Abstract

This work concentrates on differential-linear distinguishing attacks on the prominent ARX-based permutation ChaCha. We significantly improve the 7-round differential-linear distinguisher for the ChaCha permutation by introducing a new path of linear approximation. We first introduce a new single-bit differential distinguisher for the 3.5th round of the permutation, which helps us construct a new path for the differential-linear distinguisher. We show that one can distinguish the 7-round ChaCha permutation with time complexity 2^{207}. This improves on the recent work of Coutinho et al. (in: Advances in Cryptology—ASIACRYPT 2022—28th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, December 5–9, 2012, Springer, 2022), which achieved time complexity 2^{214}. We also propose a distinguisher for the 7.25-round ChaCha permutation; this is the first distinguishing attack on more than 7 rounds of the ChaCha permutation. We provide theoretical proofs and the corresponding experimental results for the linear approximations that we use in the differential-linear distinguisher. We point out that the existing multibit distinguishing attacks on the cipher ChaCha are invalid. These attacks work only for the ChaCha permutation.
