A new distinguishing attack on reduced round ChaCha permutation

This work concentrates on differential-linear distinguishing attacks on the prominent ARX-based permutation ChaCha. Here, we significantly improve the 7-round differential-linear distinguisher for the ChaCha permutation by introducing a new path of linear approximation. We first introduce a new single-bit differential distinguisher for the 3.5th round of the permutation that assists us in inventing a new path for the differential-linear distinguisher. We show that one can distinguish a 7-round ChaCha permutation with time complexity 2^207. This improves the recent work of Coutinho et al. (in: Advances in Cryptology—ASIACRYPT 2022—28th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, December 5–9, 2012, Springer, 2022), which achieved time complexity 2^214. We also propose a distinguisher for 7.25 rounds of the ChaCha permutation; this is the first distinguishing attack on more than 7 rounds of the ChaCha permutation. We provide theoretical proofs and the corresponding experimental results for the linear approximations that we use for the differential-linear distinguisher. We point out that the existing multibit distinguishing attacks on the cipher ChaCha are invalid: these attacks work only for the ChaCha permutation.


Notations.
Here, we introduce some notations that we use throughout the paper.
• ⊞ denotes addition modulo 2^32, ⊕ denotes the XOR operation, and x ≪ y denotes the left rotation of the word x by y bits.
• S^r denotes the 4 × 4 state matrix after r rounds, and S^r_i for i ∈ {0, 1, ..., 15} are the 32-bit entries (words) of the state matrix.
• S^r_i[j] denotes the jth bit of the ith word of the state matrix after r rounds.
• By S^r_i[j_1, j_2, ..., j_n] we mean the XOR of the bits S^r_i[j_1], S^r_i[j_2], ..., S^r_i[j_n], i.e., S^r_i[j_1, j_2, ..., j_n] = S^r_i[j_1] ⊕ S^r_i[j_2] ⊕ ... ⊕ S^r_i[j_n].
• (i, j) denotes the jth bit of the ith word.
• For two state matrices S and S′, the differential state matrix is denoted by ΔS = S ⊕ S′.
• |ΔS| denotes the Hamming weight of the differential state matrix ΔS.

Design of ChaCha
In this section, we discuss the design of the well-known stream cipher ChaCha.
The state of ChaCha consists of 16 words, represented as a 4 × 4 matrix. Each word is 32 bits, so the state size is 512 bits. The state matrix of ChaCha is initialized with four constant words c_0 = 0x61707865, c_1 = 0x3320646e, c_2 = 0x79622d32, c_3 = 0x6b206574 in the first row, eight key words k_0, k_1, ..., k_7 in the second and third rows, and one counter t_0 and three nonces v_0, v_1, v_2 in the fourth row. We treat the nonces and the counter as IVs. The initial state matrix (S^0) is given in the following.
S^0 =
  c_0  c_1  c_2  c_3
  k_0  k_1  k_2  k_3
  k_4  k_5  k_6  k_7
  t_0  v_0  v_1  v_2
The state matrix of ChaCha is updated using the quarter-round function (QRF), which operates on a 4-tuple (S^r_a, S^r_b, S^r_c, S^r_d) in the following manner. The diagram of the quarter-round function (QRF) is presented in Fig. 1. The round function of ChaCha consists of four simultaneous applications of the QRF. The QRF operates on the four words of each column of the state matrix in odd rounds and on the four words of each diagonal of the state matrix in even rounds. So, in an odd round (column round), the QRF is applied to (S_a, S_b, S_c, S_d) for (a, b, c, d) ∈ {(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)}, and in an even round (diagonal round), the QRF is applied to (S_a, S_b, S_c, S_d) for (a, b, c, d) ∈ {(0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)} to update the state matrix of the cipher.
In this work, we call the first part of the QRF operation, which updates (S^r_a, S^r_b, S^r_c, S^r_d) to (S ) of the state matrix, the 0.25 round update of the cipher; we discuss it in detail in the "Distinguisher for 7.25 rounds ChaCha permutation" section. The state matrix of ChaCha after r rounds is denoted by S^r, which is given in the following.
The key stream of the stream cipher ChaCha is generated as Z = S^0 ⊞ S^R, where S^R denotes the updated state of the cipher after R rounds, i.e., the output of the R-round ChaCha permutation. From the QRF of the cipher, it is clear that if one knows the 4-tuple (S^{r+1}_a, S^{r+1}_b, S^{r+1}_c, S^{r+1}_d), then one can recover the 4-tuple (S^r_a, S^r_b, S^r_c, S^r_d). So the QRF is invertible, and hence the round function of the cipher is invertible. For a more explicit discussion of the structure of ChaCha, we refer to Ref. 4.

Differential-linear attack scenario
In this section, we review the two significant cryptanalysis techniques and their consequences. The two main statistical cryptanalysis techniques for symmetric key primitives are differential cryptanalysis and linear cryptanalysis.
At Crypto 1990 28, Biham and Shamir proposed the idea of differential cryptanalysis for the security analysis of DES-like ciphers. Later this concept was used for the security analysis of various types of symmetric key ciphers. In a differential attack, the attacker's target is to identify an input difference that produces a fixed output difference with high probability. For that, the attacker generates many plaintext pairs with a fixed difference and then checks, using an encryption oracle, whether the corresponding ciphertexts have a fixed difference with high probability. If one can track the relationship between input differences and the corresponding output differences with high probability for r rounds of the cipher, then we say that the cipher is distinguishable up to r rounds. Further, such a high-probability distinguisher helps to recover the secret key.
In 1993, Matsui 29 introduced the notion of linear cryptanalysis and applied this technique to attack the DES block cipher. The main idea of this attack is to find linear approximations across the rounds of the cipher that hold with high probability. Then the attacker tries to obtain the secret key using known plaintext-ciphertext pairs and the high-probability linear approximation.
In the following, we discuss how to combine the differential attack and the linear attack for further improvement of the attack.
Differential-linear attack. In the paper 30, Langford and Hellman proposed the idea of the differential-linear attack. Here we discuss their idea. In their setting, the cipher E is divided into two parts, E_1 and E_2, i.e., E = E_2 ∘ E_1. The first part, E_1, corresponds to the differential distinguisher and the second part, E_2, corresponds to the linear distinguisher. Suppose E_1 consists of r_1 rounds of the cipher, on which an r_1-round differential distinguisher is constructed, and the next part E_2 consists of r_2 rounds, on which an r_2-round linear distinguisher is constructed. Combining both distinguishers gives an (r_1 + r_2)-round differential-linear distinguisher.
At Crypto 2020 22, Beierle et al. modified the classical setting of the differential-linear attack by dividing the cipher into three parts, E = E_2 ∘ E_m ∘ E_1, where the first part (E_1) and the middle part (E_m) correspond to the differential attack and the last part (E_2) corresponds to the linear attack. Here E_1 and E_m consist of r_1 and r_m rounds of the cipher, respectively, on which an (r_1 + r_m)-round differential distinguisher is constructed, and the next part E_2 consists of r_2 rounds, on which an r_2-round linear distinguisher is constructed. The combination of these distinguishers provides an (r_1 + r_m + r_2)-round differential-linear distinguisher.
Complexity analysis for distinguisher. Here, we explain how to calculate the complexity of the differential-linear attack. We start with two initial states of the cipher, S^0 and S′^0, where ΔS^0 = S^0 ⊕ S′^0 is the input difference. Then, for the two state matrices S^r and S′^r after r rounds of the cipher, we consider the differential state matrix ΔS^r = S^r ⊕ S′^r. The entries of the differential state matrix ΔS^r are denoted by ΔS^r_i, where ΔS^r_i = S^r_i ⊕ S′^r_i and S^r_i, S′^r_i are the entries of the state matrices S^r and S′^r respectively. Consider the jth bits S^r_i[j] and S′^r_i[j] of the words S^r_i and S′^r_i respectively. The differential of the jth bit is defined by ΔS^r_i[j] = S^r_i[j] ⊕ S′^r_i[j]. We denote a linear combination of the bits of the states S^r and S′^r by σ and σ′ respectively, where σ = ⊕_{i,j} S^r_i[j] and σ′ = ⊕_{i,j} S′^r_i[j] over the same set of bit positions. The linear combination of the differentials of the bits is defined by Δσ = σ ⊕ σ′ = ⊕_{i,j} ΔS^r_i[j]. For the input difference ΔS^0, let the r-round differential distinguisher with differential correlation ǫ_d hold with probability Pr(Δσ = 0) = 1/2(1 + ǫ_d). Now we extend this r-round differential distinguisher by a few more rounds, i.e., to R (> r) rounds, using the idea of linear cryptanalysis. For this, we find linear approximations between the states S^r and S^R of the cipher; the same linear approximation holds between the states S′^r and S′^R. Let the linear combinations of the bits of the states S^R and S′^R be denoted by ρ and ρ′ respectively, defined similarly as above. Suppose the linear approximation between the states S^r and S^R holds with probability 1/2(1 + ǫ_l), where ǫ_l is the linear correlation, and the same linear approximation holds between the states S′^r and S′^R. The differential-linear attack scenario is shown in Fig. 2.
We aim to compute the differential-linear correlation of the R-round differential-linear attack. We denote the differential-linear correlation by ǫ. For this, we have to find the probability of the event Δρ = 0 given the input difference ΔS^0. So, for the differential-linear correlation ǫ, the probability of the event Δρ = 0 is Pr(Δρ = 0) = 1/2(1 + ǫ). In the following, we compute the correlation ǫ in terms of the differential correlation ǫ_d and the linear correlation ǫ_l. For a more detailed explanation of the differential-linear attack, we refer to Ref. 31. Also, from the paper 32, we know that for distinguishing between two events, where one event happens with probability p and the other happens with probability p(1 + q), where q is small, we need O(1/(p q^2)) random samples to obtain a constant probability of success.

Attack scenario for ChaCha
In this section, we discuss the differential-linear attack framework for the cipher. As discussed in the previous section, we divide the cipher into three subparts E_1, E_m and E_2, where E_1 consists of the first round, E_m consists of the next 2.5 rounds, and E_2 consists of the last, linear part of the cipher. Here the targeted rounds for the differential-linear attacks are 7 and 7.25 rounds of the ChaCha permutation.
Differential distinguisher for the 3.5 rounds ChaCha. At Crypto 2020 22, Beierle et al. obtained some 3.5-round single-bit differential distinguishers experimentally. They chose input differences at (p, 6) for p ∈ {12, 13, 14, 15} and found a differential correlation of 2^-8.3 ≈ 0.00317 at (i, 0) for i ∈ {1, 2, 3, 0} respectively. In their attack, they minimized the Hamming weight of the differential state matrix after one round, i.e., after the E_1 subpart of the cipher, in search of a better correlation at the targeted rounds. They considered Hamming weight 10 after one round, i.e., |ΔS^1| = 10, which holds with probability 2^-5 on average; for a detailed discussion, we refer to Ref. 22. In the following, we highlight some of our observations regarding the differential correlation for various input-output difference positions. For these observations, we have also minimized the Hamming weight (|ΔS^1| = 10) of the differential state matrix after one round.
Similarly, from Observation 1 and Observation 2, we can derive 3.5-round differential distinguishers with the same differential correlation as above for other pairs of input-output difference positions.
Linear approximations for ChaCha. For ARX-based ciphers, the only nonlinear operation is addition. In the addition of two 32-bit numbers x and y, the carry function is calculated as Car(x, y) = x ⊕ y ⊕ (x ⊞ y), where Car(x, y)[i] denotes the ith carry bit and Car(x, y)[0] = 0 for the 0th bit. At Eurocrypt 2021 24, Coutinho and Souza introduced the following linear approximations (Eqs. (1) and (2)): According to Coutinho and Souza, these two probabilistic conditions are very useful for constructing linear approximations for more rounds of ARX-based ciphers. Here, we recall the work described in Refs. 19,24. In those papers, the authors proposed many results for finding linear approximations. In the following, we concentrate on some of their results that we will use to derive the linear approximations throughout this paper. We introduce a new path of differential-linear distinguisher using the following lemmas.
Lemma 1 (Refs. 19,24) For one active input bit in round r and multiple active output bits in round r + 1, the following linear approximations hold for i > 0.
Here we rewrite Lemma 7 of Ref. 27 into the two following lemmas with modified notations to suit the flow of our work.
Lemma 2 For two consecutive active bits in round r and multiple active output bits in round r + 1/2, the following linear approximations hold with probability 1/2(1 + …).

Lemma 3
For two consecutive active bits in round r + 1/2 and multiple active output bits in round r + 1, the following linear approximations hold with probability 1/2(1 + 1/2) for i > 0.
Proof We refer to Lemma 7 of Ref. 27 for the proof. Q.E.D.
In the earlier analysis of linear approximations (Lemma 1), there were probabilistic linear approximations for a single active bit of one round with multiple active bits of the next round. Lemma 7 of the paper 24 presents the linear approximation between two consecutive active bits of one round and multiple active bits of the next round. Later, at Asiacrypt 2022 27, Coutinho et al. proposed linear approximations (Lemmas 2, 3) between two consecutive active bits of one round and multiple active bits of the next half round. In the following, we present a lemma that forms a bridge between two consecutive active bits of one round and multiple active output bits of the next round with the same probability as Lemma 7 of Ref. 24 but with fewer active bits in the next round.

Lemma 4
The following linear approximations between two consecutive active bits in the rth round and multiple active bits in the (r + 1)th round hold probabilistically for i > 0.

Proof For proving the lemma, we use the QRF and the previous lemmas. The proofs are as follows.

Distinguisher for 7 rounds ChaCha permutation.
Here we explain the differential-linear distinguisher for the 7-round ChaCha permutation using the 3.5-round differential distinguisher discussed in the "Differential distinguisher for the 3.5 rounds ChaCha" section.
In the following, we discuss a few results that guide the path of linear approximation for 7 rounds of the permutation. The overall attack is framed in Fig. 4. The following Result 2 provides the linear approximation from the 4th round to the 5th round.

Result 2
The following relation holds with probability 1.
Now, by combining the above linear approximations of Column III and using the Piling-up Lemma 29, we get the following linear approximation, which holds with probability 1/2(1 + 1/2^17). (iv) For the bits presented in the group Column IV, the corresponding column is (S^6_3, S
The following Experiment 2 provides the computational result for Result 3.
We have divided the linear approximation of Result 4 into four groups in the proof. The four groups have four different linear approximations, namely Result 5, Result 6, Result 7 and Result 8. We have proved these linear approximations theoretically in Result 4, and the corresponding computational results, Experiment 3 and Experiment 4, are as follows.
Remark 1 In Experiment 3 and Experiment 4, one can see that there is a significant difference between the theoretically and computationally obtained correlations. The theoretical proofs assume independence through the Piling-Up Lemma, leading to some discrepancies when compared with the experimental results. The large number of samples used in the experiments gives more accurate results than the theoretical ones. Therefore, the computational results are used when determining attack complexities. Further research may be conducted to understand why ChaCha exhibits this behavior. Now we discuss the complexity analysis of the improved 7-round distinguisher.
Complexity. We experimented with all the required linear approximations to compute the differential-linear distinguisher for the 7-round ChaCha permutation. Then, using Experiment 1, Experiment 2, Experiment 3 and Experiment 4, we get the linear correlation ǫ_l = ǫ_l1 ǫ_l2 ǫ_l3 ǫ_l4 ǫ_l5 ǫ_l6 ǫ_l7 ≈ 2^-36.21, and we also know the differential correlation ǫ_d ≈ 2^-28.65. Then we calculate ǫ_d ǫ_l^2 ≈ 2^-101 as the differential-linear correlation for 7 rounds of the permutation. Hence the data and time complexity of the 7-round differential-linear distinguisher is 2^207, as the attack has to be repeated 2^5 times on average.

Remark 2
In distinguishing attacks, the adversary generates ciphertexts from chosen plaintexts using the encryption machinery under a fixed secret key. In the case of the ChaCha permutation, the adversary chooses the IVs to generate outputs and then tries to distinguish the permutation from a random permutation. However, the total size of the IV in the initial state of ChaCha is 128 bits, whereas the above complexity analysis shows that the required data is 2^207. Hence, in the attack, one cannot fix the whole secret key; otherwise, it is not possible to generate the huge amount of data for the attack. So, we fix only the 64 bits of the secret key corresponding to the input difference column (S^0_2, S^0_6, S^0_10, S^0_14). In the papers 24,26, the authors have not clearly mentioned how the data is generated to mount the attack. In those papers 24,26, the data complexities were 2^224 and 2^214 respectively. If the whole secret key is fixed for generating the data, this is impossible because the IV size is 128 bits. We have pointed out this issue.
Note 1 Here, we explain why the previous multi-bit distinguishing attacks on the reduced-round cipher ChaCha are invalid: these attacks are valid for the ChaCha permutation only. The output of the R-round ChaCha permutation is P = S^R, and the output, or key stream, of the R-round ChaCha cipher is Z = S^0 ⊞ S^R. In the attack procedure, the linear relation is obtained on the permutation output, not on the key stream of the cipher, and the multiple bits involved in the permutation output differ from those of the cipher output/key stream. Let S′^0 be another initial state, where S′^0 = S^0 ⊕ ΔS^0, and let S′^R be the corresponding updated state after R rounds, i.e., P′ = S′^R is the permutation output after R rounds. The key stream is Z′ = S′^0 ⊞ S′^R. The targeted multiple bits involved in the permutation output difference ΔP = P ⊕ P′ = S^R ⊕ S′^R are not identical to the bits involved in the key stream difference ΔZ = Z ⊕ Z′ = (S^0 ⊞ S^R) ⊕ (S′^0 ⊞ S′^R) for R = 7.

Remark 3
We use a heuristic approach to find linear approximations. Here we have presented the linear approximation (Lemma 5) starting from the bit (8, 0) of the 3.5th round to multiple bits in the 7th round. The linear approximation holds with the same probability if we start from position (9, 0), (10, 0) or (11, 0) of the 3.5th round instead of (8, 0), ending at different multiple bits of the 7th round. The update from the 3rd to the 4th round is a diagonal round. If we consider a diagonal of the state matrix with indices (a, b, c, d) according to the diagonal round, then from the QRF we know that the word with index a is updated first, the word with index d second, then the word with index c, and finally the word with index b. In our attack framework, we start the linear approximation from the 0th bit of the word with index c after 3.5 rounds. In the existing works on differential-linear distinguishers, the authors started with the 0th bit of the word with index a after 3.5 rounds.
Remark 4 One natural question arises: why have we not started with other bit positions instead of the 0th bit? If we use any bit position other than the 0th bit, then the linear approximation from 3.5 rounds to 4 rounds involves 3 bits; for example, the linear approximation from S^3.5 (for i > 0) holds with probability 0.75, but for the 0th bit, the number of involved bits is two, and it holds with probability 1. Another question is why we have not used the words with indices d and b. If we use the 0th bit of the word with index d after 3.5 rounds, we get the linear approximation from S^3.5 that holds with probability 1. But for the bit S^4_d[8], the further linear approximations up to the 7th round hold with very low probability, which does not improve the latest work. Also, after 3.5 rounds, we cannot find an observable bias for the 0th bit of the word with index b; this is why we do not consider the 0th bit of the word with index b.
Distinguisher for 7.25 rounds ChaCha permutation.
Here we discuss the extension of the differential-linear distinguisher from the 7th round to the 7.25th round of the ChaCha permutation.
The quarter-round function (QRF_0.25) for the 0.25 round is given below. Therefore, in the 0.25-round update of the state, for each 4-tuple (S^r_a, S^r_b, S^r_c, S^r_d) only the words S^r_a and S^r_d are updated, and the other two words S^r_b and S^r_c remain unchanged, as described above. So, in the 0.25-round update, 8 of the 16 words of the state matrix are updated. Now from QRF_0.25, we get the following relations using the approximation of Eq. (1).

The update from the 7th round to the 7.25th round is a ChaCha diagonal round. The following linear approximation gives the probabilistic linear relation between the 7th round and the 7.25th round.
We prove the linear approximation from the 7th round to the 7.25th round of the permutation in Result 5. The corresponding computational linear correlation is provided in the following Experiment 5.
Complexity. Here we discuss the complexity of the differential-linear distinguisher for the 7.25-round ChaCha permutation. The differential correlation (ǫ_d) for 3.5 rounds of the cipher is ǫ_d = 2^-28.65. Now, using the computational linear correlations from Experiment 1, Experiment 2, Experiment 3, Experiment 4, and Experiment 5, we get the differential-linear correlation ǫ_d (ǫ_l ǫ_l8) ≈ 2^-113 for the 7.25-round permutation. Therefore, the data and time complexity of the 7.25-round differential-linear distinguisher is 2^231, as the attack has to be repeated 2^5 times on average.
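As an added worked derivation (not from the paper), the correlation argument of the "Complexity analysis for distinguisher" section is carried through in the paper's symbols and then instantiated with the correlations reported in the two Complexity paragraphs above; the independence assumption of the Piling-up Lemma is the only assumption made.

```latex
\begin{align*}
\Delta\rho &= (\rho \oplus \sigma)\oplus(\rho' \oplus \sigma')\oplus \Delta\sigma,\\
\Pr(\rho=\sigma)=\Pr(\rho'=\sigma') &= \tfrac12(1+\epsilon_l),\qquad
\Pr(\Delta\sigma=0)=\tfrac12(1+\epsilon_d),\\
\Pr(\Delta\rho=0) &= \tfrac12\bigl(1+\epsilon_d\,\epsilon_l\,\epsilon_l\bigr)
\quad\text{(Piling-up Lemma, independence assumed)},\\
\epsilon &= \epsilon_d\,\epsilon_l^{2}.
\intertext{Distinguishing $p=\tfrac12$ from $p(1+q)$ with $q=\epsilon$ needs $O\!\left(\tfrac{1}{pq^{2}}\right)=O(\epsilon^{-2})$ samples; each trial is repeated $2^{5}$ times because $|\Delta S^{1}|=10$ holds with probability $2^{-5}$:}
\text{7 rounds:}\quad \epsilon &= \epsilon_d\,\epsilon_l^{2}
\approx 2^{-28.65}\cdot 2^{-2\cdot 36.21} = 2^{-101.07}\approx 2^{-101},
\qquad N\approx 2^{5}\cdot\epsilon^{-2} = 2^{5+202} = 2^{207};\\
\text{7.25 rounds:}\quad \epsilon &= \epsilon_d\,(\epsilon_l\,\epsilon_{l8})^{2}\approx 2^{-113},
\qquad N\approx 2^{5}\cdot 2^{226} = 2^{231}.
\end{align*}
```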

Conclusion
In this paper, we present a new 3.5-round single-bit differential distinguisher. Then, using this differential distinguisher, we find a new path of linear approximation that yields a 2^7 times better differential-linear distinguisher than Ref. 27 for the 7-round ChaCha permutation. We also extend this 7-round distinguisher, for the first time, to a 7.25-round differential-linear distinguisher with data and time complexity 2^231. We address the issue of massive data generation for the attack, which was not mentioned in the previous distinguishing attacks on ChaCha. The existing multibit distinguishing attacks on 7-round ChaCha 24,27 do not work for the cipher; we explain why these attacks are valid only for the ChaCha permutation.

Figure 1. Diagram of the quarter-round function (QRF) applied on (S^r_a, S^r_b, S^r_c, S^r_d).

Table 1. Comparison of attack complexities.