## Abstract

We present several improvements to the framework of differential-linear attacks with a special focus on ARX ciphers. As a demonstration of their impact, we apply them to Chaskey and ChaCha and we are able to significantly improve upon the best attacks published so far.

### Similar content being viewed by others

## Notes

After presenting those results at CRYPTO 2020 [1], improved attacks on ChaCha have been proposed [26]. Later, [27] pointed out mistakes in some parts of [26], leading to an updated version that has been published on the Cryptology ePrint Archive [28]. Very recently, another improved differential-linear attack has been presented [25].

Under the assumption that the sets \(\{\langle \Gamma _{\mathrm {out}}, E(x) \rangle \oplus \langle \Gamma _{\mathrm {out}}, E(x \oplus \Delta _{\mathrm {in}}) \rangle \mid x \in {\mathcal {X}}\}\) and \(\{\langle \Gamma _{\mathrm {out}}, E(x) \rangle \oplus \langle \Gamma _{\mathrm {out}}, E(x \oplus \Delta _{\mathrm {in}}) \rangle \mid x \in {\mathcal {S}}\}\) are indistinguishable, where \({\mathcal {S}}\) denotes a set of uniformly chosen samples of the same size as \({\mathcal {X}}\).

Or at least with a cost much lower than \(p^{-1}\), see Sect. 5.2.

The first case is exactly the one shown in [19], but its correlation was reported as \(2^{-6.1}\). We are not sure about the reason for this gap, but we think that \(2^{-6.1}\) refers to the bias instead of the correlation.

This correlation is estimated originally when the key \(k_7\) changes randomly, but \(k_7\) is a fixed constant. These correlations are much higher or lower according to the fixed key, but on key average, which is the natural attack assumption for symmetric-key ciphers, the average correlation is \(-2^{-1}\).

Note that it means that the success probability is \(0.491 \times 2 = 0.982\) under the condition that the right pair is successfully obtained during \(2^{5}\) iterations.

This is the same attack proposed in our original paper [1].

Note that it means that the success probability is almost 1 under the condition that the right pair is successfully obtained during \(2^{5}\) iterations.

When we estimate \(\epsilon _a\), we used the average correlation. When we used the median instead of the average, \(\epsilon _a = 2^{-11.1687}\). Then, the data and time complexities are \(2^{49.7856}\) and \(2^{231.823}\), respectively.

Some follow-up works [25,26,27, 41] have been proposed after our original proposal [1]. Our attack is still the best for 6-round attack in the context of key recovery. Even for 7 rounds, there have not been follow-up works that essentially improve the complexity yet. On the other hand, Coutinho and Neto presented more efficient distinguishing attacks in [41], and Miyashita, Ito, and Miyaji showed the key-recovery attack on 7.25 rounds in [25].

Note that \({\mathcal {P}}\) is not necessarily a

*direct*sum of \({\mathcal {P}}_1\), \({\mathcal {P}}_2\), and \({\mathcal {P}}_3\). In other words, the dimension of \({\mathcal {P}}\) might be smaller than 6, for instance if \(i=j\), i.e., \(\zeta _1 = \zeta _2\).

## References

C. Beierle, G. Leander, Y. Todo, Improved differential-linear attacks with applications to ARX ciphers, in Micciancio, D., Ristenpart, T. (eds.)

*CRYPTO 2020, Proceedings, Part III. LNCS*, vol. 12172 (Springer, Cham, 2020), pp. 329–358M. Broll, F. Canale, N. David, A. Flórez-Gutiérrez, G. Leander, M. Naya-Plasencia, Y. Todo, Further improving differential-linear attacks: Applications to Chaskey and Serpent.

*IACR Cryptol*. ePrint Arch.**2021**, 820 (2021). https://eprint.iacr.org/2021/820A. Shimizu, S. Miyaguchi, Fast data encipherment algorithm FEAL, in Chaum, D., Price, W.L. (eds.)

*EUROCRYPT ’87, Proceedings*. LNCS, vol. 304 (Springer, Berlin, Heidelberg, 1987), pp. 267–278D.J. Bernstein, The Salsa20 family of stream ciphers, in Robshaw, M.J.B., Billet, O. (eds.)

