Improved Linear Approximations to ARX Ciphers and Attacks Against ChaCha

Abstract

In this paper, we present a new technique which can be used to find better linear approximations in ARX ciphers. Using this technique, we present the first explicitly derived linear approximations for 3 and 4 rounds of ChaCha and, as a consequence, it enables us to improve the recent attacks against ChaCha . Additionally, we present new differentials for 3 and 3.5 rounds of ChaCha that, when combined with the proposed technique, lead to further improvement in the complexity of the Differential-Linear attacks against ChaCha.

A Proofs

In this appendix, we expand the proof of Lemma 9 for each individual linear approximation.

1.1 A.1 Eq. (19)

Proof

Using Eqs. (9) and (10) we can write

$$ \begin{array}{ll} x_{b,i}^{(m-1)}\oplus x_{c,i}^{(m-1)} = &{} \mathcal {L}^{(m)}_{b,i} \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \\ &{} \mathcal {L}^{(m)}_{c,i} \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \varTheta _i(x^{(m-1)}_c, x^{\prime (m-1)}_{d}). \end{array} $$

Using the approximation of Eq. (17) we can write \(\varTheta _i(x^{(m-1)}_c, x^{\prime (m-1)}_{d}) = x^{\prime (m-1)}_{d,i-1}\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Thus, using Eq. (7) and canceling out common factors we get

$$ x_{b,i}^{(m-1)}\oplus x_{c,i}^{(m-1)} = \mathcal {L}^{(m)}_{b,i} \oplus \mathcal {L}^{(m)}_{c,i} \oplus x^{(m)}_{a,i-1} \oplus x^{(m)}_{d,i+7} , $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \), which concludes the proof.\(\square \)

1.2 A.2 Eqs. (20) and (21)

Proof

Using Eqs. (9) and (12) we can write

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{b,i}^{(m-1)} = &{} \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{b,i} \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \\ &{} \varTheta _i(x^{\prime (m-1)}_{a}, x^{\prime (m-1)}_{b}) \oplus \varTheta _i(x^{(m-1)}_{a}, x^{(m-1)}_{b}). \end{array} $$

Cancelling out common factors, using the approximation of Eq. (17) and the Piling-up Lemma we can write

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{b,i}^{(m-1)} =&\mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{b,i} \oplus x^{\prime (m-1)}_{b,i-1} \oplus x^{(m-1)}_{b,i-1} \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{2}}\right) \). Now we can replace \(x^{\prime (m-1)}_{b,i-1}\) using Eq. (5) and \(x^{(m-1)}_{b,i-1}\) using Lemma 3, which leads to

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{b,i}^{(m-1)} =&\mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{b,i} \oplus x^{(m)}_{b,i+6} \oplus x^{(m)}_{c,i-1} \oplus \mathcal {L}^{(m)}_{b,i-1} \oplus x^{(m)}_{d,i-2}, \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \) by the Piling-up Lemma. We can also use Lemma 1 in order to obtain

$$ \begin{array}{ll} x_{a,1}^{(m-1)}\oplus x_{b,1}^{(m-1)} =&\mathcal {L}^{(m)}_{a,1} \oplus \mathcal {L}^{(m)}_{b,1} \oplus x^{(m)}_{b,7} \oplus x^{(m)}_{c,0} \oplus \mathcal {L}^{(m)}_{b,0}, \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{2}}\right) \).\(\square \)

1.3 A.3 Eqs. (22) and (23)

Proof

Combining Eq. (10) and Eq. (12) we have

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{c,i}^{(m-1)} = &{} \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{c,i} \oplus \varTheta _i(x^{(m-1)}_c, x^{\prime (m-1)}_{d}) \oplus \\ &{} \varTheta _i(x^{\prime (m-1)}_{a}, x^{\prime (m-1)}_{b}) \oplus \varTheta _i(x^{(m-1)}_{a}, x^{(m-1)}_{b}). \end{array} $$

Using the approximation of Eq. (17) and the Piling-up Lemma we can write

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{c,i}^{(m-1)} =&\mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{c,i} \oplus x^{\prime (m-1)}_{d,i-1} \oplus x^{\prime (m-1)}_{b,i-1} \oplus x^{(m-1)}_{b,i-1} \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \). Now we can replace \(x^{\prime (m-1)}_{d,i-1}\) using Eq. (7), \(x^{\prime (m-1)}_{b,i-1}\) using Eq. (5) and \(x^{(m-1)}_{b,i-1}\) using Lemma 3 if \(i>1\) or 1 if \(i=1\), which leads to

