Non-randomness in eSTREAM Candidates Salsa20 and TSC-4.
S. Fischer, W. Meier, C. Berbain, J.-F. Biasse, and M. Robshaw.

Stream cipher initialisation should ensure that the initial state or keystream is not detectably related to the key and initialisation vector. In this paper we analyse the key/IV setup of the eSTREAM Phase 2 candidates Salsa20 and TSC-4. In the case of Salsa20 we demonstrate a key recovery attack on six rounds and observe non-randomness after seven. For TSC-4, non-randomness over the full eight-round initialisation phase is detected, but would also persist for more rounds.