D. J. Bernstein
Hash functions and ciphers
The Rumba20 compression function
The Rumba20 compression function maps a 192-byte (1536-bit) string
to a 64-byte (512-bit) string.
Rumba20 is designed to provide collision resistance at high speed.
Rumba20 reuses large components of the successful
Salsa20 stream cipher.
Implementors can reuse their Salsa20 speedups to save time in Rumba20,
and cryptanalysts can reuse some of their Salsa20 analysis to get a head start in analyzing Rumba20.
The following papers define Rumba20,
and present the best attack currently known against Rumba20:
The attack has price-performance ratio on the scale of 2^256
when the attacker has fewer than 2^85 processors;
price-performance ratio on the scale of 2^171
when the attacker has more than 2^114 processors;
and intermediate price-performance ratios for intermediate numbers of processors.
The attack obviously will not be carried out in the foreseeable future,
and would have to be dramatically improved before it becomes a threat.
D. J. Bernstein.
What output size resists collisions in a xor of independent expansions?
Document ID: dee774697b66f19a00071db1b0666cab.
D. J. Bernstein.
Better price-performance ratios for generalized birthday attacks.
Document ID: 7cf298bebf853705133a84bea84d4a07.
I've also given a talk on the same topic:
Rumba20 is not designed to provide
unpredictability, truncated collision resistance, etc.
These features must be provided by an appropriate output filter.
Rumba20's goal is to efficiently compress a long input
so that only a small amount of data has to be handled by the output filter.
Reduced-round Rumba20 variants
Rumba20 has 20 rounds, just like the full Salsa20/20.
This is many more rounds than I know how to break;
I'm a fan of confidence in cipher design,
so I recommend the full 20 rounds.
However, I presume that
users who need higher speed, and who don't care so much about confidence,
will consider reduced-round versions of Rumba20:
12-round Rumba12, for example, and 8-round Rumba8.
Note that the naming convention for reduced-round versions of Rumba20
differs from the naming convention for reduced-round versions of Salsa20:
Rumba8 corresponds to Salsa20/8,
for example, and
Rumba12 corresponds to Salsa20/12.
At the end of 2007,
I will award a $1000 prize
for the public Rumba20 cryptanalysis that I consider most interesting.
I won't make any promises regarding what I'll find interesting,
but here are some guidelines:
Cryptanalysts are also encouraged to consider variants of Rumba20,
for example replacing Salsa20 with ChaCha.
- Finding reduced-round collisions is the obvious way to start.
- Handling more rounds wins bonus points.
- Better price-performance ratio for a collision wins bonus points.
- Early publication wins bonus points. Don't hold back!
- New ideas win bonus points.
Yesterday I awarded the prize to
for the paper "New features of Latin dances: Analysis of Salsa, ChaCha, and Rumba."
of the 2007.12.18 version of the paper,
as posted on IACR's Cryptology ePrint Archive.