Differential-Linear Cryptanalysis of Reduced Round ChaCha

ChaCha is a well-known stream cipher that has been used in many network protocols and software. In this paper, we study the security of reduced round ChaCha. First, by considering the differential-linear hull effect, we improve the correlation of a four-round differential-linear distinguisher proposed at FSE 2023 by providing other intermediate linear masks. Then, based on the four-round differential-linear distinguisher and the PNB method, by using the assignment $100\cdots00$ for consecutive PNBs, higher backward correlation is obtained and improved key recovery attacks of 7-round and 7.25-round ChaCha are obtained with time complexity $2^{189.7}$ and $2^{223.9}$, which improve the previously best-known attacks by $2^{17.1}$ and $2^{14.44}$, respectively. Finally, we consider the equivalence of the security between $(R+0.25)$-round and $(R+0.5)^{\oplus}$-round ChaCha, and show that $(R+0.25)$-round and $(R+0.5)^{\oplus}$-round ChaCha provide the same security against chosen (known) plaintext attacks. As a result, improved differential-linear cryptanalysis of $7.5^{\oplus}$-round ChaCha can also be obtained similarly to that of 7.25-round ChaCha, which improves the previously best-known attack by $2^{19}$.

Both Salsa [Ber05] and ChaCha [Ber08] are well-known symmetric stream ciphers, where ChaCha has been implemented by many protocols and software [Cha], such as SSH, Noise, WireGuard, and so on. ChaCha is in one of the cipher suites of TLS, which has been supported by Google. Salsa was introduced by Bernstein in 2005 as a candidate for the eSTREAM project and was selected as a finalist of the competition in April 2007. Bernstein later in 2008 introduced ChaCha as a Salsa variant, which can provide better diffusion without slowing down encryption. The total number of rounds is 20. These ciphers also have reduced round variants, such as the 12-round version. Both these ciphers have the 256-bit key version and the 128-bit key version, and the 256-bit key version of ChaCha is studied in this paper.
Differential cryptanalysis [BS90] and linear cryptanalysis [Mat93] are two fundamental methods for block ciphers. Differential-linear cryptanalysis was proposed based on differential cryptanalysis and linear cryptanalysis by Langford and Hellman [LH94], and has been widely used to attack many ciphers such as DES, Serpent and ICEPOLE [BDK02, Lu12, HTW15, BODKW19].
For differential-linear attacks on ARX ciphers, at EUROCRYPT 2016, Leurent [Leu16] used the partitioning technique [BC14] to improve the differential cryptanalysis and linear cryptanalysis of addition operations, and proposed an improved differential-linear attack on 7-round Chaskey. At CRYPTO 2020, Beierle et al. [BLT20] improved the partitioning technique and presented improved differential-linear attacks on 7-round Chaskey. In the extended version [BBC+22], they further improved the methods of [BLT20], and presented a differential-linear attack on 7.5-round Chaskey.
At EUROCRYPT 2021, Liu et al. [LSL21, LNS+23] proposed the rotational differential-linear attacks by replacing the differential part of the differential-linear attacks with rotational differentials. They applied the technique to FRIET, Xoodoo, Alzette, and SipHash when the output linear masks are unit vectors, and obtained improved (rotational) differential-linear distinguishers. At CRYPTO 2022, Niu et al. [NSLL22] improved the technique to evaluate the correlations of ARX ciphers when the output linear masks are arbitrary vectors, and presented improved differential-linear distinguishers for Alzette, SipHash, ChaCha, and SPECK.
The concept of Probabilistic Neutral Bits (PNBs) was first introduced by Aumasson et al. in 2008 [AFK+08], which was used to present the first attack on 8-round Salsa and 7-round ChaCha. In 2012, Shi et al. [SZFW13] introduced the idea of column chaining distinguisher (CCD) based on PNBs. In 2015, Maitra [Mai16] provided the idea of chosen IV based on key guessing and improved the attack on 7-round ChaCha with time complexity $2^{238.9}$.
In 2016, Choudhuri et al. [CM16] extended single-bit distinguisher to multi-bit distinguisher by using linear relation, and provided the first 6-round distinguisher for Salsa and five-round distinguisher for ChaCha. In 2017, Dey et al. [DS17] improved the attacks with better PNBs and then provided a proof of these distinguishers in [DS20].
At CRYPTO 2020, Beierle et al. [BLT20] provided the first 3.5-round single-bit distinguisher for ChaCha, and improved the attack on 7-round ChaCha with time complexity $2^{230.86}$. This distinguisher was also observed by Coutinho et al. [CN20] independently. Some other 3.5-round distinguishers were presented by Coutinho et al. [CN21] at EUROCRYPT 2021, and a further improvement was provided by using one of the distinguishers. However, Dey et al. [DDSM22] proved the improvement is invalid because the used distinguisher for key recovery is incorrect.
At EUROCRYPT 2022, Dey et al. [DGSS22] partition the key bits into memory key bits and non-memory key bits, and the right pairs can be constructed by guessing the memory key bits. They improved the key recovery attacks of 7-round ChaCha with time complexity $2^{221.95}$ by the approach. In the extended version [DGSS23], they further present an improved key recovery attack of 7-round ChaCha with time complexity $2^{218.92}$ by choosing a particular assignment $100\cdots00$ for consecutive PNBs.
At FSE 2023, Dey et al. [DGM23] applied a divide-and-conquer approach on 6-round ChaCha, and obtained an improved attack with time complexity $2^{99.48}$. For ChaCha with longer round, Miyashita et al. [MIM22] presented the first differential-linear attack on 7.25-round ChaCha with time complexity $2^{255.62}$ and success probability 0.5.
At CRYPTO 2023, Wang et al. [WLHL23] introduced the syncopation technique, and presented a differential-linear attack on 7-round ChaCha with time complexity $2^{210.3}$. Towards a closer analysis of 8-round ChaCha, they analyzed $7.5^{\oplus}$-round ChaCha where four additions are added to 7.25-round ChaCha, and presented a differential-linear attack with time complexity $2^{242.9}$. At FSE 2023, Bellini et al. [BGG+23] found a differential-linear distinguisher for four-round ChaCha with correlation $2^{-34.15}$, and presented differential-linear attacks for 7-round and 7.25-round ChaCha with time complexity $2^{206.8}$ and $2^{238.34}$, respectively. They also presented a differential-linear attack on $7.5^{\oplus}$-round ChaCha, and the time complexity is similar to that of 7.25-round ChaCha.
Our Contribution. In this paper, we study the security of reduced round ChaCha. Our results are summarized as follows, and a comparison of cryptanalysis for reduced round ChaCha is shown in Table 1. First, by considering the differential-linear hull effect, we improve the correlation of a four-round differential-linear distinguisher proposed at FSE 2023. When more intermediate linear masks are used, the correlation is improved from $2^{-34.15}$ to $2^{-32.2}$.
Then, based on the four-round differential-linear distinguisher and the PNB method, by using the assignment $100\cdots00$ for consecutive PNBs, higher backward correlation is obtained. For 7-round ChaCha, backward correlation is improved from $2^{-14.18}$ to $2^{-11.855}$, and the number of PNBs increases from 160 to 169. For 7.25-round ChaCha, backward correlation is improved from $2^{-16.85}$ to $2^{-11.25}$. As a result, improved key recovery attacks of 7-round and 7.25-round ChaCha are obtained with time complexity $2^{189.7}$ and $2^{223.9}$, which improve the previously best-known attacks by $2^{17.1}$ and $2^{14.44}$, respectively.
Finally, we consider the equivalence of the security between $(R+0.25)$-round and $(R+0.5)^{\oplus}$-round ChaCha, and we show that $(R+0.25)$-round and $(R+0.5)^{\oplus}$-round ChaCha provide the same security against chosen (known) plaintext attacks. As a result, improved differential-linear attack of $7.5^{\oplus}$-round ChaCha can also be obtained similarly to that of 7.25-round ChaCha, which improves the previously best-known attack by $2^{19}$.
Organization of the Paper. In Section 2, some notations, a brief review of ChaCha and differential-linear cryptanalysis are presented. In Section 3, the correlation of a four-round differential-linear distinguisher is improved. In Section 4, improved differential-linear attacks on 7-round and 7.25-round ChaCha are presented. In Section 5, the equivalence between $(R+0.25)$-round and $(R+0.5)^{\oplus}$-round ChaCha is presented, and the improved differential-linear attack on $7.5^{\oplus}$-round ChaCha is presented. Finally, we conclude in Section 6.

Notations
In this subsection, some notations used in this paper are introduced, which are shown in Table 2.

$X^r$: the state matrix of the output of the r-round ChaCha
$X^r_i$: the i-th word of the state matrix $X^r$
$X_i[j]$: the state matrix where the j-th bit of the i-th word is 1 and the other bits are 0
$\Delta^r$: the matrix of the output difference of the r-round ChaCha
$\Gamma^r$: the matrix of the output linear mask of the r-round ChaCha
$\boxplus$: addition modulo $2^{32}$
$\boxminus$: subtraction modulo $2^{32}$
$x \lll l$: left rotation of $x$ by $l$ bits
$x \ggg l$: right rotation of $x$ by $l$ bits
$\oplus$: XOR operation
$x_i$: the i-th bit of the n-bit vector $x$
$x \cdot y$: the inner product of two n-bit vectors $x$ and $y$, i.e.

For simplicity, for state matrices $X$ and $Y$ consisting of 16 words, $X \boxplus Y$ and $X \boxminus Y$ mean the word-based addition and subtraction, i.e.

Structure of ChaCha with 256-Bit Key
The stream cipher ChaCha operates on 32-bit words, which takes as input a 256-bit key $k = (k_0, k_1, \cdots, k_7)$, a 128-bit constant $c = (c_0, c_1, c_2, c_3)$ and a 128-bit initialization vector (IV) $v = (t_0, v_0, v_1, v_2)$. They are organised in a $4 \times 4$ matrix of the form $X$, where

Each ChaCha round function Round consists of four QR functions $(a'', b'', c'', d'') = \mathrm{QR}(a, b, c, d)$ as shown in Figure 1. The QR function is given by the following equations:

For odd rounds, the QR function is applied to four column vectors $(X_0, X_4, X_8, X_{12})$, $(X_1, X_5, X_9, X_{13})$, $(X_2, X_6, X_{10}, X_{14})$, and $(X_3, X_7, X_{11}, X_{15})$, respectively. On the other hand, for even rounds, the QR function is applied to the diagonal vectors $(X_0, X_5, X_{10}, X_{15})$, $(X_1, X_6, X_{11}, X_{12})$, $(X_2, X_7, X_8, X_{13})$, and $(X_3, X_4, X_9, X_{14})$, respectively. The initial state $X$ is also denoted by $X^0$, and $X^r$ denotes the output of the r-round ChaCha, i.e. $X^r = \mathrm{Round}^r(X^0)$. The inverse of the round function is denoted as $\mathrm{Round}^{-1}$, then $X^0 = \mathrm{Round}^{-r}(X^r)$. After $R$ iterations of the ChaCha round functions, the final state $X^R$ is added word-wise (modulo $2^{32}$) to the initial state $X^0$ to form the key stream

For more details on ChaCha, please refer to [Ber08].

Differential-Linear Distinguisher
Differential-linear cryptanalysis [LH94] was introduced by Langford and Hellman. For given input difference $\Delta_{in}$ and output linear mask

By preparing $\epsilon c^{-2}$ input pairs $(x, x \oplus \Delta_{in})$, where $\epsilon$ is a small constant, the cipher $E$ can be distinguished from a pseudorandom permutation. Differential-linear distinguishers can be constructed with Differential-Linear Connectivity Table (DLCT) [BODKW19]. Assume cipher $E$ can be divided into three sub-ciphers and $E_2$ with probability $p$, correlation $r$ and correlation $q$, respectively, i.e.

then there exists a differential-linear distinguisher $\Delta_{in}$

Proposition 1. [BLN17] Assume cipher $E$ can be divided into two sub-ciphers E, where $E_1$ and $E_2$ are independent. For any $\Delta_m, \Gamma_{out} \in \mathbb{F}_2^n$, we have

where

For simplicity, in this paper, $\mathrm{Aut}_{E_1}(\Delta_m, \Gamma_m)$ and $C_{E_2}(\Gamma_m, \Gamma_{out})$ are also denoted by $\mathrm{Aut}(\Delta_m, \Gamma_m)$ and $C(\Gamma_m, \Gamma_{out})$ when $E_1$ and $E_2$ are known.

PNB-Based Key Recovery

Step 1: Find an r-round differential-linear distinguisher $\Delta^0 \to \Gamma^r$ with correlation $\epsilon_d$, i.e.

where $r < R$, $(X, X')$ is the input pair of ChaCha, and $(X^r, X'^r)$ is the output pair of r-round ChaCha.
Step 2: Select the PNBs by a threshold $\gamma$. Construct multiple input pairs $(X, X')$, where $X' = X \oplus \Delta^0$, and generate corresponding output key streams $(Z, Z')$, i.e. $Z = X \boxplus X^R$ and $Z' = X' \boxplus X'^R$. Construct pairs $(\overline{X}, \overline{X}')$ from $(X, X')$ such that the i-th key bit is complemented while the other bits take the same values. Compute

When $\gamma_i > \gamma$, the i-th key bit is selected as a PNB, otherwise the i-th key bit is a non-PNB.
Step 3: Evaluate the backward correlation. Construct multiple input pairs $(X, X')$, where $X' = X \oplus \Delta^0$, and generate corresponding output key streams $(Z, Z')$, i.e. $Z = X \boxplus X^R$ and $Z' = X' \boxplus X'^R$. Construct pairs $(\hat{X}, \hat{X}')$ from $(X, X')$ such that all PNBs are assigned fixed value (or random value) while the other bits take the same values as (X,

Then by equations (8) and (10), and the Piling-up lemma, we have

Online Stage: Recovering the Correct Key.
In the actual attack, all PNBs are assigned the same fixed value as in Step 3 (or random values). We guess partial key bits, i.e. the non-PNBs in $X$, and compute the probability

When the key bits are correctly guessed, the equation (11) holds. Otherwise, a random event will be observed, i.e.
We set a predetermined threshold, and count the number of times that $\Gamma^r \cdot (\hat{Y} \oplus \hat{Y}') = 0$ occurs when multiple input pairs are used. If the number is larger than the threshold, the guess for the non-PNBs is selected as a candidate key. The unique correct key can be further recovered from the remaining candidate keys by exhaustive search.

New Assignment for PNBs.
In Step 3 of the pre-processing stage or the online stage, the assignments for PNBs are usually all zeros or random values. In [DGSS23], Dey et al. proposed a new assignment for the PNBs. For a set of consecutive PNBs $\{a, a-1, a-2, \cdots\}$, the assignment for the a-th PNB is 1 and the assignments for the remaining PNBs are 0. Dey et al. find this assignment $100\cdots00$ can provide a better backward correlation than the all zero assignment and the random assignment.
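
The backward-correlation estimate of Step 3 under the three PNB assignments discussed above (all zeros, random, $100\cdots00$), as an added Python example that is not code from the paper. The quarter round is Bernstein's standard definition; the key-bit indexing (PNB i is bit i mod 32 of state word 4 + i // 32), the restriction of a consecutive run to one 32-bit key word, and the demo's round counts, input difference, output mask and PNB set are assumptions chosen for illustration and are not the paper's distinguisher.

```python
import random

MASK = 0xFFFFFFFF
CONSTS = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
COLS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    return rotl(x, 32 - n)

def qr(a, b, c, d):
    """ChaCha quarter round."""
    a = (a + b) & MASK; d = rotl(d ^ a, 16)
    c = (c + d) & MASK; b = rotl(b ^ c, 12)
    a = (a + b) & MASK; d = rotl(d ^ a, 8)
    c = (c + d) & MASK; b = rotl(b ^ c, 7)
    return a, b, c, d

def qr_inv(a, b, c, d):
    """Inverse quarter round: undoes qr step by step, last step first."""
    b = rotr(b, 7) ^ c;  c = (c - d) & MASK
    d = rotr(d, 8) ^ a;  a = (a - b) & MASK
    b = rotr(b, 12) ^ c; c = (c - d) & MASK
    d = rotr(d, 16) ^ a; a = (a - b) & MASK
    return a, b, c, d

def run_rounds(state, first, last):
    """Map X^first to X^last: forward rounds if last > first, inverse rounds otherwise."""
    s = list(state)
    fwd = last > first
    rounds = range(first + 1, last + 1) if fwd else range(first, last, -1)
    for r in rounds:
        for idx in (COLS if r % 2 else DIAGS):  # odd round: columns, even round: diagonals
            out = (qr if fwd else qr_inv)(*(s[i] for i in idx))
            for i, v in zip(idx, out):
                s[i] = v
    return s

def assign_pnbs(pnbs, mode, rng):
    """Value given to each PNB (key bit index 0..255, an assumed indexing) under one rule."""
    pnbs = set(pnbs)
    if mode == "zero":
        return {i: 0 for i in pnbs}
    if mode == "random":
        return {i: rng.getrandbits(1) for i in sorted(pnbs)}
    # mode "one_then_zeros": 100...00 on each run of consecutive PNBs inside one
    # 32-bit key word (top bit 1, rest 0); a PNB that is not part of a run gets 0.
    out = {}
    for i in pnbs:
        is_top = i % 32 == 31 or i + 1 not in pnbs
        has_lower = i % 32 != 0 and i - 1 in pnbs
        out[i] = int(is_top and has_lower)
    return out

def parity(mask, a, b):
    """Gamma . (a xor b) for a mask given as a list of (word, bit) positions."""
    p = 0
    for w, bit in mask:
        p ^= ((a[w] ^ b[w]) >> bit) & 1
    return p

def backward_correlation(pnbs, mode, R, r, in_diff, out_mask, samples, seed=1):
    """Estimate 2*Pr[Gamma.(X^r xor X'^r) == Gamma.(Yhat xor Yhat')] - 1."""
    rng = random.Random(seed)
    agree = 0
    for _ in range(samples):
        X = CONSTS + [rng.getrandbits(32) for _ in range(12)]  # key words 4..11, IV words 12..15
        Xp = list(X)
        Xp[in_diff[0]] ^= 1 << in_diff[1]
        Xr, Xpr = run_rounds(X, 0, r), run_rounds(Xp, 0, r)
        Z = [(x + y) & MASK for x, y in zip(X, run_rounds(Xr, r, R))]
        Zp = [(x + y) & MASK for x, y in zip(Xp, run_rounds(Xpr, r, R))]
        # Attacker's view: the PNBs of the key are replaced by the assigned values.
        Xh, Xph = list(X), list(Xp)
        for i, v in assign_pnbs(pnbs, mode, rng).items():
            w, bit = 4 + i // 32, i % 32
            for s in (Xh, Xph):
                s[w] = (s[w] & ~(1 << bit) & MASK) | (v << bit)
        Y = run_rounds([(z - x) & MASK for z, x in zip(Z, Xh)], R, r)
        Yp = run_rounds([(z - x) & MASK for z, x in zip(Zp, Xph)], R, r)
        agree += parity(out_mask, Xr, Xpr) == parity(out_mask, Y, Yp)
    return 2 * agree / samples - 1

if __name__ == "__main__":
    # Constructed demo: 4 rounds, 2 of them inverted, arbitrary difference, mask and PNB set.
    pnbs = list(range(64, 72)) + [130]
    for mode in ("zero", "random", "one_then_zeros"):
        eps = backward_correlation(pnbs, mode, R=4, r=2, in_diff=(13, 13),
                                   out_mask=[(11, 0)], samples=2000)
        print(f"{mode:15s} backward correlation ~ {eps:+.3f}")
```

With an empty PNB set the estimate is exactly 1, because the full key is then used and the inverse rounds recover $X^r$ and $X'^r$ exactly.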

Complexity of PNB-Based Key Recovery
Assume cipher $E$ can be divided into three sub-ciphers

There exists a differential characteristic and a differential-linear distinguisher for $E_1$ and $E_m$ with probability $p$ and forward correlation $\epsilon_d$, respectively. For $E_2$, backward correlation $\epsilon_a$ is obtained with $n$ PNBs.

The total correlation for $E_2 \circ E_m$ is $\epsilon_d \epsilon_a$. Using the Neyman-Pearson lemma, for advantage $\alpha$, required number of input pairs

By [AFK+08], the time complexity for

By using the technique in [BLT20], the attack needs to be repeated for $p^{-1}$ times. Thus the total data complexity is $p^{-1}N$, and the total time complexity is

3 More Accurate Correlation of the Differential-Linear Distinguisher for Four-Round ChaCha

At FSE 2023, Bellini et al. [BGG+23] found a two-round differential-linear distinguisher $\Delta^1 \to \Gamma^3_0$ with the correlation $2^{-30.15}$ from the second round to the third round and a two-round linear approximation $\Gamma^3_0 \to \Gamma^5$ with the correlation $2^{-2}$ from the fourth round to the fifth round, and obtained a four-round differential-linear distinguisher $\Delta^1 \to \Gamma^5$ with the correlation $2^{-30.15} \cdot (2^{-2})^2 = 2^{-34.15}$ by splicing the two-round differential-linear distinguisher and the two-round linear approximation, where

In this paper, we find that the intermediate linear mask $\Gamma^3_0$ can be replaced by other linear masks. From Proposition 1 we know that the correlation of $\Delta^1 \to \Gamma^5$ can be improved with the differential-linear hull as follows.
We use the automatic tool SAT to search for the linear approximation $\Gamma^3 \to \Gamma^5$ from the fourth round to the fifth round when the output linear mask is fixed as $\Gamma^5$ in the equation (16). Using a similar method as in [LWR16, SWW21], the propagation of a linear approximation can be transformed into the SAT instance. Then the SAT solver CryptoMiniSat [SNC09] is used to solve the SAT instance. If the SAT instance is satisfiable, then the SAT solver will return a solution related to the linear approximation $\Gamma^3 \to \Gamma^5$. The detailed search process for the linear approximation is presented in Appendix A. Multiple linear masks $\Gamma^3_i$ are obtained when the correlations $C(\Gamma^3_i, \Gamma^5)$ in the SAT instance are restricted as $\pm 2^{-2}$ and $\pm 2^{-3}$. The detailed linear masks $\Gamma^3_i$ are shown in Table 3 and Table 4.
To use the differential-linear hull as in equation (17), we need to compute the correlation $\mathrm{Aut}(\Delta^1, \Gamma^3_i)$ by experiments. However, it's difficult to directly evaluate the correlation $\mathrm{Aut}(\Delta^1, \Gamma^3_i)$ by experiments because the correlation is too small. To overcome this, Bellini et al. [BGG+23] partitioned the masks $\Gamma^3_0$ into several partitions, and used the Piling-up Lemma to evaluate the correlation $\mathrm{Aut}(\Delta^1, \Gamma^3)$. The same method is also used to evaluate the correlation $\mathrm{Aut}(\Delta^1, \Gamma^3_i)$ in this paper.
represents the linear mask for the seventh word $X^3_7$, and $\Gamma^3_{i,1}$ represents the linear mask for the other word. For example, $\Gamma^3_{0,0} = X_7[20, 4, 0]$, and ) and $\mathrm{Aut}(\Delta^1, \Gamma^3_{i,1})$ are evaluated by experiments with $2^{48}$ samples, and the correlation Aut(∆ ) by the Piling-up Lemma. The detailed correlations are shown in Table 5. Therefore, the correlation $\mathrm{Aut}(\Delta^1, \Gamma^5)$ can be evaluated as

by the differential-linear hull.
To verify the effect of the differential-linear hull, we estimate the correlations $\mathrm{Aut}(\Delta^1, \Gamma^5)$ with $2^{32}$ samples when the differences ∆ respectively. The detailed correlations are shown in Table 6, where DL means that the correlation $\mathrm{Aut}(\Delta^1, \Gamma^5)$ is evaluated by the single differential-linear distinguisher as

and $\mathrm{DLH}_1$ and $\mathrm{DLH}_2$ mean that the correlation $\mathrm{Aut}(\Delta^1, \Gamma^5)$ is evaluated by the differential-linear hull as follows,

From Table 6 we know that the differential-linear hull provides closer correlations to the experimental correlations than a single differential-linear distinguisher. Particularly, the more intermediate linear masks $\Gamma^3_i$ are used, the closer the evaluated correlations are to the experimental correlations. Also, there exists a gap between the experimental method and the differential-linear hull method. We conjecture this happens because some intermediate linear masks are not used in our differential-linear hull.

Table 6: Comparison of the correlation Aut
The reduced round ChaCha $E$ is divided into three parts

$\to \Delta^1$ with probability $2^{-7}$ for $E_1$ and a four-round differential-linear distinguisher $\Delta^1 \xrightarrow{E_m} \Gamma^5$ with correlation $2^{-34.15}$ for $E_m$, where

By splicing the one-round differential distinguisher and the four-round differential-linear distinguisher, they obtained a five-round differential-linear distinguisher ∆

Based on the distinguisher, Bellini et al. evaluated the backward correlation of $E_2$ when all PNBs are assigned with 0, and presented differential-linear attacks for reduced round ChaCha with the PNB approach.
In this section, we use the five-round differential-linear distinguisher $\Delta^0 \xrightarrow{E_m \circ E_1} \Gamma^5$ to attack reduced round ChaCha with the PNB approach. By using the differential-linear hull as in Section 3, the correlation of the four-round differential-linear distinguisher $\Delta^1 \xrightarrow{E_m} \Gamma^5$ is improved from $2^{-34.15}$ to $2^{-32.2}$. The PNB approach is also used: when $100\cdots00$ is assigned to consecutive PNBs as in [DGSS23], and 0 is assigned to PNBs that are not consecutive, the backward correlation of $E_2$ is improved. The time complexity is significantly reduced because of the differential-linear hull and the new assignment for PNBs.
To search for a better PNB set, the search process is divided into two steps, and two thresholds $\gamma_0$ and $\gamma_1$ are used, where $\gamma_0 > \gamma_1 > 0$. $\gamma_0$ is used to directly select PNBs, and $\gamma_1$ is used to select candidate PNBs that need further evaluation. In the first step, the key bit is selected in the PNB set $PNB$ when it provides higher backward correlation than $\gamma_0$, and the key bit is selected in the candidate PNB set $PNB_{pre}$ when the backward correlation is lower than $\gamma_0$ and higher than $\gamma_1$. In the second step, a greedy algorithm is used by selecting the PNBs one by one. In the i-th iteration of the second step, a temporary PNB set $PNB_{temp}$ is constructed by adding a key bit from $PNB_{pre}$ into the PNB set $PNB$, and the backward correlation is tested with the temporary PNB set $PNB_{temp}$. The key bit with the maximal backward correlation will be selected as the i-th PNB of the second step. The iteration is repeated until all PNBs are selected. The detailed search process is shown in Algorithm 1.

Discussion of Algorithm 1
In this subsection, we will analyze the efficiency of Algorithm 1 by presenting an instance. From equation (10) of Subsection 2.4 we know that the backward correlation $\epsilon_a$ is evaluated by

Algorithm 1 The algorithm for searching a PNB set
Input: Two threshold correlations $\gamma_0$ and $\gamma_1$, a size $n$ of a PNB set;
Output: The PNB set and its backward correlation;
1: Initialize the PNB set $PNB = \emptyset$;
2: Initialize the candidate set $PNB_{pre} = \emptyset$;
Test the backward correlation $\epsilon_i$ when the i-th key bit is selected as a PNB;
Choose the index $i$ with the maximal backward correlation $\epsilon_i$, $PNB = PNB \cup \{i\}$;
17: end while
18: return the PNB set $PNB$ and the corresponding backward correlation;

Similar as in [WLHL23], under the assumption of independence, the backward correlation $\epsilon_a$ can be computed by

where $\epsilon'_a$ is evaluated by Pr

To show the efficiency of Algorithm 1, we construct a toy cipher as shown in Figure 2 by splicing the 1.5-round QR function, 0.5-round QR function and the last key addition operations. For the toy cipher, there exists a 1.5-round differential-linear distinguisher $\Delta^0 \to \Gamma^{1.5}$, where $\Delta^0 = X_2[31]$ and Γ

We use the equation (24) to evaluate the backward correlation $\epsilon'_a$ of the last 0.5-round toy cipher when the PNBs are selected from the keys $k_1$ and $k_2$.
Now we consider three candidate PNBs $k_{1,17}$, $k_{2,20}$ and $k_{2,21}$, i.e. the 17th bit of $k_1$, and the 20th and 21st bits of $k_2$. We select one bit or two bits from the set $\{k_{1,17}, k_{2,20}, k_{2,21}\}$ as PNBs, and evaluate the backward correlation $\epsilon'_a$ experimentally. The corresponding backward correlations are shown in Table 7. If we use a fixed threshold 0.5 to select two PNBs, the two bits $k_{1,17}$ and $k_{2,20}$ with higher backward correlations will be selected, and the backward correlation for the PNB set $\{k_{1,17}, k_{2,20}\}$ is experimentally evaluated as 0.66 when the PNBs are assigned random value. If we use Algorithm 1 to select two PNBs with thresholds $\gamma_0 = 0.6$ and $\gamma_1 = 0.2$, the key bit $k_{2,20}$ with the highest backward correlation will be selected first. Then we evaluate the backward correlations for the temporary PNB sets $\{k_{1,17}, k_{2,20}\}$ and $\{k_{2,20}, k_{2,21}\}$ experimentally when the PNBs are assigned random value, and obtain backward correlations 0.66 and 0.688 respectively. Thus from Algorithm 1 we obtain a better PNB set $\{k_{2,20}, k_{2,21}\}$ with a higher backward correlation 0.688.

This improvement is related to the mutual influence of PNBs. When we compute $\hat{Y}$ as in Subsection 2.4, random differences are introduced to PNBs, and propagate to the middle data pair $(X^{1.5}, \hat{Y})$. For the middle linear mask $\Gamma^{1.5}$, the backward difference propagations of PNBs $k_{1,17}$ and $k_{2,20}$ have little mutual influence on each other. However, the backward difference propagations of $k_{2,20}$ and $k_{2,21}$ have much mutual influence on each other. Thus, when $k_{2,20}$ has been selected as a PNB, selecting $k_{2,21}$ as a PNB will be better than selecting $k_{1,17}$ although $k_{2,21}$ performs worse as a single PNB than $k_{1,17}$.
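
The two-step search described for Algorithm 1, run against the toy-cipher comparison above, as an added Python example that is not the authors' code. The `corr` callable stands in for an experimental backward-correlation estimate; the two pair values (0.66 and 0.688) are the ones quoted in the text, while the three single-bit values are constructed here so that they fall on the stated sides of the thresholds.

```python
def search_pnb_set(candidates, corr, gamma0, gamma1, n):
    """Two-threshold greedy PNB search.

    candidates: iterable of key-bit identifiers
    corr:       callable frozenset(bits) -> backward correlation of that PNB set
    Returns (PNB set, its backward correlation).
    """
    pnb, pre = set(), set()
    # Step 1: evaluate every key bit on its own and sort it by the two thresholds.
    for i in candidates:
        eps = corr(frozenset([i]))
        if eps >= gamma0:
            pnb.add(i)          # directly selected
        elif eps >= gamma1:
            pre.add(i)          # candidate that needs further evaluation
    # Step 2: greedy extension. Each remaining candidate is evaluated together
    # with the PNBs already chosen, so mutual influence between bits is measured.
    while len(pnb) < n and pre:
        best = max(sorted(pre), key=lambda i: corr(frozenset(pnb | {i})))
        pnb.add(best)
        pre.remove(best)
    # An empty PNB set means the whole key is guessed: correlation 1.
    return pnb, (corr(frozenset(pnb)) if pnb else 1.0)


def fixed_threshold_set(candidates, corr, gamma, n):
    """Baseline: rank bits by single-bit correlation only, keep the best n above gamma."""
    single = {i: corr(frozenset([i])) for i in candidates}
    chosen = sorted((i for i in single if single[i] >= gamma),
                    key=lambda i: -single[i])[:n]
    return set(chosen), (corr(frozenset(chosen)) if chosen else 1.0)


# Toy-cipher candidates written as (key word, bit): k_{1,17}, k_{2,20}, k_{2,21}.
K1_17, K2_20, K2_21 = (1, 17), (2, 20), (2, 21)
TOY = {
    # Single-bit values: CONSTRUCTED for this example (Table 7 is not reproduced
    # here); only their position relative to the thresholds matters.
    frozenset([K2_20]): 0.70,
    frozenset([K1_17]): 0.55,
    frozenset([K2_21]): 0.45,
    # Pair values quoted in the text (PNBs assigned random values).
    frozenset([K1_17, K2_20]): 0.66,
    frozenset([K2_20, K2_21]): 0.688,
}


def toy_corr(bits):
    """Lookup oracle standing in for an experimental estimate on the toy cipher."""
    return TOY[bits]


if __name__ == "__main__":
    bits = [K1_17, K2_20, K2_21]
    print("fixed threshold 0.5 :", fixed_threshold_set(bits, toy_corr, 0.5, 2))
    print("two-step search     :", search_pnb_set(bits, toy_corr, 0.6, 0.2, 2))
```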
Similarly, when more PNBs are used for ChaCha, many PNBs may have mutual influences. Some candidate bits may have better performance when certain PNBs have been selected. When this happens, Algorithm 1 may help to find a better PNB set.

183,184,185,186,187,188,189,190,191,192,193,194,198,199,200,204,205,206,207,210,211,218,219,220,221,222,223,224,225,226,227,244,245,246,247,255,248,9,130,142,21,91,212,110,231,22,143,232,111,228,10,201,249,115,147,14,81,26.
To compare the effect of different methods, we also evaluate the backward correlation with other PNB set and assignment method. The detailed backward correlations are listed in Table 8. In Table 8, Experiment 1 is the method used in [BGG+23] with 160 PNBs. When the assignment for consecutive PNBs is $10\cdots00$ as shown in Experiment 2, the backward correlation is improved from $2^{-14.18}$ to $2^{-9.29}$. In this paper, we use the method in Experiment 3. Algorithm 1 is used to search PNBs with the two thresholds $\gamma_0 = 0.5$ and $\gamma_1 = 0.2$ in Experiment 3, and 169 PNBs are obtained with the backward correlation $2^{-11.855}$. Because the number of PNBs is improved in Experiment 3, the time complexity is further reduced.

Complexity analysis. The correlation of four-round differential-linear distinguisher for $E_m$ is $\epsilon_d = 2^{-32.2}$ and the backward correlation is $\epsilon_a = 2^{-11.855}$ for 169 PNBs. When $\alpha = 80$, from formula (13) in Subsection 2.5 we know that required number of input pairs is

Since the differential probability for $E_1$ is $2^{-7}$, the attacks need to be repeated for $2^7$ times. Then the total data complexity is $2^{95.63} \times 2^7 = 2^{102.63}$. From formula (15) in Subsection 2.5 we know that the total time complexity is $2^7 \cdot 2^{256-169} \cdot N + 2^7 \cdot 2^{256-\alpha} = 2^{189.7}$.

Differential-Linear Attack on 7.25-Round ChaCha
The 7.25-round ChaCha is an extension of 7-round ChaCha by adding the 7.25-th functions as shown in Figure 3. For 7.25-round ChaCha, $E_2$ covers 2.25 rounds. We use Algorithm 1 to search PNBs with two thresholds $\gamma_0 = 0.5$ and $\gamma_1 = 0.2$. In the first step, 111 PNBs are selected. In the second step, the other 22 PNBs are selected. The 133 PNBs are listed below. When 100

172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,198,199,200,204,205,206,207

To compare the effect of different methods, we also evaluate the backward correlation with other PNB set and assignment method for 7.25-round ChaCha. The detailed backward correlations are listed in Table 9. In Table 9, Experiment 4 is the method used in [BGG+23] with 133 PNBs. When the assignment for consecutive PNBs is $10\cdots00$ as shown in Experiment 5, the backward correlation is improved from $2^{-16.85}$ to $2^{-11.8}$. In this paper, we use the method in Experiment 6. Algorithm 1 is used to search PNBs with the two thresholds $\gamma_0 = 0.5$ and $\gamma_1 = 0.2$ in Experiment 6, and 133 PNBs are obtained with backward correlation $2^{-11.25}$.

Complexity analysis. The correlation of four-round differential-linear distinguisher for $E_m$ is $\epsilon_d = 2^{-32.2}$ and the backward correlation is $\epsilon_a = 2^{-11.25}$ for 133 PNBs. When $\alpha = 45$, from formula (13) in Subsection 2.5 we know that required number of input pairs is

Since the differential probability for $E_1$ is $2^{-7}$, the attacks need to be repeated for $2^7$ times. Then the total data complexity is $2^{93.8} \times 2^7 = 2^{100.8}$. From formula (15) in Subsection 2.5 we know that the total time complexity is $2^7 \cdot 2^{256-133} \cdot N + 2^7 \cdot 2^{256-\alpha} = 2^{223.9}$.

Equivalence of Reduced Round ChaCha
In this paper, we will present the equivalence between $(R+0.25)$-round and $(R+0.5)^{\oplus}$-round ChaCha, where $R \in \{1, 2, 3, \cdots\}$. For simplicity, we directly consider the case of $R = 7$, and prove the equivalence between 7.25-round and $7.5^{\oplus}$-round ChaCha. For the other case with different $R$, the equivalence between $(R+0.25)$-round and $(R+0.5)^{\oplus}$-round ChaCha can be proved similarly. The 7.25-round ChaCha presented in [MIM22, BGG+23, DGSS23] and the $7.5^{\oplus}$-round ChaCha presented in [BGG+23, WLHL23] are both reduced round versions of 8-round ChaCha, which can also be seen as the extensions of 7-round ChaCha by adding the 7.25-th and $7.5^{\oplus}$-th round functions as shown in Figure 3 and Figure 4. Denote by $X^{7.25}$ the output of 7.25-round ChaCha, and $Z^{7.25}$ the key stream produced by 7.25-round ChaCha, that is, $Z^{7.25} = X^{7.25} \boxplus X$. Similarly, denote by $X^{7.5^{\oplus}}$ the output of $7.5^{\oplus}$-round ChaCha, and $Z^{7.5^{\oplus}}$ the key stream produced by $7.5^{\oplus}$-round ChaCha, that is, $Z^{7.5^{\oplus}} = X^{7.5^{\oplus}} \boxplus X$. Compared to 7.25-round ChaCha, $7.5^{\oplus}$-round ChaCha adopts four more additions. It seems that $7.5^{\oplus}$-round ChaCha provides more security than 7.25-round ChaCha. However, in this section, we will show that $7.5^{\oplus}$-round ChaCha and 7.25-round ChaCha provide

Thus, when 7.25-round ChaCha can be attacked by certain chosen (known) plaintext method, $7.5^{\oplus}$-round ChaCha can also be attacked. On the other hand, when $7.5^{\oplus}$-round ChaCha can be attacked by certain chosen (known) plaintext method, 7.25-round ChaCha can also be attacked. Thus, 7.25-round ChaCha and $7.5^{\oplus}$-round ChaCha provide the same security against chosen (known) plaintext attacks.
The PNB-based differential-linear attack is one of the chosen plaintext attacks. Thus, $(R+0.25)$-round ChaCha and $(R+0.5)^{\oplus}$-round ChaCha provide the same security against the PNB-based differential-linear attack. On the other hand, we can also directly prove the equivalent security against the PNB-based differential-linear attack between 7.25-round ChaCha and $7.5^{\oplus}$-round ChaCha, and the detailed proof is presented in Appendix B. By the equivalent security, improved differential-linear attack of $7.5^{\oplus}$-round ChaCha can also be obtained based on the differential-linear attack of 7.25-round ChaCha as in Subsection 4.3. The time complexity is $2^{223.9}$, which improves the previously best-known attack by $2^{19}$.

Conclusion
In this paper, we study the security of reduced round ChaCha. First, based on the differential-linear hull, we improve the correlation of a four-round differential-linear distinguisher proposed at FSE 2023 by finding the other intermediate linear masks. Then, we present the differential-linear cryptanalysis of 7-round and 7.25-round ChaCha based on the PNB approach. By using the assignment $100\cdots00$ for consecutive PNBs, the backward correlation is significantly increased. Because of the improved correlation of the four-round differential-linear distinguisher and the improved backward correlation, improved key recovery attacks of 7-round and 7.25-round ChaCha are obtained. Finally, we show that $(R+0.25)$-round and $(R+0.5)^{\oplus}$-round ChaCha provide the same security against chosen (known) plaintext attacks. As a result, improved key recovery attack of $7.5^{\oplus}$-round ChaCha is obtained based on the key recovery attack of 7.25-round ChaCha. How to present better differential-linear distinguishers and how to present longer differential-linear cryptanalysis for reduced round ChaCha will be our future work.
In this paper, we use the symbols $\mathrm{Aut}_{E_1}(\Delta_m, \Gamma_m)$ and $C_{E_2}(\Gamma_m, \Gamma_{out})$ to represent the correlations of the differential-linear distinguisher $\Delta_m \xrightarrow{E_m} \Gamma_m$ and the linear approximation $\Gamma_m \xrightarrow{E_2} \Gamma_{out}$. By adopting all intermediate linear masks, Blondeau et al. [BLN17] presented the following proposition to compute the correlation of the differential-linear distinguisher based on the differential-linear hull.
At FSE 2008, Aumasson et al. [AFK+08] presented the first attack on ChaCha by the probabilistic neutral bits (PNBs). The PNB-based key recovery of R-round ChaCha mainly consists of the following steps.

Pre-processing Stage: Selecting PNBs and Evaluating the Backward Correlation.
$= PNB \cup \{i\}$;
7: else if $\gamma_1 \le \epsilon_i < \gamma_0$ then
8: $PNB_{pre} = PNB_{pre} \cup \{i\}$;
9: end if
10: end for
11: while $\#PNB < n$ do
12: for $i \in PNB_{pre}$ do
13: $PNB_{temp} = PNB \cup \{i\}$;
14: Test the backward correlation $\epsilon_i$ with the PNB set $PNB_{temp}$;

Figure 3: The 7.25-th round function of ChaCha

Table 1: Summary of cryptanalysis for reduced round ChaCha

Table 5: Correlation with different intermediate linear masks

where $E_1$ covers one round, $E_m$ covers four rounds, and $E_2$ covers the remaining rounds. At FSE 2023, Bellini et al. [BGG+23] found a one-round differential distinguisher $\Delta^0$ $E_1$

Table 7: Comparison of the backward correlations for the toy cipher

Differential-Linear Attack on 7-Round ChaCha

For 7-round ChaCha, $E_2$ covers two rounds. We use Algorithm 1 to search PNBs with two thresholds $\gamma_0 = 0.5$ and $\gamma_1 = 0.2$. In the first step, 147 PNBs are selected. In the second step, the other 22 PNBs are selected. The 169 PNBs are listed below. To improve the backward correlation, we assign $100\cdots00$ to consecutive PNBs and assign 0 to PNBs that are not consecutive. When $2^{36}$ samples are used, we can get a backward correlation $0.00027 = 2^{-11.855}$.

Table 8: Comparison of the PNBs and the backward correlation for 7-round ChaCha

$\cdots 00$ is assigned to consecutive PNBs, and 0 is assigned to PNBs that are not consecutive, we can get backward correlations $2^{-11.25}$ when $2^{36}$ samples are used.

Table 9: Comparison of the PNBs and the backward correlation for 7.25-round ChaCha