Boosting Differential-Linear Cryptanalysis of ChaCha7 with MILP

Authors

  • Emanuele Bellini Cryptography Research Centre, Technology Innovation Institute, Abu Dhabi, UAE
  • David Gerault Cryptography Research Centre, Technology Innovation Institute, Abu Dhabi, UAE
  • Juan Grados Cryptography Research Centre, Technology Innovation Institute, Abu Dhabi, UAE
  • Rusydi H. Makarim Independent Researcher
  • Thomas Peyrin Nanyang Technological University, Singapore, Singapore

DOI:

https://doi.org/10.46586/tosc.v2023.i2.189-223

Keywords:

Cryptanalysis, Differential-Linear Attack, ChaCha20

Abstract

In this paper, we present an improved differential-linear cryptanalysis of the ChaCha stream cipher. Our main contributions are new differential-linear distinguishers that we were able to build thanks to the following improvements: a) we considered a larger search space, including 2-bit differences (besides 1-bit differences) for the difference at the beginning of the differential part of the differential-linear trail; b) a better choice of mask between the differential and linear parts; c) a carefully crafted MILP tool that finds linear trails with higher correlation for the linear part. We eventually obtain a new distinguisher for ChaCha reduced to 7 rounds that requires 2166.89 computations, improving the previous record (ASIACRYPT 2022) by a factor of 247. Also, we obtain a distinguisher for ChaCha reduced to 7.5 rounds that requires 2251.4 computations, being the first time of a distinguisher against ChaCha reduced to 7.5 rounds. Using our MILP tool, we also found a 5-round differential-linear distinguisher. When combined with the probabilistic neutral bits (PNB) framework, we obtain a key-recovery attack on ChaCha reduced to 7 rounds with a computational complexity of 2206.8, improving by a factor 214.2 upon the recent result published at EUROCRYPT 2022.

Published

2023-06-16

Issue

Section

Articles

How to Cite

Boosting Differential-Linear Cryptanalysis of ChaCha7 with MILP. (2023). IACR Transactions on Symmetric Cryptology, 2023(2), 189-223. https://doi.org/10.46586/tosc.v2023.i2.189-223