Learn More
The stream cipher Salsa20 was introduced by Bernstein in 2005 as a candidate in the eSTREAM project, accompanied by the reduced versions Salsa20/8 and Salsa20/12. ChaCha is a variant of Salsa20 aiming at bringing better diffusion for similar performance. Variants of Salsa20 with up to 7 rounds (instead of 20) have been broken by differential cryptanalysis,(More)
A recent framework for chosen IV statistical distinguishing analysis of stream ciphers is exploited and formalized to provide new methods for key recovery attacks. As an application, a key recovery attack on simplified versions of two eSTREAM Phase 3 candidates is given: For Grain-128 with IV initialization reduced to up to 180 of its 256 iterations, and(More)
In this paper, we present some reduced complexity attacks on the Alternating Step Generator (ASG). The attacks are based on a quite general framework and mostly benefit from the low sampling resistance of the ASG, and of an abnormal behavior related to the distribution of the initial states of the stop/go LFSR's which produce a given segment of the output(More)
ABC is a synchronous stream proposed as a candidate to ECRYPT Project. ABC gets a 128-bit key and a 128-bit IV and produces 1195 bits as the internal state of the cipher. Using some statistical simulations we show that one of the ABC components, a key-IV dependent function over GF(2 32) called C which is chosen randomly from a family of functions, is(More)
In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on lineariza-tion of compression functions in order to find low weight differential characteristics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a(More)
We construct a provably secure mix-net from any CCA2 secure cryp-tosystem. The mix-net is secure against active adversaries that statically corrupt less than λ out of k mix-servers, where λ is a threshold parameter, and it is robust provided that at most min(λ − 1, k − λ) mix-servers are corrupted. The main component of our construction is a mix-net that(More)