*New Stream Cipher Designs - The eSTREAM Finalists*. LNCS, vol. 4986 (Springer, Berlin, Heidelberg, 2008), pp. 84–97D.J. Bernstein, ChaCha, a variant of Salsa20 (2008). http://cr.yp.to/chacha.html

J.-P. Aumasson, L. Henzen, W. Meier, R.C.-W. Phan, SHA-3 proposal Blake. Submission to NIST (2008)

J. Aumasson, S. Neves, Z. Wilcox-O’Hearn, C. Winnerlein, BLAKE2: simpler, smaller, fast as MD5, in Jr., M.J.J., Locasto, M.E., Mohassel, P., Safavi-Naini, R. (eds.)

*ACNS 2013, Proceedings*. LNCS, vol. 7954 (Springer, Berlin, Heidelberg, 2013), pp. 119–135D. Dinu, L. Perrin, A. Udovenko, V. Velichkov, J. Großschädl, A. Biryukov, Design strategies for ARX with provable bounds: Sparx and LAX, in Cheon, J.H., Takagi, T. (eds.)

*ASIACRYPT 2016, Proceedings, Part I*. LNCS, vol. 10031 (Springer, Berlin, Heidelberg, 2016), pp. 484–513C. Beierle, A. Biryukov, L.C. dos Santos, J. Großschädl, L. Perrin, A. Udovenko, V. Velichkov, Q. Wang, Lightweight AEAD and hashing using the Sparkle permutation family.

*IACR Trans. Symmetric Cryptol.***2020**(S1), 208–261 (2020)N. Mouha, B. Mennink, A.V. Herrewege, D. Watanabe, B. Preneel, I. Verbauwhede, Chaskey: An efficient MAC algorithm for 32-bit microcontrollers, in Joux, A., Youssef, A.M. (eds.)

*SAC 2014, Revised Selected Papers*. LNCS, vol. 8781 (Springer, Cham, 2014), pp. 306–323L.R. Knudsen, D.A. Wagner, Integral cryptanalysis, in Daemen, J., Rijmen, V. (eds.)

*FSE 2002, Revised Papers*. LNCS, vol. 2365 (Springer, Berlin, Heidelberg, 2002), pp. 112–127Y. Todo, G. Leander, Y. Sasaki, Nonlinear invariant attack: Practical attack on full SCREAM, iSCREAM, and Midori64.

*J. Cryptol.***32**(4), 1383–1422 (2019)D. Khovratovich, I. Nikolic, Rotational cryptanalysis of ARX, in Hong, S., Iwata, T. (eds.)

*FSE 2010, Revised Selected Papers*. LNCS, vol. 6147 (Springer, Berlin, Heidelberg, 2010), pp. 333–346E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems.

*J. Cryptol.***4**(1), 3–72 (1991)M. Matsui, Linear cryptanalysis method for DES cipher, in Helleseth, T. (ed.)

*EUROCRYPT ’93, Proceedings*. LNCS, vol. 765 (Springer, Berlin, Heidelberg, 1993), pp. 386–397H. Lipmaa, S. Moriai, Efficient algorithms for computing differential properties of addition, in Matsui, M. (ed.)

*FSE 2001, Revised Papers*. LNCS, vol. 2355 (Springer, Berlin, Heidelberg, 2001), pp. 336–350J. Wallén, Linear approximations of addition modulo 2\({}^{\text{n}}\), in Johansson, T. (ed.)

*FSE 2003, Revised Papers*. LNCS, vol. 2887 (Springer, Berlin, Heidelberg, 2003), pp. 261–273S.K. Langford, M.E. Hellman, Differential-linear cryptanalysis, in Desmedt, Y. (ed.)

*CRYPTO ’94, Proceedings*. LNCS, vol. 839 (Springer, Berlin, Heidelberg, 1994), pp. 17–25G. Leurent, Improved differential-linear cryptanalysis of 7-round Chaskey with partitioning, in Fischlin, M., Coron, J. (eds.)

*EUROCRYPT 2016, Proceedings, Part I*. LNCS, vol. 9665 (Springer, Berlin, Heidelberg, 2016), pp. 344–371A.R. Choudhuri, S. Maitra, Significantly improved multi-bit differentials for reduced round Salsa and ChaCha.

*IACR Trans. Symmetric Cryptol.***2016**(2), 261–287 (2016)S. Dey, S. Sarkar, Improved analysis for reduced round Salsa and Chacha.

*Discrete Appl. Math.***227**, 58–69 (2017)J. Aumasson, S. Fischer, S. Khazaei, W. Meier, ,C. Rechberger, New features of Latin dances: Analysis of Salsa, ChaCha, and Rumba, in Nyberg, K. (ed.)

