Salsa and ChaCha are two of the most famous stream ciphers in recent times. Most of the attacks available so far against these two ciphers are differential attacks, where a difference is given as an input in the initial state of the cipher and in the output some correlation is investigated. This correlation works as a distinguisher. All the key recovery attacks against these ciphers are based on these observed distinguishers. However, the distinguisher in the differential attack was purely an experimental observation, and the reason for this bias was unknown so far. In this paper, we provide a full theoretical proof of both the observed distinguishers for Salsa and ChaCha. In the key recovery attack, the idea of probabilistically neutral bit also plays a vital role. Here, we also theoretically explain the reason of a particular key bit of Salsa to be probabilistically neutral. This is the first attempt to provide a theoretical justification of the idea of differential key recovery attack against these two ciphers.

中文翻译：

---

证明Salsa和ChaCha在差分攻击中的偏差

Salsa 和 ChaCha 是最近两个最著名的流密码。迄今为止，针对这两种密码的大多数攻击都是差分攻击，其中在密码的初始状态中将差异作为输入给出，并在输出中研究一些相关性。这种相关性用作区分符。针对这些密码的所有密钥恢复攻击都基于这些观察到的区分符。然而，差分攻击中的区分器纯粹是一个实验观察，导致这种偏差的原因目前尚不清楚。在本文中，我们提供了观察到的 Salsa 和 ChaCha 区分符的完整理论证明。在密钥恢复攻击中，概率中性位的思想也起着至关重要的作用。这里，我们还从理论上解释了 Salsa 的特定关键位在概率上是中性的原因。这是第一次尝试为针对这两种密码的差分密钥恢复攻击的想法提供理论依据。