Improved Differential-Linear Cryptanalysis of Reduced Rounds of ChaCha Permutation

抄録

ChaCha is a stream cipher that has been adopted in TLS1.3 and is widely used around the world. Therefore, any vulnerability in ChaCha has a significant global impact, making the security analysis of its permutation a critical issue. Currently, no analysis has successfully extended beyond 8 rounds of ChaCha, and reducing the computational complexity for fewer rounds remains a challenge for future research. The primary methods of analyzing ChaCha include differential analysis, which examines the relationship between input and output differences; linear analysis, based on linear approximations; and Differential-Linear analysis, a combination of both approaches. The computational complexity of Differential-Linear analysis depends heavily on the linear bias. Therefore, we focus on increasing the linear bias and aim to reduce the computational complexity by deriving a linear approximation with a larger bias. To achieve this, we first reduce the number of linear rounds to 3 or 3.5 in order to increase the bias. Then, we derive the linear approximation between 4 or 4.25 and 7 rounds of ChaCha and identify the corresponding input and output differences. Next, to further increase the number of analysis rounds, we extend the linear approximation derived from 7-round ChaCha analysis. We analyze the 7.25-round ChaCha Permutation with computational complexity of 2^182.57 and 2^104.20. In addition we perform Differential-Linear analysis for 7.5-round ChaCha with computational complexity of 2^222.54 and 2^132.18. Although our analysis is a distinguisher, it can be extended to a key recovery attacks or differential analysis by considering final adition, which would have a significant on the overall security analysis of ChaCha.