*FSE 2008, Revised Selected Papers*. LNCS, vol. 5086 (Springer, Berlin, Heidelberg, 2008), pp. 470–488Z. Shi, B. Zhang, D. Feng, W. Wu, Improved key recovery attacks on reduced-round Salsa20 and ChaCha, in Kwon, T., Lee, M., Kwon, D. (eds.)

*ICISC 2012, Revised Selected Papers*. LNCS, vol. 7839 (Springer, Berlin, Heidelberg, 2012), pp. 337–351S. Maitra, Chosen IV cryptanalysis on reduced round ChaCha and Salsa.

*Discrete Appl. Math.***208**, 88–97 (2016)S. Miyashita, R. Ito, A. Miyaji, Pnb-focused differential cryptanalysis of ChaCha stream cipher.

*IACR Cryptol.*ePrint Arch.**2021**, 1537 (2021). https://eprint.iacr.org/2021/1537 (to appear at ACISP 2022)M. Coutinho, T.C.S. Neto, Improved linear approximations to ARX ciphers and attacks against ChaCha, in Canteaut, A., Standaert, F. (eds.)

*EUROCRYPT 2021, Proceedings, Part I*. LNCS, vol. 12696 (Springer, Cham, 2021), pp. 711–740S. Dey, C. Dey, S. Sarkar, W. Meier, Revisiting cryptanalysis on ChaCha from Crypto 2020 and Eurocrypt 2021.

*IEEE Trans. Inf. Theory***68**(9),6114–6133 (2022). https://doi.org/10.1109/TIT.2022.3171865M. Coutinho, T.C.S. Neto, Improved linear approximations to ARX ciphers and attacks against ChaCha.

*IACR Cryptol*. ePrint Arch.**2021**, 224 (2021). https://eprint.iacr.org/2021/224E. Biham, Y. Carmeli, An improvement of linear cryptanalysis with addition operations with applications to FEAL-8X, in Joux, A., Youssef, A.M. (eds.)

*SAC 2014, Revised Selected Papers.*LNCS, vol. 8781 (Springer, Cham, 2014), pp. 59–76J. Neyman, E.S. Pearson, On the problem of the most efficient tests of statistical hypotheses.

*Philos. Trans. R. Soc. Lond. Ser. A Containing Papers of a Mathematical or Physical Character***231**, 289–337 (1933)T. Baignères, P. Junod, S. Vaudenay, How far can we go beyond linear cryptanalysis? in Lee, P.J. (ed.)

*ASIACRYPT 2004, Proceedings*. LNCS, vol. 3329 (Springer, Berlin, Heidelberg, 2004), pp. 432–450C. Blondeau, B. Gérard, K. Nyberg, Multiple differential cryptanalysis using LLR and \(\chi \) 2 statistics, in Visconti, I., Prisco, R.D. (eds.)

*SCN 2012, Proceedings*. LNCS, vol. 7485 (Springer, Berlin, Heidelberg, 2012), pp. 343–360B. Collard, F. Standaert, J. Quisquater, Improving the time complexity of Matsui’s linear cryptanalysis, in Nam, K., Rhee, G. (eds.)

*ICISC 2007, Proceedings*. LNCS, vol. 4817 (Springer, Berlin, Heidelberg, 2007), pp. 77–88E. Biham, O. Dunkelman, N. Keller, Enhancing differential-linear cryptanalysis, in Zheng, Y. (ed.)

*ASIACRYPT 2002, Proceedings*. LNCS, vol. 2501 (Springer, Berlin, Heidelberg, 2002), pp. 254–266A. Bar-On, O. Dunkelman, N. Keller, A. Weizman, DLCT: A new tool for differential-linear cryptanalysis, in Ishai, Y., Rijmen, V. (eds.)

*EUROCRYPT 2019, Proceedings, Part I*. LNCS, vol. 11476 (Springer, Cham, 2019), pp. 313–342S. Knellwolf, W. Meier, M. Naya-Plasencia, Conditional differential cryptanalysis of NLFSR-based cryptosystems, in Abe, M. (ed.)

*ASIACRYPT 2010, Proceedings*. LNCS, vol. 6477 (Springer, Berlin, Heidelberg, 2010), pp. 130–145C. Blondeau, G. Leander, K. Nyberg, Differential-linear cryptanalysis revisited.

