So hello everyone, the title of this work is Improved Linear Approximations to ARX Ciphers and Attacks Against ChaCha. It's a joint work of myself, Murilo Coutinho, and Souza Neto. We are both researchers at the Research and Development Centre for Communication Security in Brazil. So let's start by talking about the stream cipher ChaCha. The cipher was proposed by Bernstein in 2008 as an improvement of the stream cipher Salsa, which was one of the winners of the eSTREAM competition. ChaCha consists of a series of ARX operations, addition, rotation and XOR, on 32-bit words, and it is highly efficient both in software and in hardware. And as everyone knows, ChaCha is heavily used. It's one of the cipher suites in TLS, for example, used on Chrome, Android, protocols such as SSH, Noise, VPN applications such as WireGuard, and actually also as a PRNG in newer Linux kernels. So of course, as ChaCha is very important, it's also important to understand its security very well. And these are the main results of cryptanalysis of reduced-round ChaCha. And as you can see here, this work improves the attacks for six rounds and seven rounds. Of course, in the case of the attack for seven rounds, we have a trade-off on time and memory. But it's also the first work in which we can develop linear approximations which get up to the seventh round. ChaCha, as I said, is an ARX cipher and it's based on a function which is called the quarter round function, which receives four integers and updates these integers with the operations on the left side here. And these operations can be represented as the circuit on the right side. Also, ChaCha is organized as a matrix, the state of the cipher, a four by four matrix, and each element of this matrix is a 32-bit integer. And the quarter round function is then applied first on the columns, in odd rounds, and in even rounds on the diagonals, respecting the colors that I plotted here in this slide.
The initial state of ChaCha is very simple. You initialize it with some constants, the 256-bit key, a nonce and a counter. Okay, after talking about ChaCha, it's time to talk a little bit about the definition of differential-linear cryptanalysis. Of course, differential cryptanalysis and linear cryptanalysis are the most important tools for cryptanalysis since the 90s, with the work of Shamir, Biham, Matsui, and so on. So it's possible to combine both of these techniques, and then you divide your cipher in two parts, which you call E1 and E2, two sub-ciphers, covering M and L rounds of the main cipher. So you apply an input differential on the sub-cipher E1, then you have a transition probability to another differential after those M rounds, and then you apply a linear mask, gamma in to gamma out, which holds with probability Q. Sometimes you can actually divide the cipher in three parts, as was done in the work of Beierle et al. in CRYPTO 2020 when attacking ChaCha. And yeah, this is the basic review. Okay, so now we are going to talk a little bit about linear approximations to ARX ciphers and more specifically to the stream cipher ChaCha. So in previous work, in 2016, Choudhuri and Maitra developed a theory for selecting specific combinations of bits that give higher correlations for ChaCha, and they did that by exploring the mathematical structure of the algorithm. And of course, as expected, the difficult part is to deal with the addition operation, which is the nonlinear operation of ARX algorithms. Thus, let us define right now that the function θ(x, y) is the carry function of the sum x + y. So we define θ_i as the i-th bit of θ(x, y). So by definition, remember that θ_0 is equal to zero. And then in that work in 2016, Choudhuri and Maitra showed that we can write the quarter round function equations of ChaCha as these expressions.
And more importantly, these equations can be inverted, so you can represent any bit of the state of ChaCha in round m - 1 as a combination of bits of the round after. So here you can see that we have a linear part, XOR, and a nonlinear part, which is represented as a combination of carry bits, the function θ. And these are the linear expressions that we get for ChaCha. And the important thing here is that using properties of θ it is possible to obtain linear approximations for the quarter round function. And in previous work, Choudhuri and Maitra used the following result, in which you can approximate θ in position i by the bit y in position i - 1 with correlation 1/2. For example, take bit i of the word B when applied in the quarter round function, as we saw in the previous slide; we have this expression. And then we have here a linear approximation to this bit with correlation 1/2. So in previous works on cryptanalysis of ARX ciphers, authors concentrated on finding these linear approximations by using these equations for one round and repeating these equations for each round that you desire to expand. However, we showed in this work that we can actually create a strategy to improve linear approximations when considering more rounds by combining the following linear approximations for θ. The first one is the one that we saw previously. And the second one is new. And you can see that we have two adjacent bits of the carry, and they cancel out to zero with correlation 1/2. So for example, again, consider bit i of the word B as we did some moments ago. Then suppose that we try to find an approximation to this linear combination of two adjacent bits of the word B. So in previous works, we would use the expansion that we are showing above here two times, once for this bit and once for the second bit. And then we would get this linear expression below with correlation 1/4.
Instead, we could use the approximation that cancels out the nonlinear terms. In this case, it's easy to see that the expansion would be this one. So, of course, you can cancel out these two terms, and this leads to this linear expression that not only has fewer terms, which is a good thing when you are trying to expand further, but also has a higher correlation of 1/2. So why is this useful against ARX ciphers? Because it is possible to reduce the complexity in several cases. For example, a very simple example here: consider the sum z = x + y. If you want a linear approximation to the seventh bit of z, then we can use the first approximation of the carry function to obtain, by definition, this expression. So this is by definition for the sum, of course; then with the first linear approximation to the carry bit, you get this expression in which you can see that you have two adjacent bits here as a given. So every time that you use the first expression, you get the second one for free. So in the second round, it would be way better to expand the equation using that expression instead of individually expanding with the linear approximation for one round. And this works because, since the XOR operation will not change the indexes and the rotation will probably keep these two bits adjacent, then yeah, we can use the second approximation to cancel out the nonlinear terms. And applying this idea, we derived and improved more than 15 new linear approximations for one round of ChaCha. For example, for multiple active input bits in round m - 1 and multiple active output bits in round m, the following linear approximations hold for ChaCha with correlation 1/2^k. So here we see three examples in which we have combinations of bits in a round, so even combinations of three bits with very high correlation, which is very good.
So using these results that we proved in our work, we tried to improve our own previous work in 2020, deriving the following linear approximation. So in that work in 2020, we showed that this expansion for six rounds leads to a correlation of 2^-13. However, we can do better with the proposed technique, and in fact we present here the first explicitly derived approximation spanning three complete rounds of ChaCha, with correlation 2^-8. So this is the expression; it's a very beautiful expression, as you can see, and this was proven in our paper. The proof is there for anyone who is interested to understand, and also we verified these results computationally. So now the challenge: of course we had an approximation up to six rounds, and the challenge is to try to find a distinguisher for seven rounds, because in 2016 Choudhuri and Maitra remarked that an expansion of this method to seven rounds would be very unlikely to be useful. Indeed, applying their technique as they presented in their work, the aggregated correlation for seven rounds would be 2^-109, thus using this linear expression in a differential-linear attack would give a distinguishing complexity that is very high, no less than 2^436, which is of course useless. However, using our linear approximations you can get a much better result, and in fact we proved in our paper that the following linear approximation holds with correlation 1/2^55, and again it's a very beautiful expression. It's hard to prove, but we did it, and also verified the results computationally by separating independent parts, computing the correlation and using the Piling-up Lemma to get the final result.
So using the differential correlation of our previous work in 2020, we can create new distinguishers for six rounds with complexity 2^51, which is way below anything we currently had against ChaCha, and for seven rounds, for the first time, a distinguisher using the framework of Choudhuri and Maitra, with which it was impossible to get a distinguisher for seven rounds; now we have one with complexity 2^224. So we showed in our paper that we can actually get linear approximations up to seven rounds with smaller correlations, provided that we can get a differential for three and a half rounds. So we expect that it should be possible to improve the attacks a little bit, for anyone that is interested. So these were the main results of our paper, but we additionally found some new differentials. As in previous works, these differentials were found experimentally, and to do that we divided the cipher in three parts as presented by Beierle et al. in CRYPTO 2020, and in that work the authors showed that the following differential characteristic occurs with probability 2^-5 on average for the quarter round function of ChaCha. And this procedure is computationally intensive, as some of the correlations are very small, and to achieve this amount of computation we used 8 NVIDIA GPUs, and we actually made this code publicly available on GitHub; anyone interested can get the link in our paper, and as far as we know this is the first publicly available code for cryptanalysis of ChaCha. And yeah, these are the results of the differentials that we could find for three and a half rounds.
We should note that since the first version of this paper was published, several independent researchers reviewed our results and code, and we would like to thank Juan Vasquez, who identified a small mistake in the code that we made publicly available; it was just a plus one on a line that we missed, but actually that affected the results of this table, and actually Dey et al. in 2021 independently noticed that the reported results were not accurate and computed an alternative version of this table.

So, conclusions and future work: this work presented a new technique to find linear approximations for ARX ciphers, and applying this technique we presented new linear approximations to the stream cipher ChaCha, which gave us new and improved distinguishers, and we expect that the proposed technique can be used to improve attacks against similar ARX-based designs such as the stream cipher Salsa and the hash function BLAKE. And additionally, we believe that it may be possible to improve further the attacks against ChaCha, because as we showed, the linear correlation for the differential at position bit 0 of word 5 was higher than the one that we actually used to create the attack, and the weight of the linear correlation on the complexity of the attack is higher on the linear part than it is on the differential part, so maybe someone can find a compromise there, and it may be possible to improve attacks on ChaCha a little bit more using these techniques. So yes, with that we finish our presentation. Here are some references; of course, in the paper you can get the full list of references. And we would like to thank everyone that got to this point of the presentation. Thank you very much.
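As an added example (not code from the talk or the paper), the following Python script checks the two carry approximations described above, θ_i ≈ y_{i-1} and θ_i ⊕ θ_{i+1} ≈ 0, and then reproduces the z = x + y argument for two adjacent output bits: expanding each carry separately versus cancelling the adjacent carries. The counts are exhaustive over small word widths, which is exact because the predicates only read the lowest i + 2 bits; the function names and widths are my own choices.

```python
from fractions import Fraction

def carry_word(x: int, y: int, width: int) -> int:
    """theta(x, y): bit i is the carry into position i of x + y (theta_0 = 0).
    Since s_i = x_i ^ y_i ^ theta_i, theta = x ^ y ^ (x + y), truncated to width bits."""
    return (x ^ y ^ (x + y)) & ((1 << width) - 1)

def bit(v: int, i: int) -> int:
    return (v >> i) & 1

def correlation(width: int, predicate) -> Fraction:
    """Exact correlation 2*Pr[predicate] - 1 over all width-bit pairs (x, y);
    the predicates below only read the low i + 2 bits, so this is exact, not sampled."""
    hits = sum(predicate(x, y) for x in range(1 << width) for y in range(1 << width))
    return Fraction(2 * hits, 1 << (2 * width)) - 1

def corr_carry_vs_prev_bit(i: int) -> Fraction:
    """Known approximation: theta_i(x, y) ~ y_{i-1}; correlation 1/2 for i >= 1."""
    w = i + 2
    return correlation(w, lambda x, y: bit(carry_word(x, y, w), i) == bit(y, i - 1))

def corr_adjacent_carries(i: int) -> Fraction:
    """New approximation: theta_i ^ theta_{i+1} ~ 0; correlation 1/2."""
    w = i + 2
    return correlation(w, lambda x, y: bit(carry_word(x, y, w), i) == bit(carry_word(x, y, w), i + 1))

def corr_two_bits_naive(i: int) -> Fraction:
    """z = x + y: approximate z_{i-1} ^ z_i by expanding each carry separately with
    theta_j ~ y_{j-1}, giving x_{i-1} ^ x_i ^ y_i ^ y_{i-2}; correlation 1/4 (i >= 2)."""
    w = i + 2
    def pred(x, y):
        z = (x + y) & ((1 << w) - 1)
        return (bit(z, i - 1) ^ bit(z, i)) == (bit(x, i - 1) ^ bit(x, i) ^ bit(y, i) ^ bit(y, i - 2))
    return correlation(w, pred)

def corr_two_bits_cancel(i: int) -> Fraction:
    """Same target, but theta_{i-1} ^ theta_i ~ 0 cancels both carries at once,
    giving x_{i-1} ^ y_{i-1} ^ x_i ^ y_i: fewer terms and correlation 1/2."""
    w = i + 2
    def pred(x, y):
        z = (x + y) & ((1 << w) - 1)
        return (bit(z, i - 1) ^ bit(z, i)) == (bit(x, i - 1) ^ bit(y, i - 1) ^ bit(x, i) ^ bit(y, i))
    return correlation(w, pred)

if __name__ == "__main__":
    for i in (2, 3, 5):
        print(i, corr_carry_vs_prev_bit(i), corr_adjacent_carries(i),
              corr_two_bits_naive(i), corr_two_bits_cancel(i))
```

The same four correlations hold for every bit position i ≥ 2, not just the ones printed, because the bits above position i + 1 never enter the predicates.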