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{c,i}^{(m-1)} = &{} \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{c,i} \oplus x^{(m)}_{a,i-1} \oplus x^{(m)}_{d,i+7} \oplus x^{(m)}_{b,i+6} \\ {} &{} \oplus x^{(m)}_{c,i-1} \oplus \mathcal {L}^{(m)}_{b,i-1} \oplus x^{(m)}_{d,i-2}, \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{4}}\right) \) by the Piling-up Lemma or

$$ \begin{array}{ll} x_{a,1}^{(m-1)}\oplus x_{c,1}^{(m-1)} = &{} \mathcal {L}^{(m)}_{a,1} \oplus \mathcal {L}^{(m)}_{c,1} \oplus x^{(m)}_{a,0} \oplus x^{(m)}_{d,8} \oplus x^{(m)}_{b,7} \\ {} &{} \oplus x^{(m)}_{c,0} \oplus \mathcal {L}^{(m)}_{b,0}, \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \). \(\square \)

1.4 A.4 Eq. (24)

Proof

Using Eq. (11) and Eq. (12) we can write

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{d,i}^{(m-1)} =&\mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{d,i} \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \varTheta _i(x^{(m-1)}_{a}, x^{(m-1)}_{b}). \end{array} $$

Using Eq. (17) we get

$$\begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{d,i}^{(m-1)} =&\mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{d,i} \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus x^{(m-1)}_{b,i-1}, \end{array} $$

and from Eq. (9)

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{d,i}^{(m-1)} = &{} \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{d,i} \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \\ {} &{} \mathcal {L}^{(m)}_{b,i-1} \oplus \varTheta _{i-1}(x^{\prime (m-1)}_c, x^{(m)}_{d}), \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Thus, using the approximation of Eq. (18) and the Piling-up Lemma we can write

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{d,i}^{(m-1)} =&\mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{d,i} \oplus \mathcal {L}^{(m)}_{b,i-1}, \end{array} $$

with probability \( \frac{1}{2}\left( 1+\frac{1}{2^2}\right) \).\(\square \)

1.5 A.5 Eq. (25)

Proof

Using Eq. (12) and Eq. (10) and canceling out common factors we get

$$ \begin{array}{ll} x_{a,i-1}^{(m-1)}\oplus x_{a,i}^{(m-1)}\oplus x_{c,i}^{(m-1)} = &{} \mathcal {L}^{(m)}_{a,i-1} \oplus \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{c,i} \oplus \\ {} &{} \varTheta _{i-1}(x^{\prime (m-1)}_{a}, x^{\prime (m-1)}_{b}) \oplus \varTheta _{i-1}(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \\ {} &{} \varTheta _{i-1}(x^{(m-1)}_{a}, x^{(m-1)}_{b}) \oplus \varTheta _{i}(x^{\prime (m-1)}_{a}, x^{\prime (m-1)}_{b}) \oplus \\ {} &{} \varTheta _{i}(x^{(m-1)}_{a}, x^{(m-1)}_{b}) \oplus \varTheta _i(x^{(m-1)}_c, x^{\prime (m-1)}_{d}) \end{array} $$

Using the approximation of Eq. (18) and the Piling-up Lemma we obtain

$$ \begin{array}{ll} x_{a,i-1}^{(m-1)}\oplus x_{a,i}^{(m-1)}\oplus x_{c,i}^{(m-1)} = &{} \mathcal {L}^{(m)}_{a,i-1} \oplus \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{c,i} \oplus \\ {} &{} \varTheta _{i-1}(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \varTheta _i(x^{(m-1)}_c, x^{\prime (m-1)}_{d}) \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \). Using Eq. (17) and Eq. (7) we get

$$ \begin{array}{ll} x_{a,i-1}^{(m-1)}\oplus x_{a,i}^{(m-1)}\oplus x_{c,i}^{(m-1)} = &{} \mathcal {L}^{(m)}_{a,i-1} \oplus \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{c,i} \oplus \\ {} &{} x^{(m)}_{d,i-2} \oplus x^{(m)}_{a,i-1} \oplus x^{(m)}_{d,i+7} \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^4}\right) \).\(\square \)

1.6 A.6 Eq. (26)

Proof

Using Eq. (9) and Eq. (12) and canceling out common factors we can write

$$ \begin{array}{l} x_{a,i}^{(m-1)}\oplus x_{a,i-1}^{(m-1)} \oplus x_{b,i}^{(m-1)} = \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{a,i-1} \oplus \mathcal {L}^{(m)}_{b,i} \oplus \\ \varTheta _{i-1}(x^{\prime (m-1)}_{a}, x^{\prime (m-1)}_{b}) \oplus \varTheta _{i-1}(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \varTheta _{i-1}(x^{(m-1)}_{a}, x^{(m-1)}_{b}) \oplus \\ \varTheta _i(x^{\prime (m-1)}_{a}, x^{\prime (m-1)}_{b}) \oplus \varTheta _i(x^{(m-1)}_{a}, x^{(m-1)}_{b}). \end{array} $$

