Non-randomness in eSTREAM Candidates Salsa20 and TSC-4.
S. Fischer, W. Meier, C. Berbain, J.-F. Biasse, and M. Robshaw.
Abstract:

Stream cipher initialisation should ensure that the initial state or keystream is not detectably related to the key and initialisation vector. In this paper we analyse the key/IV setup of the eSTREAM Phase 2 candidates Salsa20 and TSC-4. In the case of Salsa20 we demonstrate a key recovery attack on six rounds and observe non-randomness after seven. For TSC-4, non-randomness over the full eight-round initialisation phase is detected, but would also persist for more rounds.