*J. Cryptol.***30**(3), 859–888 (2017)C. Carlet,

*Boolean Functions for Cryptography and Coding Theory*(Cambridge University Press, Cambridge, 2021)K. Nyberg, Linear approximation of block ciphers, in Santis, A.D. (ed.)

*EUROCRYPT 1994*. LNCS, vol. 950 (Springer, Berlin, Heidelberg, 1994), pp. 439–444N. Mouha, Chaskey: a MAC algorithm for microcontrollers - status update and proposal of Chaskey-12.

*IACR Cryptol*. ePrint Arch.**2015**, 1182 (2015). https://eprint.iacr.org/2015/1182M. Coutinho, T.C.S. Neto, New multi-bit differentials to improve attacks against ChaCha.

*IACR Cryptol*. ePrint Arch.**2020**, 350 (2020). https://eprint.iacr.org/2020/350

## Acknowledgements

We thank the reviewers for their detailed and helpful comments. We further thank Lukas Stennes for checking the application of our framework to ChaCha in a first version of this paper. We also thank Juan del Carmen Grados Vásquez for pointing out the use of the median to evaluate the PNB-based key recovery. This work was partially funded by *Deutsche Forschungsgemeinschaft (DFG)* under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 714294 - acronym QUASYModo).

## Author information

### Authors and Affiliations

### Corresponding author

## Additional information

## Appendices

### Summary of Partitioning

We summarize various partition rules for modular addition. Note that we can verify the correlation of each case experimentally because they have a very high absolute correlation.

### 1.1 Single Modular Addition

Let us start with the most simple case of a single modular addition. To compute the parity \(z_0[i]\) and \(z_0[i] \oplus z_0[i-1]\) (shortly denoted by \(z_0[i,i-1]\)) from \(c_0\) and \(c_1\) (see Fig. 15), we represent each element of \({\mathcal {P}}\) as two-bit values \(b_0b_1\), therefore dividing the whole set into four subsets

where \(s = {{\bar{y}}}_1 \oplus y_0\). Note that these partition can be constructed by guessing two bits of key information, i.e., \((k_1 \oplus k_0)[i-1]\) and \((k_1 \oplus k_0)[i-2]\). Linear masks used in the previous partitioning technique involves 4 bits, i.e., \(y_1[i]\), \(y_0[i]\), \(y_0[i-1]\), and \(y_0[i-2]\). Our new partitioning technique additionally involves \(y_0[i-3]\), and parities \(z_0[i]\) and \(z_0[i,i-1]\) are approximated to

where \(\gamma \) and the corresponding correlations are summarized in Fig. 15.

### 1.2 More Complicated Case

In a similar way, we can extend the technique for the case of two consecutive modular additions. A concrete example, which is used to attack 7-round Chaskey, is shown in Fig. 16.

The goal is to compute the parity \(z_2[11]\) and \(z_2[11,10]\) from \(c_1\), \(c_2\), and \(c_3\) (see Fig. 16). We split the ciphertext into \(2^5\) partitions (this time indexed by five-bit values \(b_0b_1b_2b_3b_4\) representing the generic element of \({\mathcal {P}}\)) in the following way:

where \(s = {{\bar{v}}}_1 \oplus v_2\). In order for previously discarded partition to be available, our new partitioning technique additionally involves \(v_2[8]\) and \(v_2[16]\), and parities \(z_2[11]\) and \(z_2[11,10]\) are approximated to

where \(\gamma \) is appropriately chosen following Fig. 16. We remark that this new way of partitioning the ciphertexts allows us to find high-absolute-correlation masks for all the 32 partitions, up from the 24 used with the original [1].

### Understanding Partition Points

### 1.1 A Simple Toy Example

We transfer the above terminology to the simple toy example given in Fig. 17 and already discussed earlier in Sect. 2.2. In this example, for a fixed \(i\ge 2\), we want to evaluate \(z_0[i]\) or \(z_0[i]\oplus z_0[i-1]\) by using the partitioning rules as expressed in Lemma 2 and Lemma 3. For this, we say that \((z_0[i],z_0[i]\oplus z_0[i-1])\) defines a *partition point* \(\zeta \). This partition point gives rise to a 2-dimensional subspace \({\mathcal {P}}\) which can be defined by two parity check equations, i.e., \({\mathcal {P}}\) is a complement space of the space

For example, \({\mathcal {P}}\) can be chosen as \(\{([],[]),([i-1],[]),([i-2],[]),([i-2,i-1],[])\}\).

