{-9.05}$ |
| This work | ≈ [illegible] |

ChaCha, 3 rounds

| Reference | $\epsilon$ |
|---|---|
| Aumasson et al. (2008) | $2^{-5.26}$ |
| Maitra (2016) | $2^{-2.83}$ |
| This work | [illegible] |

ChaCha, 4 rounds

| Reference | $\epsilon$ |
|---|---|
| This work | ≈ [illegible] |

Distinguisher with complexity ≈ $2^{8}$
$2^{47}$ improvement
Distinguisher with complexity ≈ $2^{6}$
Linear approximation with $\epsilon_L < 1$
Combination of 19 bits from the subsequent round
Reference π
This work β πβππ.ππ
Reference π
This work β πβππ.ππ
Salsa
Reference π
This work β πβπ.π
Reference π
This work β πβππ.π
ChaCha
6 rounds 7 rounds
5 rounds 6 rounds
Distinguisher with complexity ≈ 2^32
2^41 improvement
Distinguisher with complexity ≈ 2^16
Distinguisher with complexity ≈ 2^116
2^20 improvement
Implications to the key recovery attack
Salsa
4 rounds 4 rounds
6 rounds
But...
Salsa
4 rounds 4 rounds
6 rounds 2 rounds
Salsa
4 rounds 4 rounds
5 rounds 3 rounds
ChaCha
4 rounds 3 rounds
2.5 rounds 4.5 rounds
Salsa, 7 rounds

| Reference | Time |
|---|---|
| Aumasson et al. (2008) | 2^151 |
| Shi et al. (2012) | 2^148 |
| This work | ππππ |

Salsa, 8 rounds

| Reference | Time |
|---|---|
| Aumasson et al. (2008) | 2^251 |
| Shi et al. (2012) | 2^250 |
| Maitra (2016) | 2^245.5 |
| This work | ππππ.π |

ChaCha, 6 rounds

| Reference | Time |
|---|---|
| Aumasson et al. (2008) | 2^139 |
| Shi et al. (2012) | 2^136 |
| This work | ππππ.π |

ChaCha, 7 rounds

| Reference | Time |
|---|---|
| Aumasson et al. (2008) | 2^248 |
| Shi et al. (2012) | 2^246.5 |
| Maitra (2016) | 2^238.9 |
| This work | ππππ.π |
Conclusion
We obtain biases in Salsa and ChaCha that had not been obtained for almost a decade, and develop a theory on how to do this.
We improve attacks on some reduced-round versions, importantly moving some to practical realms.
A different method to partition the key space could potentially improve our attacks in both complexity and rounds.
(or is this inherent to this kind of cryptanalysis?)
Thank you. Questions?
References
[C05] Paul Crowley. "Truncated differential cryptanalysis of five rounds of Salsa20". In: IACR Cryptology ePrint Archive 2005 (2005), p. 375. url: http://eprint.iacr.org/2005/375.
[FMB+06] Simon Fischer, Willi Meier, Come Berbain, Jean-Francois Biasse, and Matthew J. B. Robshaw. "Non-randomness in eSTREAM Candidates Salsa20 and TSC-4". In: Progress in Cryptology - INDOCRYPT 2006, 7th International Conference on Cryptology in India, Kolkata, India, December 11-13, 2006, Proceedings.
[TSK+07] Yukiyasu Tsunoo, Teruo Saito, Hiroyasu Kubo, Tomoyasu Suzaki, and Hiroki Nakashima. "Differential Cryptanalysis of Salsa20/8". 2007. url: http://ecrypt.eu.org/stream/papersdir/2007/010.pdf.
[AFK+08] Jean-Philippe Aumasson, Simon Fischer, Shahram Khazaei, Willi Meier, and Christian Rechberger. "New features of Latin dances: analysis of Salsa, ChaCha, and Rumba". In: Fast Software Encryption. Springer. 2008.
[SZF+12] Zhenqing Shi, Bin Zhang, Dengguo Feng, and Wenling Wu. "Improved Key Recovery Attacks on Reduced-Round Salsa20 and ChaCha". In: Information Security and Cryptology - ICISC 2012 - 15th International Conference, Seoul, Korea, November 28-30, 2012, Revised Selected Papers.
[MPM15] Subhamoy Maitra, Goutam Paul, and Willi Meier. "Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles". In: WCC 2015, the Ninth International Workshop on Coding and Cryptography, April 13-17, 2015, Paris, France.
[Mai16] Subhamoy Maitra. "Chosen IV cryptanalysis on reduced round ChaCha and Salsa". In: Discrete Applied Mathematics 208 (2016).