The Salsa20 cipher is one of the prominent ciphers that can replace the well-known Advanced Encryption Standard (AES). It was selected by eSTREAM, reaching round 3 under the software portfolio.
3. Background
• Use of network applications is growing at a rapid speed.
• Pseudo-random numbers are at the core of any network security application.
• GMR-1 and GMR-2 algorithms for secret key generation are prone to attacks using cipher A5/1.
• Traditional ciphers like AES and RC4, which are widely used, have both been proven vulnerable to attacks.
ELG 5373 3/25 30-03-2017
4. Background
• Osvik, Shamir, and Tromer used cache-timing attacks to steal AES keys from a Linux disk-encryption device.
• Serious key collisions and leakage were found in hardware implementations of AES ciphers.
• The PPTP VPN service used by Microsoft is prone to a ciphertext-only attack, which is based on the RC4 key exchange.
• A. Shamir, I. Mantin and S. Fluhrer revealed weaknesses in the key scheduling algorithm of RC4.
5. Background
• The cipher should be “GENERIC”: compatible with both hardware and software platforms.
• From the software point of view, the time to generate patterns should be very short (to keep it attack resistant) and memory usage very low.
• On the hardware design side, the circuit should be as simple as possible while remaining computationally complex.
• This is how Salsa20 came into the picture.
6. Background
• A stream cipher is beneficial compared to a block cipher for the following reasons:
1) Stream ciphers are fast and small, so they are beneficial in applications with limited computational resources.
2) When the amount of data to be delivered is not fixed, stream ciphers are beneficial, particularly if they are LFSR based.
3) A software-optimized stream cipher needs very few processor instructions to encrypt one bit of plaintext.
7. Background
5) A hardware-optimized stream cipher needs fewer gates than a block cipher.
6) Block ciphers use more memory due to larger chunks of data and "carry over" from previous blocks; stream ciphers work on only a few bits at a time, so their memory requirements are low.
7) A block cipher is prone to noise in transmission; in a stream cipher there is no connection to other chunks.
8. SALSA 20/r
• Salsa20/r is a software-oriented additive stream cipher proposed by Daniel J. Bernstein.
Fig1 :- Operation of Salsa[5]
9. SALSA 20/r
• Long chain of simple operations, rather than a shorter chain of complicated operations.
• It uses the following set of operations [1]:
i. 32-bit addition, producing the sum a + b mod 2^32 of two 32-bit words a, b;
ii. 32-bit exclusive-or, producing the xor a ⊕ b of two 32-bit words a, b; and
iii. Constant-distance 32-bit rotation, producing the rotation a <<< b of a 32-bit word a by b bits to the left, where b is constant.
10. SALSA 20/r
Fig:- 2 Initial State of 4*4 matrix[1]
• Four constants c0, ..., c3
• 256-bit key k0, ..., k7
• 64-bit nonce v0, v1
• 64-bit counter t0, t1
• For a 128-bit key we have k_i = k_{i+4}
• Salsa20 applies a nonlinear operation called the quarterround function.
• Each quarterround(a, b, c, d) consists of four ARX rounds.
• Each ARX round is one addition (A), one cyclic left rotation (R) and one XOR (X) operation.
• Example: x[9] ^= (x[1]+x[5]) <<< 7
11. SALSA 20/r
• Each columnround and rowround works as four quarterrounds, one on each of the four columns or rows of the state matrix.
• A columnround followed by a rowround makes 32 word modifications, which is 2 rounds of Salsa.
• A keystream block of 16 words (512 bits) is obtained as Z = X + X^(R), where X^(R) is the result of applying R rounds to the initial state matrix X.
• The Salsa20 stream cipher has the advantage that its key setup time is negligible.
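The state layout, quarterround, column/row rounds and the feed-forward Z = X + X^(R) described on the last two slides, as an added example (not code from the slides or from the Salsa20 authors). The word positions in the matrix and the "expand 32-byte k" constants are taken from Bernstein's Salsa20 specification [7], not from the slides, and the function names are chosen here for illustration.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # constants c0..c3 (Salsa20 spec)
# (a, b, c, d) word indices for the four column and the four row quarterrounds
COLS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))

def rotl(a, b):
    """Constant-distance 32-bit left rotation a <<< b."""
    return ((a << b) | (a >> (32 - b))) & MASK

def quarterround(x, a, b, c, d):
    """Four ARX steps; with (5, 9, 13, 1) the first is x[9] ^= (x[1]+x[5]) <<< 7."""
    x[b] ^= rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= rotl((x[d] + x[c]) & MASK, 18)

def core(state, rounds=20):
    """Apply R rounds (column round + row round = 2 rounds), then Z = X + X^(R)."""
    x = list(state)
    for _ in range(rounds // 2):
        for idx in COLS + ROWS:
            quarterround(x, *idx)
    return [(a + b) & MASK for a, b in zip(x, state)]

def initial_state(key, nonce, counter):
    """4x4 matrix from a 32-byte key, 8-byte nonce and 64-bit block counter."""
    k = struct.unpack("<8I", key)
    v = struct.unpack("<2I", nonce)
    t = (counter & MASK, (counter >> 32) & MASK)
    c = SIGMA
    return [c[0], k[0], k[1], k[2],
            k[3], c[1], v[0], v[1],
            t[0], t[1], c[2], k[4],
            k[5], k[6], k[7], c[3]]

def keystream_block(key, nonce, counter, rounds=20):
    """One 512-bit keystream block, serialized little-endian."""
    return struct.pack("<16I", *core(initial_state(key, nonce, counter), rounds))

def xor_stream(key, nonce, data, rounds=20):
    """Additive stream cipher: the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = keystream_block(key, nonce, i // 64, rounds)
        out += bytes(p ^ q for p, q in zip(data[i:i + 64], ks))
    return bytes(out)
```

Because the keystream depends only on key, nonce and counter, a (key, nonce) pair must never be reused for two different messages.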
12. SALSA 20/r
Cycles/byte = cycles per second (CpS) / speed (S) [14]
Speed = data size (DS) / time (T)
Fig:- 2 : Software Speeds on different platforms[1]
13. SALSA 20/r
• Two families of FPGA devices from Xilinx: Spartan 3 and the newer Spartan 6.
Fig:- 4 Implementation result of the pipelined architecture[10]
14. SALSA 20/r
• Salsa20/20 runs at 3.93 cycles/byte for long streams; the fastest AES is 9.2 cycles/byte for just 10 rounds on long streams. [1]
• With 3 cycles/byte for cryptography on Core 2, Salsa20/12 takes 2.8 cycles/byte; you can afford at most 3 rounds of AES for any security at all.
• Salsa20 is also better than AES on small CPUs, on FPGAs, and in dedicated circuits.
• Salsa20 runs at only 5.14 cycles/byte on a Qualcomm Snapdragon S4 processor, compared to 18.62 cycles/byte for AES-128 in counter mode.
15. Proof of Security
• Security against differential cryptanalysis and linear cryptanalysis attacks is a major design criterion for modern symmetric-key ciphers.
• A differential attack, which is a chosen-plaintext attack, involves comparing the XOR of two inputs to the XOR of the corresponding outputs.
• A SAT solver is used to find differential characteristics up to a certain weight W. [10]
• If a complete SAT solver returns unsatisfiable, this proves that no such differential characteristic exists.
16. Proof of Security
• No differential characteristic exists for 15 rounds of Salsa20 with a probability higher than 2^-130, which gives a security margin of 5 rounds for Salsa20/20. [10]
• A uniform random 16-byte-to-64-byte function has collision probability only about 2^-256.
• The current best differential attack on Salsa20 is on eight rounds, though the key taken into consideration is a 128-bit key instead of a 256-bit key.
• Security vs. performance trade-off.
17. Proof of Security
• Vulnerability of the Salsa20 stream cipher against power analysis attacks, especially against correlation power analysis (CPA).
• The power consumption L of the target cryptographic device depends on some intermediate state S_{k*}(X), where X is the input plaintext.
• The power consumption at an intermediate state of the quarter-round operation can be represented as P = L ∘ S_{k*}(X) + N [12], where N is random noise with a Gaussian distribution with zero mean and standard deviation σ.
18. Proof of Security
• Correlation analysis DPA on all eight key words of the Salsa20 stream cipher.
• Key 7 has the highest success rate of 0.9, while Keys 2 and 4 have a success rate of 0.2.
Fig :- 5 Success ratio for key determination[12]
19. Proof of Security
• Salsa20/5 with an estimated time complexity of 2^165.
• In 2006 attack on Salsa20/6 with estimated time complexity of 2^177, and a related-key attack on
Salsa20/7 with estimated time complexity of 2^217.
• In 2012 the attack by Aumasson et al. was improved by Shi et al. against Salsa20/7 (128-bit key) to a time complexity of 2^109 and Salsa20/8 (256-bit key) to 2^250.
• 2^80 operations is considered to be somewhat achievable currently.
20. Proof of Security
• Security from a theoretical perspective is validated; now we have to apply it in a practical application.
• The key space is 2^(128+64) = 2^192, which is very large, making it resistant to brute-force attacks.
• The encrypted image histogram and the original histogram are based on following equation:
• No statistical similarities between original image and encrypted image.
21. Proof of Security
Fig 6:- Histogram of original image[13] Fig 7:- Histogram of encrypted image[13]
22. Proof of Security
• Entropy values for cipher images, which are very close to theoretical value of 8.
Fig 8:- Entropy Value of the Cipher Images [13]
23. Conclusion
After going through all this literature we can conclude the following points:
• It is faster and more efficient compared to AES.
• It has been secure against both KPA and CPA.
• It is efficient in both software and hardware.
• Brute-force attacks are not easily implementable.
24. Reference
[1] D. J. Bernstein, “The Salsa20 Family of Stream Ciphers,” New Stream Cipher Des., pp. 84–97, 2008.
[2] S. Maitra, G. Paul, and W. Meier, “Salsa20 Cryptanalysis : New Moves and Revisiting Old Styles,” Cryptol. ePrint
Arch. Rep. 2015/217, 2015.
[3] M. Wód t valueczak, “New Results in Dependability and Computer Systems,” Adv. Intell. Syst. Comput., vol. 224,
pp. 513–521, 2013.
[4] P. Yadav, “Salsa And ChaCha,” no. March, pp. 16–20, 2016.
[5] A. Security and C. Design, “18733 : Applied Cryptography Recitation,” 2017.
[6] A. P. S. Foundation, “No Title,” vol. 20.
[7] D. J. Bernstein, “Salsa20 specification,” eSTREAM Proj. algorithm Descr.pp. 2–10, 2005.
[8] S. Josefsson, J. Strombergson, and N. Mavrogiannopoulos, “THE SALSA20 STREAM CIPHER FOR TRANSPORT
LAYER SECURITY,” pp. 1–24.
[9] P. Crowley, “Truncated differential cryptanalysis of five rounds of Salsa20,” Work, no. October, pp. 1–5, 2005.
25. Reference
[10] Cryptanalysis, “A Proof that the ARX Cipher Salsa20 is Secure,” no. 270901, pp. 1–18, 2011.
[11] B. Schneier, “Differential and Linear Cryptanalysis,” Dr. Dobb’s J. Softw. Tools, vol. 21, no. 1, p. 42,44,46,48
[12] B. Mazumdar, S. S. Ali, and O. Sinanoglu, “Power analysis attacks on ARX: An application to Salsa20,” Proc. 21st IEEE Int. On-Line Test. Symp. IOLTS 2015, pp. 40–43, 2015.
[13] A. Jolfaei and A. Mirghadri, “Survey : Image Encryption Using Salsa20,” Int. J. Comput. Sci. Issues, vol. 7, no. 5, pp. 213–220, 2010.
[14] "Calculating cycles per byte." Stream cipher - Calculating cycles per byte - Cryptography Stack Exchange. N.p., 2 Oct. 2012.
Web. 3 Mar. 2017. <http://crypto.stackexchange.com/questions/3943/calculating-cycles-per-byte>.
[15] "How secure is Salsa20?" Algorithm design - How secure is Salsa20? - Cryptography Stack Exchange. N.p., 8 Oct. 2016. Web.
10 Mar. 2017. <http://crypto.stackexchange.com/questions/40542/how-secure-is-salsa20/40543>.