Abstract
In this paper, we point out some weaknesses in the Salsa20 core function that could be exploited to obtain up to 2^31 collisions for its full (20 rounds) version. We first find an invariant for its main building block, the quarterround function, that is then extended to the rowround and columnround functions. This allows us to find an input subset of size 2^32 for which the Salsa20 core behaves exactly as the transformation f(x) = 2x. An attacker can take advantage of this for constructing 2^31 collisions for any number of rounds. We finally show another weakness in the form of a differential characteristic with probability one that proves that the Salsa20 core does not have 2nd preimage resistance. © 2008 Springer-Verlag Berlin Heidelberg.
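An added sanity check, not code from the paper: the abstract does not spell out the invariant inputs or the differential, so this assumes states whose words alternate A and -A (mod 2^32) and a difference that flips the top bit of every word, and verifies both claims against a Salsa20 core written from Bernstein's specification. All function names are chosen here for illustration.

```python
MASK = 0xFFFFFFFF
MSB = 0x80000000

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def quarterround(y0, y1, y2, y3):
    z1 = y1 ^ rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3

# Word indices each quarterround reads and writes within the 4x4 state.
COLS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)]
ROWS = [(0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def apply_round(state, groups):
    out = list(state)
    for g in groups:
        for i, v in zip(g, quarterround(*(state[i] for i in g))):
            out[i] = v
    return out

def salsa20_core(x, rounds=20):
    z = list(x)
    for _ in range(rounds // 2):  # one doubleround = columnround, then rowround
        z = apply_round(apply_round(z, COLS), ROWS)
    return [(a + b) & MASK for a, b in zip(x, z)]

def special_input(a):
    # Assumed input family: rows alternate (A, -A, A, -A) and (-A, A, -A, A).
    neg = (-a) & MASK
    return ([a, neg, a, neg] + [neg, a, neg, a]) * 2

def flip_msb(x):
    # Assumed difference: top bit toggled in all 16 words.
    return [w ^ MSB for w in x]

def behaves_as_doubling(a, rounds=20):
    x = special_input(a)
    return salsa20_core(x, rounds) == [(2 * w) & MASK for w in x]

def msb_pair_collides(x, rounds=20):
    return salsa20_core(x, rounds) == salsa20_core(flip_msb(x), rounds)

if __name__ == "__main__":
    arbitrary = [(i * 0x9E3779B9 + 0x12345678) & MASK for i in range(16)]  # constructed
    print(behaves_as_doubling(0xDEADBEEF), msb_pair_collides(arbitrary))
```

Flipping the top bit of A maps one special input to another with the same doubled output, which is how the 2^32 inputs pair up into 2^31 collisions.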
Hernandez-Castro, J. C., Tapiador, J. M. E., & Quisquater, J. J. (2008). On the Salsa20 core function. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 5086 LNCS, pp. 462–469). https://doi.org/10.1007/978-3-540-71039-4_29