our idea on that. After that I will discuss what is the probabilistic neutral bit, in short PNBs, and I will discuss our approach to find PNBs. Then, using this differential attack and probabilistic neutral bit, we will merge both ideas and will try to find key better than exhaustive key search. So that is third part, key recovery attack. Then after that our results in this direction, and finally I will conclude my talk.

So first is ChaCha cipher. So ChaCha cipher is like this. We have one matrix X of 4 cross 4, this is 4 cross 4 matrix, and each entry is 32 bit, and we call each cell one word. So we have total 16 words and 32 bits. So total we have 16 times 32, 512 bits. In this matrix first row is constant row. So this C0, C1, C2, C3, this is fixed constant. Second two rows are key rows and last row is public variable. T0 is counter and Vi's are nonces. And for ChaCha 256, that means 256 bit key, this first row, these constants are something like this, C0 to C3 are like this, and for ChaCha 128, so 128 bit key, these constants are almost same, only very slight difference. So here you can see C1 is 33, here 31, something like that. And for ChaCha 128 this second and third row should be identical. So K4 should be K0, K5 should be K1, K6, K2, like that. So for ChaCha 128 we have 4 times 32, 128 bit key.

So that is ChaCha matrix, and we have to apply this function, quarter round function, on these ChaCha columns. So this first column, second column, third column and fourth column; after that we have to apply on diagonals like X0, X5, X10, X15; X1, X6, X11, X12, like that. So alternatively we have to apply column rounds and diagonal rounds. This we have to apply quarter round function, and what is quarter round function?
It has, its input is 128 bit, so A, B, C, D all are 32 bit, and output is also 128 bit, A double prime, B double prime, C double prime, D double prime, and operation is like this. First we have to calculate A boxplus B, this means A plus B modulo 2 to the power 32, then that you call A dashed, and then calculate this XOR operation and make cyclic rotate. So we are using addition mod 2 to the power 32 and XOR operation and cyclic rotation, and we have to use this operation. So this is quarter round function, and as I already told you, we have to use this function over columns and diagonals alternatively.

So say after R rounds we will have, say, new matrix XR. So initially we have some X0 and after R rounds we are XR, and then output Z should be X0 boxplus XR; boxplus means you have to make addition mod 2 to the power 32. So corresponding cells, first cell of X0 and first cell of XR, you have to add mod 2 to the power 32. So output is 512 bit.

So this is something like this: A, B, C, D, quarter round function, and we have to apply this ARX operation, and after one round we will have again another 128 bit, and it is not difficult to prove that this function operation is actually invertible. So if you know output you will get corresponding input. Since this is invertible, ChaCha round function is also invertible. So if you know XR, just making inverse, you will get your original starting matrix X0.

Now come to differential attack and our idea in this direction, in this differential attack. So in differential attack we have to start with two ChaCha states, and all bits are same except few positions, and actually in our case only one bit is different and all other bits are same.
So we have ChaCha matrix is 512 bit, all 512 bits are same except one bit, and that bit should be from public variable, and we have to apply few rounds, ChaCha rounds, over this original matrix and that differential matrix, and we have to check, say after r rounds, whether there is any correlation among these two matrices. So here key should be same but IV should be different. So we have to start with some X0 and X dash 0. And say after r rounds we are getting X R and X dash R, then we calculate this differential state matrix delta R like this, where delta R I is X I R XOR X dashed I R. So initially, since we are giving only one difference, only one delta I R should be, only one should be non zero and all others are zero. So delta zero I all are zero except only one I.

So we have X0 and X dash 0 and we are giving input difference, say at j-th bit of i-th word. So delta I J zero, it is one; then we apply r rounds and we calculate this probability. So after r rounds we calculate delta R P Q 1, Q-th bit of P-th word, it is one, given this input difference is one here at j-th bit, i-th word. Suppose this probability is half into one plus epsilon d, then this epsilon d we call forward bias. And for attack we have to increase this epsilon d as much as possible.

So again recall, so this is our ChaCha matrix and we are giving difference only on the last row because last row is public variable row. And it is not difficult to prove that if you give one bit difference and apply one round on X and X dash, so after one round you will have 10 difference. So if you calculate X1 and X dash 1, you have total 512 bit, and if you check, it can be minimum 10 difference, it can be more than 10 difference. Now if you have 10 difference you will have better epsilon d, you will have better forward bias. Now last year, not last year, two years back.
So CRYPTO 2020, Beierle, Leander and Todo, they showed that for 10 difference you can get back around 70 percent keys; for 30 percent key you do not have any IV which can give you 10 difference. Now instead of, and for that, to get 10 difference, on average you have to try 32 IVs and among the 32 one will give you 10 difference. Now instead of 10 difference if we go slightly more, so 12 difference, then one advantage is now not only 70 percent keys, for 100 percent key you will have 12 difference after one round, and also you do not need to try for 32 IVs, you need on average, you need only 9 IVs. So of course in this situation epsilon d is now less, initially it was like this, now you have like this, but advantage here is this probability is now getting better, and overall you can see that we can get slightly better probability, so all together. So instead of 10 difference we can try 12 difference. Now using memory we can improve further.