To demonstrate the attack from the previous section, we split \({\mathbb {F}}_2^{2m}\) into the direct sum \({\mathcal {P}}\oplus {\mathcal {R}}\). By the isomorphism between \({\mathcal {P}}\) and \({\mathbb {F}}_2^2\), we can identify the elements \(p \in {\mathcal {P}}\) by two-bit values \(p \cong b_0b_1\), where \(b_0\) indicates the parity of \(x_0[i-1] \oplus {{\bar{x}}}_1[i-1]\) and \(b_1\) indicates the parity of \(x_0[i-2] \oplus {{\bar{x}}}_1[i-2]\). We then consider the following four tuples \(({\mathcal {T}}_{b_0b_1},\Gamma _{\mathrm {out}}^{(b_0b_1)},\gamma ^{(b_0b_1)})\) and corresponding \(\varepsilon _{b_0b_1}\), whose definition come from the properties presented in Lemmas 2 and 3:

and

For example, we give an intuition for the choice of the second tuple when \((y_1,y_0) \in {\mathcal {S}}_{\mathtt {01}}\). Lemma 2 tells us that \(\langle ([],[i]) ,(z_1,z_0) \rangle = \langle ([i],[i,i-1]), (y_1,y_0) \rangle \oplus 1\), i.e., \(\varepsilon _{\texttt {0}{} \texttt {1}} = {{\textbf {Cor}}}_{y \in {\mathcal {T}}_{\texttt {0}{} \texttt {1}}} [\langle ({[}{]},[i]),z \rangle \oplus \langle ([i],[i,i-1]),y \rangle ] = -1\). On the other hand, Lemma 3 tells us that there is no linear representation with absolute correlation 1. Thus, if available, we should use \(\Gamma _{\mathrm {out}}^{(\mathtt {01})} = ([],[i])\) for this subset.

We further have

and we could recover the three bits, \(k_0[i-1]\), \(k_0[i-2]\), and \(k_0[i-3]\), by the last step using the fast Walsh–Hadamard transform.

### 1.2 Toy Example Using Multiple Partition Points

Let us now look at another example which consists of two branches of the structure depicted in Fig. 17 in parallel, i.e., \((y_3,y_2,y_1,y_0) = (F(z_3,z_2),F(z_1,z_0))\) and \(c_i = y_i \oplus k_i\). By using a single partition point as done in the above example, we can only evaluate the parity of at most two (consecutive) bits of \(z = (z_3,z_2,z_1,z_0)\). Instead of just one single partition point, we can also consider multiple partition points. For example, if we want to evaluate the parity involving three non-consecutive bits of \(z = (z_3,z_2,z_1,z_0)\), we can use three partition points, i.e.,

where \(i,j,\ell \ge 3\). In a specific attack, the choice of the partition points depends on the definition of the linear trail. Those partition points give rise to three subspaces \({\mathcal {P}}_1\), \({\mathcal {P}}_2\), and \({\mathcal {P}}_3\), defined by two parity-check equations each, i.e., \({\mathcal {P}}_i\) is a complement space of \({\mathcal {R}}_i\), where

By defining^{Footnote 12}\({\mathcal {P}}= {\mathcal {P}}_1 \oplus {\mathcal {P}}_2 \oplus {\mathcal {P}}_3\) and \({\mathcal {R}}\) to be a complement space of \({\mathcal {P}}\), we split \({\mathbb {F}}_2^{4m}\) into the direct sum \({\mathcal {P}}\oplus {\mathcal {R}}\).

We can identify the elements \(p \in {\mathcal {P}}\) by \(n_{{\mathcal {P}}}\)-bit values \(p \cong b_0b_1\dots b_{n_{{\mathcal {P}}}-1}\). We can then again define tuples

by using the properties presented in Lemma 2 and Lemma 3. For example, if \(n_{{\mathcal {P}}} = 6\), we can define

\(\Gamma _{\mathrm {out}}^{(\mathtt {010101})} = ([],[\ell ],[],[i,j]), \quad \gamma ^{(\mathtt {010101})} = ([\ell ],[\ell ,\ell -1],[i,j],[i,i-1,j,j-1])\), and \(\varepsilon _{\mathtt {010101}} = -1\) by using the first case of Lemma 2.

We can also use the three partition points to compute the parity of more than three bits of *z*. For example, if \(n_{{\mathcal {P}}} = 6\), by using Lemma 2 and 3, we can define

and

which evaluates the parity of five bits of *z*. Again, several choices for the definition of the tuples in Eq. (9) are possible.