Using the approximation of Eq. (18) and the Piling-up Lemma we can write

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{a,i-1}^{(m-1)} \oplus x_{b,i}^{(m-1)} = &{} \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{a,i-1} \\ {} &{} \oplus \mathcal {L}^{(m)}_{b,i} \oplus \varTheta _{i-1}(x^{\prime (m-1)}_c, x^{(m)}_{d}). \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{2}}\right) \). Using the approximation of Eq. (17) we get

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{a,i-1}^{(m-1)} \oplus x_{b,i}^{(m-1)} =&\mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{a,i-1} \oplus \mathcal {L}^{(m)}_{b,i} \oplus x^{(m)}_{d,i-2}. \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \). \(\square \)

1.7 A.7 Eq. (27)

Proof

Using Eq. (11) and Eq. (12), and canceling out common factors we have

$$ \begin{array}{ll} x_{b,i-1}^{(m-1)} \oplus x_{a,i}^{(m-1)}\oplus x_{d,i}^{(m-1)} = &{} x_{b,i-1}^{(m-1)} \oplus \mathcal {L}^{(m)}_{a,i} \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \\ {} &{} \varTheta _i(x^{(m-1)}_{a}, x^{(m-1)}_{b}) \oplus \mathcal {L}^{(m)}_{d,i} . \end{array} $$

Using the approximation of Eq. (17) we have \(\varTheta _i(x^{(m-1)}_{a}, x^{(m-1)}_{b}) = x^{(m-1)}_{b,i-1}\) occurring with probability \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \). Then

$$ \begin{array}{ll} x_{b,i-1}^{(m-1)} \oplus x_{a,i}^{(m-1)}\oplus x_{d,i}^{(m-1)} =&\mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{d,i} \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) . \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Finally, using the approximation of Eq. (17) and the Piling-up Lemma we get

$$ \begin{array}{ll} x_{b,i-1}^{(m-1)} \oplus x_{a,i}^{(m-1)}\oplus x_{d,i}^{(m-1)} =&\mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{d,i} \oplus x^{(m)}_{d,i-1} . \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{2}}\right) \). \(\square \)

1.8 A.8 Eq. (28)

Proof

Using Eq. (9) and Eq. (10), we can write

$$ \begin{array}{l} x_{b,i-1}^{(m-1)} \oplus x_{b,i}^{(m-1)} \oplus x_{c,i-1}^{(m-1)}\oplus x_{c,i}^{(m-1)} = \mathcal {L}^{(m)}_{b,i-1} \oplus \varTheta _{i-1}(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \mathcal {L}^{(m)}_{b,i} \oplus \\ \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \mathcal {L}^{(m)}_{c,i-1} \oplus \varTheta _{i-1}(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \varTheta _{i-1}(x^{(m-1)}_c, x^{\prime (m-1)}_{d}) \oplus \\ \mathcal {L}^{(m)}_{c,i} \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \varTheta _i(x^{(m-1)}_c, x^{\prime (m-1)}_{d}). \end{array} $$

Canceling out common factors we get

$$ \begin{array}{ll} x_{b,i-1}^{(m-1)} \oplus x_{b,i}^{(m-1)} \oplus x_{c,i-1}^{(m-1)}\oplus x_{c,i}^{(m-1)} = &{} \mathcal {L}^{(m)}_{b,i-1} \oplus \mathcal {L}^{(m)}_{b,i} \oplus \mathcal {L}^{(m)}_{c,i-1} \oplus \mathcal {L}^{(m)}_{c,i} \oplus \\ {} &{} \varTheta _{i-1}(x^{(m-1)}_c, x^{\prime (m-1)}_{d}) \oplus \\ {} &{} \varTheta _i(x^{(m-1)}_c, x^{\prime (m-1)}_{d}) . \end{array} $$

Thus, using the approximation of Eq. (18) we get

$$ \begin{array}{ll} x_{b,i-1}^{(m-1)} \oplus x_{b,i}^{(m-1)} \oplus x_{c,i-1}^{(m-1)}\oplus x_{c,i}^{(m-1)} =&\mathcal {L}^{(m)}_{b,i-1} \oplus \mathcal {L}^{(m)}_{b,i} \oplus \mathcal {L}^{(m)}_{c,i-1} \oplus \mathcal {L}^{(m)}_{c,i} . \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). \(\square \)

