Slide 12
Ryoma Ito (NICT, Japan) December 17, 2020
Rotational Cryptanalysis of Salsa Core Function
Salsa stream cipher
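- columnrounds (in the odd number rounds):
  $(x_0^{(r)}, x_4^{(r)}, x_8^{(r)}, x_{12}^{(r)})$, $(x_5^{(r)}, x_9^{(r)}, x_{13}^{(r)}, x_1^{(r)})$, $(x_{10}^{(r)}, x_{14}^{(r)}, x_2^{(r)}, x_6^{(r)})$, $(x_{15}^{(r)}, x_3^{(r)}, x_7^{(r)}, x_{11}^{(r)})$
- rowrounds (in the even number rounds):
  $(x_0^{(r)}, x_1^{(r)}, x_2^{(r)}, x_3^{(r)})$, $(x_5^{(r)}, x_6^{(r)}, x_7^{(r)}, x_4^{(r)})$, $(x_{10}^{(r)}, x_{11}^{(r)}, x_8^{(r)}, x_9^{(r)})$, $(x_{15}^{(r)}, x_{12}^{(r)}, x_{13}^{(r)}, x_{14}^{(r)})$
- output 512-bit keystream block: $Z = X^{(0)} + X^{(R)}$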
Preliminaries (2/7)
The quarterround function (Salsa Core Function)
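vector $(x_a^{(r)}, x_b^{(r)}, x_c^{(r)}, x_d^{(r)})$ is updated as below:

$$
\begin{aligned}
x_b^{(r+1)} &= \big((x_a^{(r)} + x_d^{(r)}) \lll 7\big) \oplus x_b^{(r)}, \\
x_c^{(r+1)} &= \big((x_b^{(r+1)} + x_a^{(r)}) \lll 9\big) \oplus x_c^{(r)}, \\
x_d^{(r+1)} &= \big((x_c^{(r+1)} + x_b^{(r+1)}) \lll 13\big) \oplus x_d^{(r)}, \\
x_a^{(r+1)} &= \big((x_d^{(r+1)} + x_c^{(r+1)}) \lll 18\big) \oplus x_a^{(r)}.
\end{aligned}
$$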
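
The round structure above as an added Python example (not code from the slides or the paper): the quarterround equations, the column/row index orderings, and the feedforward $Z = X^{(0)} + X^{(R)}$. The function names and the default of 20 rounds are assumptions made here; the sample state is constructed.

```python
MASK = 0xFFFFFFFF  # all arithmetic is on 32-bit words

def rotl(v, n):
    """Rotate a 32-bit word left by n bits (the <<< operator)."""
    return ((v << n) | (v >> (32 - n))) & MASK

def quarterround(a, b, c, d):
    """One quarterround on (x_a, x_b, x_c, x_d); each line uses the
    words already updated above it, exactly as in the equations."""
    b ^= rotl((a + d) & MASK, 7)
    c ^= rotl((b + a) & MASK, 9)
    d ^= rotl((c + b) & MASK, 13)
    a ^= rotl((d + c) & MASK, 18)
    return a, b, c, d

# Index order (a, b, c, d) of the four quarterround inputs per round type.
COLUMNS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)]
ROWS = [(0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def apply_round(x, index_sets):
    """Apply quarterround to each index tuple; the tuples are disjoint."""
    y = list(x)
    for idx in index_sets:
        out = quarterround(*(x[i] for i in idx))
        for i, v in zip(idx, out):
            y[i] = v
    return y

def columnround(x):
    return apply_round(x, COLUMNS)

def rowround(x):
    return apply_round(x, ROWS)

def salsa_core(x0, rounds=20):
    """Odd rounds are columnrounds, even rounds are rowrounds, then the
    word-wise feedforward Z = X^(0) + X^(R). rounds=20 is an assumption."""
    x = list(x0)
    for r in range(1, rounds + 1):
        x = columnround(x) if r % 2 == 1 else rowround(x)
    return [(a + b) & MASK for a, b in zip(x0, x)]

if __name__ == "__main__":
    state = [1, 0, 0, 0] * 4  # constructed sample state: one set bit per row
    for name, fn in (("columnround", columnround), ("rowround", rowround)):
        print(name, " ".join(f"{w:08x}" for w in fn(state)))
```
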