The Salsa20 Family of Stream Ciphers

DOI: 10.1007/978-3-540-68351-3_8

ABSTRACT Salsa20 is a family of 256-bit stream ciphers designed in 2005 and submitted to eSTREAM, the ECRYPT Stream Cipher Project.
Salsa20 has progressed to the third round of eSTREAM without any changes. The 20-round stream cipher Salsa20/20 is consistently
faster than AES and is recommended by the designer for typical cryptographic applications. The reduced-round ciphers Salsa20/12
and Salsa20/8 are among the fastest 256-bit stream ciphers available and are recommended for applications where speed is more
important than confidence. The fastest known attacks use ≈ 2^153 simple operations against Salsa20/7, ≈ 2^249 simple operations against Salsa20/8, and ≈ 2^255 simple operations against Salsa20/9, Salsa20/10, etc. In this paper, the Salsa20 designer presents Salsa20 and discusses
the decisions made in the Salsa20 design.
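The abstract names Salsa20/20, Salsa20/12 and Salsa20/8 (and the odd-round Salsa20/7 and Salsa20/9 of the attack bounds) as one family differing only in round count. The following is an added example written for this page, not the designer's reference code: a Salsa20/r core and keystream generator in which the round count is a parameter, so the same code produces every member of the family. The structure (quarterround, rowround, columnround, feed-forward, the "expand 32-byte k" constant and the 256-bit key/64-bit nonce/64-bit counter layout) follows the public Salsa20 specification; the choice to alternate columnround and rowround starting with a columnround, so that an odd r ends on a columnround, is the convention assumed here. The key, nonce and message in the demo are constructed test values.

```python
"""
Salsa20/r core and keystream generator with a configurable round count.

Added illustration for this page; not the designer's reference code.  The
structure follows the public Salsa20 specification.  Rounds alternate
columnround and rowround starting with a columnround (assumed convention), so
an odd r such as Salsa20/7 ends on a columnround.
"""
import struct

MASK32 = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"   # Salsa20 constant for 256-bit keys


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def quarterround(y0, y1, y2, y3):
    """Four add-rotate-xor steps; the only non-linear element of Salsa20."""
    z1 = y1 ^ rotl32((y0 + y3) & MASK32, 7)
    z2 = y2 ^ rotl32((z1 + y0) & MASK32, 9)
    z3 = y3 ^ rotl32((z2 + z1) & MASK32, 13)
    z0 = y0 ^ rotl32((z3 + z2) & MASK32, 18)
    return z0, z1, z2, z3


def rowround(y):
    """Apply quarterround to each row of the 4x4 word matrix, rotated per row."""
    z = list(y)
    z[0], z[1], z[2], z[3] = quarterround(y[0], y[1], y[2], y[3])
    z[5], z[6], z[7], z[4] = quarterround(y[5], y[6], y[7], y[4])
    z[10], z[11], z[8], z[9] = quarterround(y[10], y[11], y[8], y[9])
    z[15], z[12], z[13], z[14] = quarterround(y[15], y[12], y[13], y[14])
    return z


def columnround(x):
    """Apply quarterround to each column (the transpose of rowround)."""
    y = list(x)
    y[0], y[4], y[8], y[12] = quarterround(x[0], x[4], x[8], x[12])
    y[5], y[9], y[13], y[1] = quarterround(x[5], x[9], x[13], x[1])
    y[10], y[14], y[2], y[6] = quarterround(x[10], x[14], x[2], x[6])
    y[15], y[3], y[7], y[11] = quarterround(x[15], x[3], x[7], x[11])
    return y


def salsa20_core(block, rounds=20):
    """Salsa20/r hash: r alternating column/row rounds, then add the input back."""
    if len(block) != 64 or rounds < 1:
        raise ValueError("need a 64-byte block and at least one round")
    x = list(struct.unpack("<16I", block))
    z = x
    for i in range(rounds):
        z = columnround(z) if i % 2 == 0 else rowround(z)
    # Feed-forward: the rounds alone are a permutation of the state; adding the
    # input back is what makes the hash non-invertible.
    return struct.pack("<16I", *((a + b) & MASK32 for a, b in zip(x, z)))


def salsa20_block(key, nonce, counter, rounds=20):
    """One 64-byte keystream block for a 32-byte key, 8-byte nonce, 64-bit counter."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 takes a 32-byte key and an 8-byte nonce")
    state = (SIGMA[0:4] + key[:16] + SIGMA[4:8] + nonce
             + struct.pack("<Q", counter) + SIGMA[8:12] + key[16:] + SIGMA[12:16])
    return salsa20_core(state, rounds)


def salsa20_xor(key, nonce, data, rounds=20):
    """Encrypt or decrypt (same operation) by XORing with the Salsa20/r keystream."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 64)):
        ks = salsa20_block(key, nonce, ctr, rounds)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample values; the key and nonce are arbitrary test bytes.
    key = bytes(range(32))
    nonce = bytes(range(8))
    msg = b"Salsa20/20, Salsa20/12 and Salsa20/8 share one core." * 3
    for r in (8, 12, 20):
        ct = salsa20_xor(key, nonce, msg, rounds=r)
        assert salsa20_xor(key, nonce, ct, rounds=r) == msg
        print(f"Salsa20/{r}: keystream block 0 starts {salsa20_block(key, nonce, 0, r)[:8].hex()}")
```

The quarterround, rowround and columnround functions can be checked against the vectors in the Salsa20 specification (for instance quarterround(1, 0, 0, 0) = (0x08008145, 0x00000080, 0x00010200, 0x20500000)); the round count only changes how many column/row rounds run before the feed-forward, which is why the three recommended variants differ in speed and margin but not in key, nonce or block format.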

  • ABSTRACT: Data Warehouses (DWs) are the core of enterprise sensitive data, which makes protecting confidentiality in DWs a critical task. Published research and best practice guides state that encryption is the best way to achieve this and maintain high performance. However, although encryption algorithms strongly fulfill their security purpose, we demonstrate that they introduce massive storage space and response time overheads, which mostly result in unacceptable security-performance tradeoffs, compromising their feasibility in DW environments. In this paper, we enumerate state-of-the-art data masking and encryption solutions and discuss the issues involving their use from a data warehousing perspective. Experimental evaluations using the TPC-H decision support benchmark and a real-world sales DW support our remarks, implemented in Oracle 11g and Microsoft SQL Server 2008. We conclude that the development of alternate solutions specifically tailored for DWs that are able to balance security with performance still remains a challenge and an open research issue.
    DAWAK 2012 - Int. Conference on Data Warehousing and Knowledge Discovery; 09/2012
  • ABSTRACT: Stream cipher ZUC is the core component in the 3GPP confidentiality and integrity algorithms 128-EEA3 and 128-EIA3. In this paper, we present the details of our differential attacks against ZUC 1.4. The vulnerability in ZUC 1.4 is due to the non-injective property in the initialization, which results in the difference in the initialization vector being cancelled. In the first attack, a difference is injected into the first byte of the initialization vector, and one out of 2^15.4 random keys results in two identical keystreams after testing 2^13.3 IV pairs for each key. The identical keystreams pose a serious threat to the use of ZUC 1.4 in applications since it is similar to reusing a key in a one-time pad. Once identical keystreams are detected, the key can be recovered with average complexity 2^99.4. In the second attack, a difference is injected into the second byte of the initialization vector, and every key can result in two identical keystreams with about 2^54 IVs. Once identical keystreams are detected, the key can be recovered with complexity 2^67. We have presented a method to fix the flaw by updating the LFSR in an injective way in the initialization. Our suggested method is used in the later versions of ZUC. The latest ZUC 1.6 is secure against our attacks.
    Proceedings of the 18th International Conference on the Theory and Application of Cryptology and Information Security; 12/2012
  • IACR Cryptology ePrint Archive. 01/2009; 2009:538.