So again recall, so our matrix is this and suppose we are giving difference here, on V0, so one bit difference. Now K1 is 32 bit, K5 is also 32 bit, so instead of trying to find IV in online phase you can make a table in offline phase, so you have total 64 bit and you find corresponding IV, this V0, so that after one round, after one column round, this column, this difference is 10. So we can avoid this probability inverse random IV choice in the online phase, and of course then you need table; since you have 70 percent keys, table size will be like this. Now we can reduce further, so these key bit positions you can partition into two sets, like K mem and K nmem; now you do not need to store K nmem but still you can find the corresponding IV.
So for example suppose I am giving difference here, 13, 6, that means 13th word, so this word, and 6th bit. Now this set is like this, so probability is 18, that means 64 minus 18, 46 IVs are not free, we have to track that IV properly, and for these positions it can be any value, so you have to take that IV fixed and you can take any values from this position but you will get one unique key. So now table size is 2 to 46, but now instead of 70 percent it will use up to 62 percent, so final table size will be like this.

Now come to probability neutral bit idea and our approach to find PNBs. So output in ChaCha is Z equal to X boxplus XR. So in probability neutral bit you have to find one key bit position K so that if you change, first you have to change that bit position on X and X dash, so suppose this is X tilde and X dash tilde, and calculate this thing, Z minus X tilde and Z dash minus X dash tilde, and go reverse capital R minus small r rounds; suppose you are getting Y and Y dash, and calculate this value; if this value is same as your original differential value with some good probability, then we call that is probabilistic neutral bit.

So situation is something like this: we are starting with X0 and X dash 0, we have to apply r ChaCha rounds, so we are here, X r and X dash r, and calculate this value; then we go forward and go up to capital R round, so we are here and here, Z equal to X0 boxplus XR and Z dash equal to X dash 0 boxplus X dash R; then we need to change one key bit value on both X0 and X dash 0 and calculate this value, and apply reverse ChaCha round and check whether this value is same as your original value or not. If this is same with high probability, we call that is probabilistic neutral bit.

Now using some conventional method, CRYPTO 2020 authors got something 74 PNBs, so they got 74 PNBs. Now instead of that, in the conventional method there is some threshold; if bias is more than that threshold, consider that is your one PNB, like
that. Now instead of that conventional idea we change little bit and we propose some new three step strategy, and using this strategy we got better PNBs. So now instead of 7, so in our first, so this is in the first stage we got 68, second stage 8, and finally we got 3. So these all reds we got from first stage, these blues are from stage 2 and these greens are from stage 3, so finally we got 79.

Yeah, now come to key recovery attack. So normally using this PNBs idea we don't need to try to find key at once; we have no key into two sets, one is PNB and another is non PNB, and we first try to find non PNBs. So we first try to guess this: suppose number of PNBs N and suppose key is 256, so number of non PNBs 256 minus N, and we first try to guess this non PNBs part and we use distinguisher, that differential distinguisher, to find these non PNBs, and after that we will find the remaining key bits. So normally it is multiplication but here in some sense addition.

Now there can be two types of error: that our guess is correct, non PNB guess is correct, but still bias is very small, so we call that is probability of non detection; and another is, non PNBs are not correct but still bias can be high, and we call that is probability of false alarm. So we have these two probabilities. Now using statistics it is not difficult to prove that if you use these many samples then you can bound both these errors, and in that time final time complexity will be like this.

Now come to our result. Now we give distinguisher here, 13th word 6th bit, and we consider this output difference and forward bias is this, so this is exactly like CRYPTO paper. Now we take this PNB set, so this 79 PNB set, and we got this is backward bias, and finally time complexity becomes like 2 to the power 221.95, but of course we need more data and more memory than that CRYPTO paper. So this is our result for ChaCha 128: see, up to 6 rounds existing data was something like this, 2 to the power 105, now we got 2 to the power 84 and 2 to the
power 81 if you use slightly large memory, and for ChaCha 6.5 this is first time we can cryptanalyze, and attack complexity is 2 to the power 123, and for ChaCha 256 7 round existing was 2 to the power 230.86, now is 2 to the power 221.95, but now we are using memory; existing was memory less or almost negligible memory.

Yeah, now come to conclusion. So using memory we can improve time complexity, and also we present new technique to get PNBs, and using these two ideas, idea 1 and idea 2, we got these times better time complexity for 7 round ChaCha, and also for 6 round ChaCha we got huge improvement, 2 to the power 23, and now for ChaCha 128 we can analyze up to 6 and half round. Yeah, that's all, thank you.

Are there any questions? Please, if you can, when you ask questions please come to the microphone.

Sir, hello sir, hello sir, hello sir. This is Asma Shaheen from Pakistan. Thank you for the great talk. I just want to ask you that you have introduced a new strategy, the new technique with which you have reduced the complexity of differential attack; have you tried it on any other algorithm, or is it feasible to reduce the complexity for any other algorithm?

Yeah, I think we can try for other ARX algorithm where PNBs are used, like Salsa, but I don't know because is very important I fast right there.

Okay, thank you sir.

Okay, as we started late because of me and then because of technical issues, one quick question if somebody has.

Then I was curious to know if you think that there is any countermeasure that could be added to ChaCha to make this kind of attack more difficult?

Yeah, so instead of initial, so ChaCha output is Z equal to X plus XR, so my feeling is instead of just X plus XR we can go one round, X1, and if output is Z equal to X1 plus XR, I don't think at least this kind of attack is possible, this PNB attack, because here we are out of 512 bit attack are getting 256 all free, so that's our constant and last row is public variable, so instead of that we go up to one round and but
I don't know whether it is practical or not.

Thank you. Let's thank the speaker. So