### 1.3 Analysis for Two Consecutive Modular Additions

To avoid the usage of long linear trails and to reduce the data complexity, we may use the partition technique for the more complicated structure of two consecutive modular additions. Inspired by the round function of Chaskey, we consider the case depicted in Fig. 16.

Suppose that we have two partition points, i.e.,

where \(i,j \ge 3\). We use the same strategy described in “Appendix B.2”. Namely, we identify the elements \(p \in {\mathcal {P}}\) by \((5+2)\)-bit values, where 5-bit and 2-bit indicators come from the partition point \(\zeta _1\) and \(\zeta _2\), respectively. The applied linear mask and corresponding correlation can be computed as depicted in Figs. 15 and 16.

### Exploiting the Conditions for Finding Chaskey Relations

In Fig. 18, we have depicted the relations and the influence of the input bits on the conditions of the differential path. The bits that stay white (and have no pink color beneath, coming from the carries of the furthest additions) are the bits that do not affect the differential transitions.

It is easy to see how the bits provided in [1] as available for sampling with probability one are the only white ones, and therefore not needed for the differential conditions: [31,30,25,24,23,22,20,19,18,17,16] from \(v_2\) and [23,22,20,19,18,17,16] from \(v_3\). The differences are represented in gray. Dependencies in colors. A ‘g’ in the position of a difference means that this difference will go away (be absorbed) after the next addition. An ‘s’ means that the difference stays where it is, while ‘m’ means that it moves one position to the left. The color of the bits with differences in each transition will be applied to all the bits that might affect this transition. Carries are not directly applied to the involved bits but to the upper row to report the difference this implies.

Please note that for instance bits 28 and 27 from \(v_2\) cannot be included as the carry of the position 29 is needed by the orange bit relations, i.e., the differences after one round at position 29 of \(v_2\) and \(v_3\), but as said in Sect. 5.3, the bits of previous positions to 26 and 27 will not affect this orange carry anymore due to the particular configuration of 26 and 27. The bits provided in [1] that are neutral with very high probability are 20 and 19 from \(v_1\) and 31, 20 and 19 from \(v_0\) and 25 and 24 of \(v_3\).

Let us now see how can we use the conditional differential ideas and Fig. 18 in order to recover for free the value of some keybits and also to find additional bits of information for sampling and increasing the dimension of \({\mathcal {U}}\) from 18 as given in [1] (and involving exclusively one-bit relations) to 22, or 23 if one-bit relation on the key is known.

*Additional space for sampling*

Using Fig. 18 we can try to exploit the conditions to find more evolved relations for increasing the size of \({\mathcal {U}}\). Let us provide an example: Let us imagine we flip the bit from \(v_0[8]\). The corresponding difference, marked with a ‘g’, will have a change of parity. In order for this difference to be absorbed, we need to also flip the other blue difference that will be used for absorbing this one: \(v_1[8]\). However, if we flip this one, the value of the bit \(v_1[13]\) after one round, that does not contain a difference, will be flipped also, as to produce it, \(v_1[8]\) is shifted of 5 positions and XORed with the sum of \(v_0\) and \(v_1\), that has a difference in position 13, marked with an ‘s’: these differences cancel out in both cases, but the value of the resulting bit will change with the parity of \(v_1[8]\), and the value of this pink will affect the final light-pink transition in the third round, as can be seen in the picture. In order to avoid this, we have to also flip \(v_1[13]\): the state \(v_1\) after 1 round will be known the same, but the orange bit \(v_2[29]\) after one round that contains a difference and a ‘g’ will have the parity changed. In order to make the related transition be satisfied, we need to also change the parity of the other orange bit with a ‘g’: we flip \(v_2[29]\) from the first round, that does not have a difference, but that will change the parity of \(v_3[29]\) after the XOR. This bit will not have any more influence in the remaining transitions, so we have found our close relation. In total, we found four new probability-one relations by hand using this same technique. We have verified these relations as well as exhaustively searched all the ones with weight at most 3, and found that no other such relations exist.

## Rights and permissions

Springer Nature or its licensor holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

## About this article

### Cite this article

Beierle, C., Broll, M., Canale, F. *et al.* Improved Differential-Linear Attacks with Applications to ARX Ciphers.
*J Cryptol* **35**, 29 (2022). https://doi.org/10.1007/s00145-022-09437-z

Received:

Revised:

Accepted:

Published:

DOI: https://doi.org/10.1007/s00145-022-09437-z