Cube attack on stream cipher E0: revisited
Article, International Journal of Information Technology (Singapore), 2022, DOI Link
To investigate the cube attack in the context of wireless networks, Nikolaos Petrakos modeled the E0 encryption function and implemented a cube attack on E0 by performing linear testing, which resulted in a computational cost of $2^{21.1}$ operations. The output of the LFSRs yielded 12 superpolys, or linear coefficients, in the unknown variables x5, x6, x7, x8, x9, x10, x11, x12. In this way, 8 of the 16 variables are computed. In this paper, we use Nikolaos Petrakos's model of the E0 encryption function and implement the cube attack on E0 by performing quadraticity testing. The output of the LFSRs yielded 23 superpolys, or quadratic coefficients, in the unknown variables x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15, x16. Finally, we were able to compute all 16 variables with the same time complexity of $2^{21.1}$.
Improved related-cipher attack on Salsa and ChaCha: revisited
Article, International Journal of Information Technology (Singapore), 2022, DOI Link
Lin Ding presented an improved related-cipher attack (IRCA) on 256-bit key Salsa20, considering the same secret key with two separate IVs used in Salsa20/12 and Salsa20/8, and recovered the secret key with time complexity $2^{193.58}$. Ding also presented an algorithm to find the unknown key words based on exhaustive search for 256-bit Salsa20. In this paper, similar to Lin Ding, IRCA is applied to 128-bit key Salsa20 by considering the same secret key with one IV used in Salsa20/12 and Salsa20/10, and the secret key is recovered with time complexity $2^{96}$. To achieve this, one forward round from $(R10(m))$ to $(R11(m))$ and one reverse round from $(R12(m))^{-1}$ to $(R11(m))^{-1}$ are applied. The same idea is used to find the unknown key words based on exhaustive search for 128-bit key Salsa20. Similarly, IRCA is applied to 256-bit key ChaCha by considering the same secret key with two separate IVs used in ChaCha4 and ChaCha8, and the secret key is recovered with time complexity $2^{225}$. To achieve this, two forward rounds from $(R4(m))$ to $(R6(m))$ and two reverse rounds from $(R8(m))^{-1}$ to $(R6(m))^{-1}$ are applied. The same idea is used to find the unknown key words based on exhaustive search for 256-bit key ChaCha.
Cryptanalysis for reduced round Salsa and ChaCha: Revisited
Article, IET Information Security, 2019, DOI Link
Maitra et al. (WCC-2015) proposed the characterisation of valid states by reversing one round of Salsa20. When revisited, a mistake was found in the one-bit change of the eighth and ninth words while reversing one round to obtain a valid initial state. It was mentioned in WCC-2015 that it would be an interesting combinatorial problem to characterise all such states. Thus, nine more values were characterised, leading to valid initial states. Aumasson et al. (FSE-2008) attacked 128-bit key Salsa20/7 with $2^{111}$ time and ChaCha6 with $2^{107}$ time. In this study, the attack was improved on 128-bit key Salsa20/7 with $2^{107}$ time and ChaCha6 with $2^{102}$ time. Maitra (DAM-2016) improved the attack on 256-bit key Salsa20/8 and ChaCha7 by choosing the proper initialisation vectors. In congruence with this, 128-bit key Salsa20/7 was attacked with $2^{104}$ time and ChaCha6 with $2^{101}$ time. Choudhuri and Maitra (FSE 2017) developed theoretical results on differential-linear cryptanalysis and thus improved the biases on Salsa/ChaCha. The theoretical work has been extended with triple bits from round m − 1 to one bit in round m of Salsa, with the linear approximation holding with probability 1. Considering linear approximations that hold with probability <1, a linear approximation for three rounds, from m to m + 3, was exhibited for Salsa and ChaCha.
Cryptanalysis of salsa and ChaCha: Revisited
Conference paper, Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST, 2018, DOI Link
A stream cipher is one of the basic cryptographic primitives that provide confidentiality of communication over an insecure channel. The EU ECRYPT network organized a project for identifying new stream ciphers suitable for widespread adoption, where the ciphers can provide more security levels. The project identified new stream ciphers, referred to as eSTREAM. Salsa20 is one of the eSTREAM ciphers and is built on a pseudorandom function. In this paper our contribution has two phases. The first phase has two parts. In WCC 2015, Maitra et al. [9] explained the characterization of valid states by reversing one round of Salsa20. In the first part, we have revisited the Maitra et al. [9] characterization of valid states by reversing one round of Salsa20. We found there is a mistake in that a one-bit change in the 8th and 9th words in the first round will result in a valid initial state. In the second part, Maitra et al. [9] mentioned that it would be an interesting combinatorial problem to characterize all such states. We have characterized nine more values which lead to valid initial states. The combinations (s4, s7), (s2, s3), (s13, s14), (s1, s6), (s1, s11), (s1, s12), (s6, s11), (s6, s12) and (s11, s12) are characterized as valid states. In the second phase, in FSE 2008, Aumasson et al. [1] attacked 128-bit key Salsa20/7 within $2^{111}$ time and ChaCha6 within $2^{107}$ time. To the best of our knowledge, there has been no improvement on this attack since then. In this paper we have attacked 128-bit key Salsa20/7 within $2^{107}$ time and ChaCha6 within $2^{102}$ time. Maitra [8] improved the attack on Salsa20/8 and ChaCha7 by choosing proper IVs corresponding to the 256-bit key. Applying the same concept, we have attacked 128-bit key Salsa20/7 within time $2^{104}$ and ChaCha7 within time $2^{101}$.