The Salsa20 cipher core is reversible, so it almost looks like a weird block cipher running in counter mode to yield a stream cipher. It takes 128 bits of plaintext (the nonce and block counter) and yields 512 bits of ciphertext.
(Exercise: implement Salsa20 "decryption" by reversing its steps.)
Unfortunately, running the Salsa20 core backwards from the 512-bit ciphertext can be done without knowing the key. And doing so yields not just the plaintext but also the key.
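The exercise above, worked in Python as an added example (not code from the original post): it inverts the 20-round Salsa20 permutation and reads the key, nonce and counter out of the recovered state without any secret input. The function names and the constructed key and nonce are assumptions of this example; `block_words` models the full Salsa20 block function from the Salsa20 specification, which adds the input words to the permuted words, so the round inversion alone no longer recovers the state from that output.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
# Word indices for each quarter-round: four columns, then four rows.
QUARTERS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
            (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def initial_state(key, nonce, counter):
    """Lay out constants, 256-bit key, 64-bit nonce, 64-bit counter as 16 words."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    ctr = (counter & MASK, counter >> 32)
    return [SIGMA[0], *k[:4], SIGMA[1], *n, *ctr, SIGMA[2], *k[4:], SIGMA[3]]

def permute(state, rounds=20):
    x = list(state)
    for _ in range(rounds // 2):
        for a, b, c, d in QUARTERS:
            x[b] ^= rotl((x[a] + x[d]) & MASK, 7)
            x[c] ^= rotl((x[b] + x[a]) & MASK, 9)
            x[d] ^= rotl((x[c] + x[b]) & MASK, 13)
            x[a] ^= rotl((x[d] + x[c]) & MASK, 18)
    return x

def unpermute(state, rounds=20):
    """Undo permute(): same XORs, quarter-rounds and steps in reverse order."""
    x = list(state)
    for _ in range(rounds // 2):
        for a, b, c, d in reversed(QUARTERS):
            x[a] ^= rotl((x[d] + x[c]) & MASK, 18)
            x[d] ^= rotl((x[c] + x[b]) & MASK, 13)
            x[c] ^= rotl((x[b] + x[a]) & MASK, 9)
            x[b] ^= rotl((x[a] + x[d]) & MASK, 7)
    return x

def recover_inputs(permuted):
    """No key needed: the recovered state holds key, nonce and counter."""
    x = unpermute(permuted)
    key = struct.pack("<8I", *x[1:5], *x[11:15])
    return key, struct.pack("<2I", x[6], x[7]), x[8] | (x[9] << 32)

def block_words(state):
    """Full block function: input words added to the permuted words."""
    return [(s + p) & MASK for s, p in zip(state, permute(state))]

if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(range(100, 108))  # constructed values
    print(recover_inputs(permute(initial_state(key, nonce, 7))) == (key, nonce, 7))
```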