Recent Results On Stream Ciphers

The document summarizes recent developments in stream cipher cryptography. It discusses the basic idea of stream ciphers, pseudorandom number generators, and hardware implementations using linear feedback shift registers (LFSRs) and nonlinear functions. It also reviews previous stream ciphers like A5/1 and more recent designs like SNOW and ZUC that combine LFSRs over larger fields with finite state machines using S-boxes and registers. The document aims to provide an overview of the current state-of-the-art in stream cipher design.


Recent Results on Stream Ciphers

Subhamoy Maitra

Applied Statistics Unit, Indian Statistical Institute, Kolkata

26 August, 2020

Subhamoy Maitra Recent Results on Stream Ciphers Slide 1 of 71


Stream Cipher



Basic Idea

Parties: Alice (Sender/Receiver) and Bob (Receiver/Sender)

Procedure
Alice and Bob share a stream of random data (keystream) K_i, where i = 0, 1, ...
The plaintext stream M_i is XOR-ed with K_i to generate the cipher stream C_i. [C_i = M_i ⊕ K_i]
The cipher stream C_i is XOR-ed with K_i to generate the plaintext stream M_i. [M_i = C_i ⊕ K_i]


One Time Pad

Alice and Bob may sit at a table and toss an unbiased coin enough times to generate the keystream bits.
Once some portion of the keystream is used for encryption, it will never be used again.

Not practical!


Pseudorandom Generator

Alice and Bob share a small key.
E.g., toss the coin 128 times to generate the secret key.
Initialize some deterministic algorithm on a classical computer with this secret key.
After the initialization, the algorithm will keep on generating a random-looking bitstream, the keystream bits K_i.
The small key and K_i should have a unique one-to-one correspondence.
Key 128 bits, keystream 2048 bits: not all the keystream patterns can be generated.

A practical solution!


Cryptographic Security

Kerckhoffs' Principle: The security of a cipher should rely on the secrecy of the key only!
The attacker knows every detail of the cryptographic algorithm except the key.
Keeping the design secret in the commercial domain has no scientific justification. It may be leaked easily.
The design should be such that the designer himself cannot break the system without knowing the key. No trapdoor.
The design should be known to everybody for evaluation.
For a stream cipher the attacker will have access to a certain amount of keystream.

Obscurity is the opposite of “transparency” or “transparentness”. This never helps to achieve cryptographic security.


Basic Design Ideas



Initial Remarks

Involvement of linear and nonlinear elements together.
Efficiency on hardware and software platforms.
In the hardware domain mostly LFSRs are used as linear elements and combining functions (maybe with some amount of memory) are used as nonlinear elements.
The designs of SNOW and ZUC are advanced implementations of this strategy. [May also be used efficiently in software]


Hardware Stream Ciphers

LFSR, NFSR, Boolean functions
Keys are involved only during the KSA (key scheduling algorithm)
The PRGA (pseudorandom generation algorithm) does not involve keys
The state size must be twice the key size to protect against the generic TMDTO (time-memory-data trade-off) attack.
Total space required:
The space to store the key (might be non-volatile)
The space for LFSR, NFSR, counter (volatile)


Lightweight Stream Ciphers: New Direction

Secret key fixed with the device (where is the key stored?)
Use the secret key during the PRGA
Cost of non-volatile memory is less
Reduce the size of volatile memory


Comparisons

Cipher     Key size   IV size   State size                  Initialization rounds
Lizard     120 (80)   64        121 (90 NFSR + 31 NFSR)     256
Plantlet   80         90        101 (61 LFSR + 40 NFSR)     320
Sprout     80         70        80 (40 LFSR + 40 NFSR)      320
Grain v1   80         64        160 (80 LFSR + 80 NFSR)     160

Table: Comparison of Plantlet with its predecessors in terms of LFSR and NFSR sizes.


Present Situation

Grain v1 had some cryptanalysis very recently.
Sprout (FSE 2015) was immediately attacked.
Plantlet (based on Sprout) and Lizard were presented at FSE 2017.
We have checked that Plantlet is weaker than Sprout in terms of fault attack (IEEE TC 2017).
We have mounted a TMDTO attack on Lizard (IEEE TC 2018).


LFSR Based Stream Ciphers



Bit-oriented LFSR

Figure: LFSR: One step evolution (cells b5 ... b0 shift to b6 ... b1; the tapped cells are XOR-ed to form the new bit)

Recurrence relation: s_{t+6} = s_{t+4} ⊕ s_{t+1} ⊕ s_t

Polynomial over GF(2): x^6 + x^4 + x + 1


Bit-oriented LFSR (cont’d.)

A primitive polynomial provides the maximum length cycle, 2^d − 1 for degree d. Well known as an m-sequence.
By itself, not cryptographically secure, but a useful building block for pseudorandomness.
In the domain of communications, known as a p-n sequence.
Easy and efficient implementation in hardware, using registers (flip-flops) and simple logic gates.
Deep mathematical development for a long time.
Elegant results in the area of linear complexity.

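The two LFSR slides above can be checked in code. The following is an added example, not code from the slides: it clocks a bit-oriented LFSR from the exponents of its characteristic polynomial and measures the period of the output sequence. The tap sets and the impulse seed are constructed here; the slide's polynomial x^6 + x^4 + x + 1 is not primitive (it factors over GF(2)), so its periods fall well short of the m-sequence length 2^6 − 1 = 63 that the primitive polynomial x^6 + x + 1 reaches.

```python
# Added example (not from the slides): clock a bit-oriented LFSR from its
# characteristic polynomial and measure the period of the sequence it produces.


def lfsr_step(state, taps):
    """One clock. state[k] holds s_{t+k}; the new bit s_{t+d} is the XOR of the
    tapped cells s_{t+i}, i in taps (the polynomial's exponents below the degree)."""
    new_bit = 0
    for i in taps:
        new_bit ^= state[i]
    return state[1:] + [new_bit]


def lfsr_sequence(taps, seed, length):
    """Output bits s_0, s_1, ..., s_{length-1} for the seed (s_0, ..., s_{d-1})."""
    state = list(seed)
    out = []
    for _ in range(length):
        out.append(state[0])
        state = lfsr_step(state, taps)
    return out


def lfsr_period(taps, seed):
    """Clock the register until the seed state recurs; the count is the period."""
    start = list(seed)
    if not any(start):
        return 1  # the all-zero state is a fixed point of every LFSR
    state = lfsr_step(start, taps)
    period = 1
    while state != start:
        state = lfsr_step(state, taps)
        period += 1
    return period


def max_period(taps, degree):
    """Largest period over all 2^d - 1 nonzero seeds (equals 2^d - 1 iff primitive)."""
    best = 0
    for v in range(1, 1 << degree):
        seed = [(v >> k) & 1 for k in range(degree)]
        best = max(best, lfsr_period(taps, seed))
    return best


# Slide polynomial x^6 + x^4 + x + 1: recurrence s_{t+6} = s_{t+4} XOR s_{t+1} XOR s_t.
SLIDE_TAPS = (0, 1, 4)
# x^6 + x + 1 is primitive over GF(2): recurrence s_{t+6} = s_{t+1} XOR s_t.
PRIMITIVE_TAPS = (0, 1)
IMPULSE = [1, 0, 0, 0, 0, 0]  # constructed seed: s_0 = 1, all other cells 0

if __name__ == "__main__":
    # x^6 + x^4 + x + 1 = (x + 1)(x^2 + x + 1)(x^3 + x + 1), so every period
    # divides lcm(1, 3, 7) = 21: far short of the m-sequence length 63.
    print("x^6+x^4+x+1 period:", lfsr_period(SLIDE_TAPS, IMPULSE))
    print("x^6+x+1 period:", lfsr_period(PRIMITIVE_TAPS, IMPULSE))
```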

An Example: A5/1 (1987)

Used in GSM mobile in Europe and the USA.
64-bit key and 22-bit frame number.
Three irregularly clocked LFSRs.

LFSR length   Connection polynomial        Clocking bit
19            x^19 + x^5 + x^2 + x + 1     8
22            x^22 + x + 1                 10
23            x^23 + x^15 + x^2 + x + 1    10


A5/1 (1987)



Nonlinear Combiner Model

Take n LFSRs of different lengths (the lengths may be chosen pairwise coprime).
Initialize them with seeds.
In each clock, take the n outputs of the LFSRs, which are fed as the n inputs to an n-variable Boolean function.
Maybe some memory element is added.


Nonlinear Filter-Generator Model

Take one LFSR.
Initialize it with a seed.
In each clock, take n outputs from different locations of the LFSR, which are fed as the n inputs to an n-variable Boolean function.
May be considered with an additional memory element.
The Boolean function and the memory together form a finite state machine.


Nonlinear Filter Generator Model With Memory



Current Trend: State-of-the-art View

Concept: more than one bit processed together (32-bit words)
Use LFSRs over larger fields: the LFSR evolution operations need to be efficient.
GF(2^32) or GF(2^31 − 1), to relate to the 32-bit words of modern processors. Are we moving towards 64-bit words?
The FSM contains S-boxes and registers.
Registers are memory words.
S-boxes are multiple-output Boolean functions.
Here the hardware is not constrained.


SNOW and ZUC: SAGE’s view

SAGE: Security Algorithms Group of Experts

One stated objective for the design was that the new algorithms be substantially different from the first and second LTE algorithm sets, in such a way that an attack on any one algorithm set would be unlikely to lead to an attack on either of the others.
In SAGE's view this objective is not fully met: there are some architectural similarities between ZUC and SNOW 3G, and it is possible that a major advance in cryptanalysis might affect them both.
However, there are important differences too, so ZUC and SNOW 3G by no means “stand or fall together”.


SNOW 3G



SNOW 3G Stream Cipher

LFSR-based stream cipher: 32-bit words with a 128-bit key.
An LFSR of 32-bit words, length 16
A finite state machine (FSM) as the non-linear part
Based on the earlier versions SNOW 1.0 and SNOW 2.0
Derived from the stream cipher SNOW 2.0, with improvements against algebraic cryptanalysis and distinguishing attacks.
SNOW 1.0, SNOW 2.0, and SNOW 3G were developed by Thomas Johansson and Patrik Ekdahl.


SNOW 3G Structure



SNOW 3G: Simple Analysis

Z_t = (s_{15,t} ⊞ R1_t) ⊕ R2_t ⊕ s_{0,t}, where ⊞ is addition mod 2^32.
Approximation: Z_t ≈ (s_{15,t} ⊕ R1_t) ⊕ R2_t ⊕ s_{0,t}
If R1_t = R2_t (happens with probability 1/2^32), then Z_t ≈ s_{15,t} ⊕ s_{0,t}.

A better understanding of R1, R2 may provide nontrivial results relating the keystream words and the LFSR words.


SNOW 3G: Simple Analysis (cont’d.)

Z_t = (s_{15,t} ⊞ R1_t) ⊕ R2_t ⊕ s_{0,t}
Two values directly from the LFSR
Two values from the registers
Let us use the term “directly used” for the LFSR words that are XOR-ed/added to generate the keystream words. Here such terms are s_{15,t} and s_{0,t}.
A word of the LFSR is “directly used” twice, to generate two different keystream words which are 15 clocks apart.
Let us use the term “indirectly used” for the words that flow into the FSM. Here such a term is s_{5,t}.


SNOW 3G: Simple Analysis (cont’d.)

Z_t = (s_{15,t} ⊞ R1_t) ⊕ R2_t ⊕ s_{0,t} ≈ (s_{15,t} ⊕ R1_t) ⊕ R2_t ⊕ s_{0,t}
Z_{t+15} ≈ (s_{15,t+15} ⊕ R1_{t+15}) ⊕ R2_{t+15} ⊕ s_{0,t+15} = (s_{15,t+15} ⊕ R1_{t+15}) ⊕ R2_{t+15} ⊕ s_{15,t}
Z_t ⊕ Z_{t+15} ≈ (s_{0,t} ⊕ s_{15,t+15}) ⊕ (R1_t ⊕ R2_t ⊕ R1_{t+15} ⊕ R2_{t+15}).
If (R1_t ⊕ R2_t ⊕ R1_{t+15} ⊕ R2_{t+15}) = 0 (happens with probability 1/2^32), then Z_t ⊕ Z_{t+15} ≈ (s_{0,t} ⊕ s_{15,t+15}).

A better understanding of R1, R2 may provide nontrivial results relating the keystream words and the LFSR words.


SNOW 3G: Fault Analysis

B. Debraize, I. M. Corbella: Fault Analysis of the Stream Cipher SNOW 3G. FDTC 2009.
The attack claims to recover the secret key with only 22 fault injections.
No other attack is known against SNOW 3G today.


ZUC



ZUC Algorithm

LFSR-based stream cipher
31-bit LFSR words
32-bit keystream words
128-bit key
A finite state machine (FSM) as the non-linear core


ZUC Algorithm



ZUC LFSR

Mentioned in the Design and Evaluation Report (v1.1, pp. 17/40)
The period of each coordinate sequence generated by the ZUC LFSR is around 2^496.
The linear complexity of the coordinate sequences is p(p^16 − 1) / (2(p − 1)), where p = 2^31 − 1.


LFSR loading

k = k_0 ‖ k_1 ‖ k_2 ‖ ... ‖ k_15
iv = iv_0 ‖ iv_1 ‖ iv_2 ‖ ... ‖ iv_15
s_i = k_i ‖ d_i ‖ iv_i
31 = 8 + 15 + 8
What if the d_i's are created by some mixing of k_j and iv_l? As an example: d_i = d_i' ‖ (k_j ⊞ iv_l), where d_i' is 7 bits.
This may produce certain kinds of repetition of the key bits, as in the software stream ciphers RC4 & HC-128.


ZUC BR (Bit Reorganization)

X0 = S15H ‖ S14L;
X1 = S11L ‖ S9H;
X2 = S7L ‖ S5H;
X3 = S2L ‖ S0H;

(SiH and SiL are the 16 high-order and 16 low-order bits of the 31-bit LFSR word S_i; they overlap in bit 15, which is what the bit-tracking on the next slide exploits.)


ZUC Analysis

Writing X^{(b)} for bit b of the word X:

S_{15,t}^{(15)} = X_{0,t}^{(16)} = X_{0,t+1}^{(15)} = X_{1,t+4}^{(31)} = X_{1,t+6}^{(0)} = X_{2,t+8}^{(31)} = X_{2,t+10}^{(0)} = X_{3,t+13}^{(31)} = X_{3,t+15}^{(0)}

Note that X_{0,t}^{(16)} = X_{0,t+1}^{(15)} = X_{3,t+13}^{(31)} = X_{3,t+15}^{(0)} = S_{15,t}^{(15)} are used directly from the LFSR.

The same LFSR bit is used 4 times in 4 different keystream words.


ZUC FSM



ZUC FSM

F(X0, X1, X2):
W = (X0 ⊕ R1) ⊞ R2;
W1 = R1 ⊞ X1;
W2 = R2 ⊕ X2;
R1 = S(L1(W1L ‖ W2H));
R2 = S(L2(W2L ‖ W1H));

S is a 32 × 32 S-box; L1 and L2 are linear transformations.


S and L1 , L2

The S-box:
S is composed of 4 juxtaposed 8 × 8 S-boxes, S = (S0, S1, S0, S1).
For S0, its nonlinearity, differential uniformity, algebraic degree and algebraic immunity are 96, 8, 5 and 2 respectively. Suboptimal: for easy hardware implementation.
For S1, its nonlinearity, differential uniformity, algebraic degree and algebraic immunity are 112, 4, 7 and 2 respectively.

L1(X) = X ⊕ (X ≪ 2) ⊕ (X ≪ 10) ⊕ (X ≪ 18) ⊕ (X ≪ 24)
L2(X) = X ⊕ (X ≪ 8) ⊕ (X ≪ 14) ⊕ (X ≪ 22) ⊕ (X ≪ 30)

(≪ denotes 32-bit left rotation.)

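The linear transformations L1 and L2 from the slide, written out as an added example (not ZUC's reference code): each is a GF(2)-linear map on 32-bit words, so its 32 × 32 matrix can be read off from the images of the unit vectors, and a rank computation tells whether the FSM's linear layer is a bijection. The parity shortcut at the end is a general property of rotate-XOR maps (assumed here as a stated fact, checked against the rank test), and `weak` is a constructed non-invertible map used only as a contrast.

```python
# Added example (not ZUC's reference code): the ZUC FSM linear layers L1 and L2
# as GF(2)-linear maps, with checks that they are linear and invertible.

MASK32 = 0xFFFFFFFF


def rotl32(x, n):
    """32-bit left rotation (the <<< of the slide)."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def L1(x):
    return x ^ rotl32(x, 2) ^ rotl32(x, 10) ^ rotl32(x, 18) ^ rotl32(x, 24)


def L2(x):
    return x ^ rotl32(x, 8) ^ rotl32(x, 14) ^ rotl32(x, 22) ^ rotl32(x, 30)


def gf2_columns(f):
    """Images of the unit vectors e_k = 1 << k. For a GF(2)-linear f,
    f(x) is the XOR of the columns selected by the set bits of x."""
    return [f(1 << k) for k in range(32)]


def gf2_rank(vectors):
    """Rank of a set of 32-bit vectors over GF(2) by Gaussian elimination."""
    rows = list(vectors)
    rank = 0
    for bit in range(31, -1, -1):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def is_linear(f, pairs):
    """f(x ^ y) == f(x) ^ f(y) on the supplied (x, y) pairs."""
    return all(f(x ^ y) == f(x) ^ f(y) for x, y in pairs)


def is_invertible(f):
    """A linear map on 32-bit words is a bijection iff its matrix has rank 32."""
    return gf2_rank(gf2_columns(f)) == 32


def rotxor_invertible_by_parity(rotations):
    """Shortcut for maps x XOR (x<<<r1) XOR ... XOR (x<<<rk): rotation by r is
    multiplication by x^r in GF(2)[x]/(x^32 + 1) = GF(2)[x]/(x + 1)^32, so the
    map is invertible iff its polynomial is not divisible by (x + 1), i.e. iff
    the number of terms (identity included) is odd."""
    return (len(rotations) + 1) % 2 == 1


def weak(x):
    """Constructed contrast: two terms, so (x + 1) divides it; maps 0xFFFFFFFF to 0."""
    return x ^ rotl32(x, 1)
```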

The Integrity Algorithm (Basic Idea)

Given a key, generate the keystream k_0, ..., k_{t−1}, say.
Generate b-bit words w_0 = k_0 ... k_{b−1}, w_1 = k_1 ... k_b, ..., w_{t−b} = k_{t−b} ... k_{t−1}. Sliding technique.
Message m_0, ..., m_{u−1}, u < t.
tag is a b-bit word, initialized to zero, say.
for i = 0 to u − 1: if m_i = 1 then tag = tag ⊕ w_i.

H_k(M) → tag: universal hash function with collision probability 1/2^b.

EIA3: b = 32 is fixed. This gives a collision probability of 2^−32.

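The sliding-window tag of the basic idea above, as an added example (not the EIA3 specification, which adds further keystream masking on top of this core): a direct version that builds each w_i, a big-integer version that extracts the windows by shifting, and an empirical check that two distinct messages collide with probability about 2^−b when the keystream is uniformly random. Messages and keystreams are constructed here, and b is kept small so the collision rate is measurable.

```python
# Added example (not the EIA3 reference code): the sliding-window universal
# hash from the slide, plus an empirical check of the 2^-b collision bound.
import random


def sliding_words(keystream_bits, b):
    """w_i = k_i ... k_{i+b-1} as integers (first keystream bit = MSB)."""
    words = []
    for i in range(len(keystream_bits) - b + 1):
        w = 0
        for bit in keystream_bits[i:i + b]:
            w = (w << 1) | bit
        words.append(w)
    return words


def universal_tag(message_bits, keystream_bits, b):
    """tag = XOR of w_i over all i with m_i = 1, starting from zero."""
    words = sliding_words(keystream_bits, b)
    assert len(message_bits) <= len(words), "keystream too short for the message"
    tag = 0
    for i, m in enumerate(message_bits):
        if m:
            tag ^= words[i]
    return tag


def universal_tag_fast(message_bits, keystream_bits, b):
    """Same tag, but each window is cut out of one big integer with a shift
    and a mask instead of being rebuilt bit by bit."""
    t = len(keystream_bits)
    k = int("".join(map(str, keystream_bits)), 2)
    tag = 0
    for i, m in enumerate(message_bits):
        if m:
            tag ^= (k >> (t - b - i)) & ((1 << b) - 1)
    return tag


def collision_rate(m1, m2, b, trials, seed=3):
    """Fraction of random keystreams on which two distinct messages get the
    same tag. For a uniformly random keystream this is 2^-b."""
    rng = random.Random(seed)  # constructed, deterministic sample keystreams
    t = max(len(m1), len(m2)) + b
    hits = 0
    for _ in range(trials):
        ks = [rng.getrandbits(1) for _ in range(t)]
        hits += universal_tag_fast(m1, ks, b) == universal_tag_fast(m2, ks, b)
    return hits / trials
```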

Software Stream Ciphers

No space constraint
ARX strategy: Add, Rotate, XOR
Add is the only nonlinear operation
Very fast on any standard processor
Speed of KSA vs speed of PRGA


RC4



RC4

Designed by Ron Rivest for RSA Data Security in 1987? (Alleged RC4)
S-box S = (S[0], ..., S[N − 1]) of length N, each location storing log2 N bits (typically, N = 256).
A secret key k of size l bytes (typically, 5 ≤ l ≤ 16).
An array K = (K[0], ..., K[N − 1]) is used to hold the secret key, where the key is repeated in K at key-length boundaries, i.e., K[y] = k[y mod l] for 0 ≤ y ≤ N − 1.
Repetition of the same key makes it hard to find collisions (Matsui, FSE 2009).


RC4 KSA

Input: Secret key array K.

Output: Random-looking S-box S generated using K.

for i = 0, ..., N − 1: S[i] = i;
Initialize counter: j = 0;
for i = 0, ..., N − 1:
    j = j + S[i] + K[i];  (mod N)
    Swap S[i] ↔ S[j];

Design strategy:
Randomness is achieved by the secret key and swapping. The secret key is used up to this stage, not after that.


RC4 PRGA

Input: Random-looking S-box S generated using K.

Output: Pseudorandom keystream bytes.

Initialize the counters: i = j = 0;
While you need keystream bytes:
    i = i + 1;  (mod N)
    j = j + S[i];  (mod N)
    Swap S[i] ↔ S[j];
    Output Z = S[S[i] + S[j]];

Design strategy:
The swap continues, with one deterministic and one pseudorandom index.
Double indexing Z = S[S[i] + S[j]] provides the nonlinearity.


RC4 Cryptanalysis

More than 40 high-quality publications in over two decades.
Most results identify weaknesses in the initial keystream bytes.
Example: P(z_2 = 0) ≈ 2/N, Mantin-Shamir, FSE 2001.
Lesson: Run the PRGA for a few initial rounds and do not use those bytes. As if part of the KSA. The KSA requires more time.
Mantin's distinguisher (ABTAB pattern, 2^26.5 bytes), Eurocrypt 2005.
Maximov-Khovratovich state recovery attack, time complexity 2^241, Crypto 2008. Can be used to recover the secret key: Maitra-Paul, SAC 2007.
Recent attacks on WPA and TLS; our work in JoC.

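The KSA and PRGA of the two preceding pseudocode slides, and the second-byte bias P(z_2 = 0) ≈ 2/N cited above, as an added example (not code from the slides): the permutation size N is kept as a parameter so the bias can be measured quickly on a reduced instance, with the full N = 256 version checked against the widely published keystream for the key "Key". The reduced-N trial keys are constructed with a seeded generator.

```python
# Added example (not from the slides): RC4 KSA/PRGA with generic N, plus an
# empirical measurement of the Mantin-Shamir second-byte bias P(z2 = 0) ~ 2/N.
import random


def rc4_ksa(key, n=256):
    """KSA from the slide: the identity permutation scrambled by key-driven
    swaps, with the key repeated across the N positions (K[y] = key[y mod l])."""
    l = len(key)
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % l]) % n
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s, count, n=256):
    """PRGA from the slide: one deterministic index i, one pseudorandom index j,
    output Z = S[S[i] + S[j]]. Mutates the permutation s."""
    i = j = 0
    out = []
    for _ in range(count):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % n])
    return out


def rc4_keystream(key, count):
    """Standard RC4 (N = 256): first `count` keystream bytes for a byte-string key."""
    return bytes(rc4_prga(rc4_ksa(key), count))


def second_byte_zero_rate(trials, n=64, key_len=5, seed=1):
    """Fraction of random keys whose second output byte z2 is 0.
    Ideal: 1/N. Mantin-Shamir: about 2/N, because S[2] = 0 after the KSA
    (probability about 1/N) forces z2 = 0 whenever S[1] != 2."""
    rng = random.Random(seed)  # constructed, deterministic test keys
    hits = 0
    for _ in range(trials):
        key = [rng.randrange(n) for _ in range(key_len)]
        z = rc4_prga(rc4_ksa(key, n), 2, n)
        hits += z[1] == 0
    return hits / trials
```

Discarding the first keystream bytes, as the slide's lesson says, is exactly what removes the output position this measurement looks at.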

RC4: Current Status

The design is nice and simple.
That invites a lot of cryptanalytic results.
The cipher is well studied.
Requires discarding some amount of initial keystream bytes.
Needs to be replaced in several applications.
Possible replacement by ChaCha.


Not-So-Simple Designs

Consider that we need a word-oriented (32-bit) stream cipher.
More speed and security required.
Not easy to maintain an array of 2^32 locations to implement a 32-bit instance of RC4.
More security margin obviously requires more time/memory.
Efficient software implementation may reduce time.


The eSTREAM Project

An effort to get secure stream ciphers satisfying current requirements: the ECRYPT Stream Cipher Project, http://www.ecrypt.eu.org/stream/

This multi-year effort, running from 2004 to 2008, has identified a portfolio of promising new stream ciphers.
It is expected that research on the eSTREAM submissions in general, and the portfolio ciphers in particular, will continue.
It is also possible that changes to the eSTREAM portfolio might be needed in the future.


The eSTREAM Portfolio

The eSTREAM Portfolio (revision 1) as of September 2008

The eSTREAM portfolio has been revised and the portfolio now contains the following ciphers:

Profile 1 (SW)   Profile 2 (HW)
HC-128           Grain v1
Rabbit           MICKEY v2
Salsa20/12       Trivium
SOSEMANUK


HC-128



HC-128

Designed by Hongjun Wu [scaled-down version of HC-256 (FSE 2004)]
Synchronous stream cipher with a 32-bit word output per step
A software stream cipher, available at http://www.ecrypt.eu.org/stream/hcp3.html
128-bit secret key
The key and IV setup takes about 27,300 clock cycles
Encryption speed is 3.05 cycles/byte on a Pentium M processor
No cryptanalytic result yet other than the claimed security conjectures by the designer


Notation

+ : x + y means x + y mod 2^32, where 0 ≤ x, y < 2^32.
⊟ : x ⊟ y means x − y mod 512.
⊕ : bit-wise exclusive OR.
‖ : concatenation.
x >> n : right shift operator, x being right-shifted by n bits.
x << n : left shift operator, x being left-shifted by n bits.
x ≫ n : right rotation operator. x ≫ n means ((x >> n) ⊕ (x << (32 − n))), where 0 ≤ n < 32, 0 ≤ x < 2^32.
x ≪ n : left rotation operator. x ≪ n means ((x << n) ⊕ (x >> (32 − n))).


Data Structures

Two tables P and Q, each with 512 32-bit elements, are used as the internal state of HC-128.
A 128-bit key array K[0, ..., 3] and a 128-bit initialization vector IV[0, ..., 3] are used, where each entry of the array is a 32-bit element.
s_t denotes the keystream word generated at the t-th step, t = 0, 1, 2, ....


Functions

f1(x) = (x ≫ 7) ⊕ (x ≫ 18) ⊕ (x >> 3),
f2(x) = (x ≫ 17) ⊕ (x ≫ 19) ⊕ (x >> 10),
g1(x, y, z) = ((x ≫ 10) ⊕ (z ≫ 23)) + (y ≫ 8),
g2(x, y, z) = ((x ≪ 10) ⊕ (z ≪ 23)) + (y ≪ 8),
h1(x) = Q[x^(0)] + Q[256 + x^(2)],
h2(x) = P[x^(0)] + P[256 + x^(2)],

where x = x^(3) ‖ x^(2) ‖ x^(1) ‖ x^(0) is a 32-bit word with four bytes: x^(0) (least significant), x^(1), x^(2) and x^(3) (most significant).


Key and IV setup

Secret key: K[0, ..., 3]
Initialization vector: IV[0, ..., 3]
K[i + 4] = K[i] and IV[i + 4] = IV[i] for 0 ≤ i ≤ 3.
Repetition of the same key & IV.
When running the KSA backwards, one gets stuck here.

The key and IV are expanded into an array W[0, ..., 1279] as:

W[i] = K[i]                                                     for 0 ≤ i ≤ 7;
W[i] = IV[i − 8]                                                for 8 ≤ i ≤ 15;
W[i] = f2(W[i − 2]) + W[i − 7] + f1(W[i − 15]) + W[i − 16] + i   for 16 ≤ i ≤ 1279.


Key and IV setup (cont’d.)

Update the tables P and Q with the array W as follows.

P[i] = W[i + 256], for 0 ≤ i ≤ 511
Q[i] = W[i + 768], for 0 ≤ i ≤ 511

Run 1024 steps and use the outputs to replace the table elements:

P[i] = (P[i] + g1(P[i ⊟ 3], P[i ⊟ 10], P[i ⊟ 511])) ⊕ h1(P[i ⊟ 12]), for i = 0 to 511
Q[i] = (Q[i] + g2(Q[i ⊟ 3], Q[i ⊟ 10], Q[i ⊟ 511])) ⊕ h2(Q[i ⊟ 12]), for i = 0 to 511


The Keystream Generation Algorithm

i = 0;
repeat until enough keystream bits are generated {
    j = i mod 512;
    if (i mod 1024) < 512 {
        P[j] = P[j] + g1(P[j ⊟ 3], P[j ⊟ 10], P[j ⊟ 511]);
        s_i = h1(P[j ⊟ 12]) ⊕ P[j];
    }
    else {
        Q[j] = Q[j] + g2(Q[j ⊟ 3], Q[j ⊟ 10], Q[j ⊟ 511]);
        s_i = h2(Q[j ⊟ 12]) ⊕ Q[j];
    }
    i = i + 1;
}

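The HC-128 notation, functions, key/IV setup and keystream generation of the preceding slides, assembled into one runnable implementation as an added example (not the designer's reference code). It takes the key and IV as four 32-bit words each, as the slides do; the sample key/IV values in the test are constructed, and the designer's test vectors in the HC-128 specification are the place to compare the output word by word.

```python
# Added example (not the designer's reference code): HC-128 as described on the
# slides: f1/f2/g1/g2/h1/h2, W expansion, 1024-step table initialization, PRGA.
MASK = 0xFFFFFFFF


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def f1(x):
    return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)


def f2(x):
    return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)


def g1(x, y, z):
    return ((rotr(x, 10) ^ rotr(z, 23)) + rotr(y, 8)) & MASK


def g2(x, y, z):
    return ((rotl(x, 10) ^ rotl(z, 23)) + rotl(y, 8)) & MASK


def h1(Q, x):
    """Q[x^(0)] + Q[256 + x^(2)]: byte 0 and byte 2 of x index the table."""
    return (Q[x & 0xFF] + Q[256 + ((x >> 16) & 0xFF)]) & MASK


def h2(P, x):
    return (P[x & 0xFF] + P[256 + ((x >> 16) & 0xFF)]) & MASK


class HC128:
    def __init__(self, key, iv):
        """key, iv: four 32-bit words each (K[0..3], IV[0..3]), repeated as K[i+4] = K[i]."""
        W = [key[i % 4] for i in range(8)] + [iv[i % 4] for i in range(8)]
        for i in range(16, 1280):
            W.append((f2(W[i - 2]) + W[i - 7] + f1(W[i - 15]) + W[i - 16] + i) & MASK)
        self.P, self.Q = W[256:768], W[768:1280]
        P, Q = self.P, self.Q
        # 1024 initialization steps whose outputs overwrite the table elements
        for i in range(512):
            P[i] = ((P[i] + g1(P[(i - 3) % 512], P[(i - 10) % 512], P[(i - 511) % 512]))
                    ^ h1(Q, P[(i - 12) % 512])) & MASK
        for i in range(512):
            Q[i] = ((Q[i] + g2(Q[(i - 3) % 512], Q[(i - 10) % 512], Q[(i - 511) % 512]))
                    ^ h2(P, Q[(i - 12) % 512])) & MASK
        self.i = 0

    def next_word(self):
        """One PRGA step: P is updated for 512 steps, then Q for 512 steps."""
        i, P, Q = self.i, self.P, self.Q
        j = i % 512
        if (i % 1024) < 512:
            P[j] = (P[j] + g1(P[(j - 3) % 512], P[(j - 10) % 512], P[(j - 511) % 512])) & MASK
            s = h1(Q, P[(j - 12) % 512]) ^ P[j]
        else:
            Q[j] = (Q[j] + g2(Q[(j - 3) % 512], Q[(j - 10) % 512], Q[(j - 511) % 512])) & MASK
            s = h2(P, Q[(j - 12) % 512]) ^ Q[j]
        self.i += 1
        return s

    def keystream(self, n):
        return [self.next_word() for _ in range(n)]
```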

Cryptanalytic Results on HC-128

Wu, the designer of HC-128, presented a distinguisher that requires 2^156 keystream words. That is based on the 0-th bit.
Extended to all other bits of the words by Maitra-Paul-Raizada-Sen-Sengupta (WCC 2009, accepted in DCC).
Observation by Dunkelman in the eSTREAM discussion forum: A small observation on HC-128. http://www.ecrypt.eu.org/stream/phorum/read.php?1,1143 (Date: November 14, 2007)
Shows that the keystream words of HC-128 leak information regarding the secret state.
Also sharpened by Maitra-Paul-Raizada-Sen-Sengupta.


Salsa20



Introduction

Salsa20 was designed by Bernstein in 2005 as a candidate for eSTREAM: http://cr.yp.to/snuffle.html
Salsa20/12 has been accepted in the eSTREAM software portfolio.
Attacks up to 8 rounds are known.
Revised to design ChaCha, which is being used in many standards now.


Data Structure

   
    [ x0   x1   x2   x3  ]   [ c0  k0  k1  k2 ]
X = [ x4   x5   x6   x7  ] = [ k3  c1  v0  v1 ]
    [ x8   x9   x10  x11 ]   [ t0  t1  c2  k4 ]
    [ x12  x13  x14  x15 ]   [ k5  k6  k7  c3 ].

Each word is of 32 bits. 16 words in total.


256-bit key

c0 = 0x61707865, c1 = 0x3320646e, c2 = 0x79622d32, c3 = 0x6b206574,
256-bit key k0, ..., k7
64-bit nonce v0, v1
64-bit counter t0, t1
Since this is with 256-bit keys, we can refer to it as 256-bit Salsa20.


128-bit key

One can use the same cipher with a 128-bit key, where k_i = k_{i+4} for 0 ≤ i ≤ 3, and
c0 = 0x61707865, c1 = 0x3120646e, c2 = 0x79622d36, c3 = 0x6b206574.
One may note the little differences in c1, c2 between the 128-bit and 256-bit versions.


Quarter Round

The basic nonlinear operation of Salsa20 is the quarterround function.
Each quarterround(a, b, c, d) consists of four ARX rounds, each of which comprises one addition (A), one cyclic left rotation (R) and one XOR (X) operation, as given below.

b = b ⊕ ((a + d) ≪ 7),
c = c ⊕ ((b + a) ≪ 9),
d = d ⊕ ((c + b) ≪ 13),        (1)
a = a ⊕ ((d + c) ≪ 18).


Row & Column Round

Each columnround works as four quarterrounds, one on each of the four columns of the state matrix.
Each rowround works as four quarterrounds, one on each of the four rows of the state matrix.
columnround and rowround work one after another.
Salsa20/20: 10 columnrounds and 10 rowrounds, interleaved.


Column Round & Transpose

In each round, first apply quarterround on all the four columns in the following order:
quarterround(x0, x4, x8, x12), quarterround(x5, x9, x13, x1), quarterround(x10, x14, x2, x6), quarterround(x15, x3, x7, x11),
and then a transpose(X) as follows:

    [ x0   x1   x2   x3  ]          [ x0  x4  x8   x12 ]
X = [ x4   x5   x6   x7  ]  →  X^T = [ x1  x5  x9   x13 ]
    [ x8   x9   x10  x11 ]          [ x2  x6  x10  x14 ]
    [ x12  x13  x14  x15 ]          [ x3  x7  x11  x15 ].


Number of Rounds

By X^(r), we mean that r such rounds have been applied on the initial state X.
X^(0) is the same as the initial state X.
Finally, after R rounds we have X^(R).
Then a keystream block of 16 words or 512 bits is obtained as

Z = X + X^(R).

For Salsa20, R = 20.
The one accepted in the eSTREAM software portfolio is Salsa20/12, where R = 12.
Naturally, more rounds will provide better security and fewer rounds will provide higher speed.
No concept of separate KSA/PRGA.


Reversible State Transition

Each Salsa20 round is reversible as the state-transition operations are reversible.
If X^(r+1) = round(X^(r)), then X^(r) = reverseround(X^(r+1)), where reverseround is the inverse of round and consists of first transposing the state and then applying the inverse of quarterround for each column as follows.

a = a ⊕ ((d + c) ≪ 18),
d = d ⊕ ((c + b) ≪ 13),
c = c ⊕ ((b + a) ≪ 9),         (2)
b = b ⊕ ((a + d) ≪ 7).

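The Salsa20 round structure of the last five slides (quarterround (1), the column order plus transpose, the keystream block Z = X + X^(R), and the reverse round (2)) as one added example, not Bernstein's reference code. The state layout and constants are the 256-bit ones from the slides; the key, nonce and counter words used in the test are constructed. The reversibility check shows why the feedforward addition X + X^(R) is what stops a keystream block from being run back to the key-bearing state.

```python
# Added example (not Bernstein's reference code): Salsa20 round, reverse round
# and keystream block exactly as the slides describe them.
MASK = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574)  # 256-bit key constants
COLUMNS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(a, b, c, d):
    """Equation (1): four add-rotate-xor steps."""
    b ^= rotl((a + d) & MASK, 7)
    c ^= rotl((b + a) & MASK, 9)
    d ^= rotl((c + b) & MASK, 13)
    a ^= rotl((d + c) & MASK, 18)
    return a, b, c, d


def inverse_quarterround(a, b, c, d):
    """Equation (2): the same steps undone in reverse order."""
    a ^= rotl((d + c) & MASK, 18)
    d ^= rotl((c + b) & MASK, 13)
    c ^= rotl((b + a) & MASK, 9)
    b ^= rotl((a + d) & MASK, 7)
    return a, b, c, d


def transpose(x):
    """Row-major 4x4 transpose: entry (r, c) moves to (c, r)."""
    return [x[4 * (i % 4) + i // 4] for i in range(16)]


def salsa_round(x):
    """Quarterround on the four columns in the slide's order, then transpose."""
    x = list(x)
    for a, b, c, d in COLUMNS:
        x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])
    return transpose(x)


def reverse_round(x):
    """Transpose first, then invert the quarterround on each column."""
    x = transpose(x)
    for a, b, c, d in COLUMNS:
        x[a], x[b], x[c], x[d] = inverse_quarterround(x[a], x[b], x[c], x[d])
    return x


def initial_state(key8, nonce2, counter2, c=SIGMA):
    """Matrix layout from the slide: constants on the diagonal, key around them."""
    k, v, t = key8, nonce2, counter2
    return [c[0], k[0], k[1], k[2],
            k[3], c[1], v[0], v[1],
            t[0], t[1], c[2], k[4],
            k[5], k[6], k[7], c[3]]


def rounds(x, r):
    """X^(r): r rounds applied to X."""
    for _ in range(r):
        x = salsa_round(x)
    return x


def keystream_block(x, r=20):
    """Z = X + X^(R), word-wise mod 2^32 (Salsa20/20 by default, Salsa20/12 for r=12)."""
    return [(a + b) & MASK for a, b in zip(x, rounds(x, r))]


def undo_rounds(y, r):
    """Recover X from X^(r) alone: every round is invertible."""
    for _ in range(r):
        y = reverse_round(y)
    return y
```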

Broad view

Hardware vs software
Hardware vs hardware (towards fewer gates in implementation)
Software vs software (how many bytes/clock?)
Frequency of modification of key/IV: relates to the cost of the key scheduling algorithm, encrypting long/short keystreams
Reversibility (if not, collision; if yes, TMDTO)
Proof of security vs statistical analysis of algorithms
Issues of national/international standardization
Authenticated Encryption with Associated Data (AEAD)


Thank You