1.9 A.9 Eq. (29)

Proof

Using Eqs. (9), (10) and (12)

$$ \begin{array}{l} x_{a,i}^{(m-1)}\oplus x_{a,i-1}^{(m-1)} \oplus x_{b,i}^{(m-1)} \oplus x_{c,i-1}^{(m-1)} = \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{a,i-1} \oplus \mathcal {L}^{(m)}_{b,i} \oplus \mathcal {L}^{(m)}_{c,i-1} \oplus \\ \varTheta _i(x^{\prime (m-1)}_{a}, x^{\prime (m-1)}_{b}) \oplus \varTheta _i(x^{(m-1)}_{a}, x^{(m-1)}_{b}) \oplus \varTheta _{i-1}(x^{\prime (m-1)}_{a}, x^{\prime (m-1)}_{b}) \oplus \\ \varTheta _{i-1}(x^{(m-1)}_{a}, x^{(m-1)}_{b}) \oplus \varTheta _{i-1}(x^{(m-1)}_c, x^{\prime (m-1)}_{d}) . \end{array} $$

Using the approximation of Eq. (18) and the Piling-up Lemma we can write

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{a,i-1}^{(m-1)} \oplus x_{b,i}^{(m-1)} \oplus x_{c,i-1}^{(m-1)} = &{} \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{a,i-1} \oplus \mathcal {L}^{(m)}_{b,i} \oplus \mathcal {L}^{(m)}_{c,i-1} \oplus \\ {} &{} \varTheta _{i-1}(x^{(m-1)}_c, x^{\prime (m-1)}_{d}) . \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{2}}\right) \). Therefore, Eqs. (17) and (7) give us

$$ \begin{array}{ll} x_{a,i}^{(m-1)}\oplus x_{a,i-1}^{(m-1)} \oplus x_{b,i}^{(m-1)} \oplus x_{c,i-1}^{(m-1)} = &{} \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{a,i-1} \oplus \mathcal {L}^{(m)}_{b,i} \oplus \mathcal {L}^{(m)}_{c,i-1} \oplus \\ {} &{} x^{(m)}_{a,i-2} \oplus x^{(m)}_{d,i+6} . \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \). \(\square \)

1.10 A.10 Eq. (30)

Proof

Using Eqs. (10), (11) and (12), we can write

$$ \begin{array}{l} x_{a,i}^{(m-1)} \oplus x_{a,i-1}^{(m-1)}\oplus x_{c,i-1}^{(m-1)} \oplus x_{d,i}^{(m-1)} \oplus x_{d,i-1}^{(m-1)}= \mathcal {L}^{(m)}_{a,i-1} \oplus \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{c,i-1} \oplus \\ \mathcal {L}^{(m)}_{d,i-1} \oplus \mathcal {L}^{(m)}_{d,i} \oplus \varTheta _{i-1}(x^{(m-1)}_{a}, x^{(m-1)}_{b}) \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \\ \varTheta _i(x^{(m-1)}_{a}, x^{(m-1)}_{b}) \oplus \varTheta _{i-1}(x^{(m-1)}_c, x^{\prime (m-1)}_{d}). \end{array} $$

Using the approximation of Eq. (18) we have

$$ \begin{array}{l} x_{a,i}^{(m-1)} \oplus x_{a,i-1}^{(m-1)}\oplus x_{c,i-1}^{(m-1)} \oplus x_{d,i}^{(m-1)} \oplus x_{d,i-1}^{(m-1)}= \mathcal {L}^{(m)}_{a,i-1} \oplus \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{c,i-1} \oplus \\ \mathcal {L}^{(m)}_{d,i-1} \oplus \mathcal {L}^{(m)}_{d,i} \oplus \varTheta _i(x^{\prime (m-1)}_c, x^{(m)}_{d}) \oplus \varTheta _{i-1}(x^{(m-1)}_c, x^{\prime (m-1)}_{d}) \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Finally, by the Piling-up Lemma and using the approximation of Eq. (17) and Eq. (7), we get

$$ \begin{array}{l} x_{a,i}^{(m-1)} \oplus x_{a,i-1}^{(m-1)}\oplus x_{c,i-1}^{(m-1)} \oplus x_{d,i}^{(m-1)} \oplus x_{d,i-1}^{(m-1)}= \mathcal {L}^{(m)}_{a,i-1} \oplus \mathcal {L}^{(m)}_{a,i} \oplus \mathcal {L}^{(m)}_{c,i-1} \oplus \\ \mathcal {L}^{(m)}_{d,i-1} \oplus \mathcal {L}^{(m)}_{d,i} \oplus x^{(m)}_{d,i-1} \oplus x^{(m)}_{a,i-2} \oplus x^{(m)}_{d,i+6} \end{array} $$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \). \(\square \)