Re-rolled Salsa20 function - sci.crypt

Message from discussion Re-rolled Salsa20 function

David Wagner

View profile

More options Sep 26 2005, 5:44 am

Newsgroups: sci.crypt

From: d...@taverner.cs.berkeley.edu (David Wagner)

Date: Mon, 26 Sep 2005 09:44:44 +0000 (UTC)

Local: Mon, Sep 26 2005 5:44 am

Subject: Re: Re-rolled Salsa20 function

  Reply to author
  |
  Forward
  | Print
  | View thread
  | Show original
  | Report this message
  | Find messages by this author
  

Paul Rubin wrote:
> for (i = 20; i > 0; i -= 2) {
> for (r=0; r<4; r++)
> for (c=0; c<4; c++)
> XX(r+c+1,r) ^= R(XX(r+c,r) + XX(r+c+3, r), z[c]);

> for (r=0; r<4; r++)
> for (c=0; c<4; c++)
> XX(r,r+c+1) ^= R(XX(r,r+c) + XX(r,r+c+3), z[c]);
> }

>Notice how the second half of each double round is the same as the
>first half, except the coordinates are swapped.

Interesting. It sounds like we can view each pair of double-rounds
as a single-round, followed by a 'matrix transpose', followed by another
single-round (the same as the first), followed by another matrix
transpose. In other words, we can equivalently view it as 20 iterations
of single-round + transpose, like this:
for (i = 20; i > 0; i--) {
for (r=0; r<4; r++)
for (c=0; c<4; c++)
XX(r+c+1,r) ^= R(XX(r+c,r) + XX(r+c+3, r), z[c]);

XX = transpose(XX);
}
where transpose(XX)(i,j) = XX(j,i). Does this sound right?

If this is right, then I notice that there doesn't seem to be any
round-dependence: all 20 rounds compute the same function. Don't we
have to worry about slide attacks? Has there been any analysis of
security against such attacks? The salsa20 security analysis claims
that slide differentials are hopeless, with no justification; I do
not understand where that statement comes from.

For instance, suppose that U[] is one input, and V[] is another input
derived by applying a single round and transpose to U[]. Compute UU =
salsa20(U) and VV = salsa20(V). Then we'd expect to find the relation
that VV-V is the result of applying a single round and transpose to UU-U.
This is a relationship that a random oracle wouldn't have. It's not
clear to me whether the salsa20 encryption algorithm allows inputs of
this form to be found; I don't see any obvious way to do it.

As another example, suppose that X is such that every word of X is the
value 0x80..0 (i.e., 1<<31). Then we find that a single round leaves
X unchanged. The same is true for the transpose. Thus salsa20(X) = X.
This is an extension of an example shown in the salsa20 spec, which
notes that salsa20(all-zeros) = all-zeros. I think these are the only
two trivial fix-points of this form. I note that the salsa20 encryption
algorithm doesn't allow inputs to be of this form.

Similarly, there is a differential characteristic of probability one for
salsa20: if dX = X ^ X' = (every word is 1<<31), and dY = salsa20(X) ^
salsa20(X') = dX with probability 1. The salsa20 encryption algorithm
doesn't allow inputs compliant with this differential characteristic.

This all makes clear that the salsa20 hash should not be used as a
general-purpose hash function, but it might be perfectly suitable for
its intended use in the salsa20 encryption algorithm (which is all that
has ever been claimed about the salsa20 hash, of course).

Reply to author Forward