Improved key recovery attacks on reduced-round Salsa20
Designs, Codes and Cryptography (IF 1.4), Pub Date: 2024-11-09, DOI: 10.1007/s10623-024-01522-7
Sabyasachi Dey, Gregor Leander, Nitin Kumar Sharma

In this paper, we present an improved attack on the stream cipher Salsa20. Our improvements are based on two technical contributions. First, we make use of a distribution of a linear combination of several random variables that are derived from different differentials and explain how to exploit this in order to improve the attack complexity. Secondly, we study and exploit how to choose the actual value for so-called probabilistic neutral bits optimally. Because of the limited influence of these key bits on the computation, in the usual attack approach, these are fixed to a constant value, often zero for simplicity. As we will show, despite the fact that their influence is limited, the constant can be chosen in significantly better ways, and intriguingly, zero is the worst choice. Using this, we propose the first-ever attack on 7.5-round of the 128-bit key version of Salsa20. Also, we provide improvements in the attack against the 8-round of the 256-bit key version of Salsa20 and the 7-round of the 128-bit key version of Salsa20.




Updated: 2024-11-09