Related-Cipher Attack on Salsa20

Abstract

Salsa20 was proposed by Daniel Bernstein and is one of the finalists of eSTREAM project. Related-cipher attack was introduced by Hongjun Wu in 2002 and applied to block ciphers. The related ciphers can be considered as ciphers with the same round function, but with different round numbers. There has not been any related-cipher attack applied to Salsa20 stream cipher. In this paper, we apply related-cipher attack on stream cipher Salsa20, since Salsa20 uses flexible rounds (reduced-round versions of Salsa20) and the key schedule of Salsa20 is independent of the number of rounds. If a secret key is used in Salsa20/12 and Salsa20/8 to encrypt the same message, we can recover the 256-bit secret key with computational complexity of about 2224. The result shows that related-cipher attack may be also applied to stream ciphers.