Latin Dances Reloaded: Improved Cryptanalysis Against Salsa and ChaCha, and the Proposal of Forró

Abstract

In this paper, we present 4 major contributions to ARX ciphers and in particular, to the Salsa/ChaCha family of stream ciphers:

1. (a)

   We propose an improved differential-linear distinguisher against ChaCha. To do so, we propose a new way to approach the derivation of linear approximations by viewing the algorithm in terms of simpler subrounds. Using this idea, we show that it is possible to derive almost all linear approximations from previous works from just 3 simple rules. Furthermore, we show that with one extra rule, it is possible to improve the linear approximations proposed by Coutinho and Souza at Eurocrypt 2021 (Coutinho and Neto, in: Canteaut, Standaert (eds) Advances in cryptology—EUROCRYPT 2021—40th annual international conference on the theory and applications of cryptographic techniques, Zagreb, Croatia, October 17–21, 2021, proceedings, Part I. Lecture notes in computer science, vol 12696, Springer, 2021).

2. (b)

   We propose a technique called Bidirectional Linear Expansions (BLE) to improve attacks against Salsa. While previous works only considered linear expansions moving forward into the rounds, BLE explores the expansion of a single bit in both forward and backward directions. Applying BLE, we propose the first differential-linear distinguishers reaching 7 and 8 rounds of Salsa and we improve Probabilistic Neutral Bit (PNB) key-recovery attacks against 8 rounds of Salsa.

3. (c)

   At Eurocrypt 2022 (Dey et al in Revamped differential-linear cryptanalysis on reduced round chacha, Springer, 2022), Dey et al. proposed a technique to combine two input–output positions in a PNB attack. In this paper, we generalize this technique for an arbitrary number of input–output positions. Combining this approach with BLE, we are able to improve key recovery attacks against 7 rounds of Salsa.

4. (d)

   Using all the knowledge acquired studying the cryptanalysis of these ciphers, we propose some modifications in order to provide better diffusion per round and higher resistance to cryptanalysis, leading to a new stream cipher named Forró. We show that Forró has higher security margin; this allows us to reduce the total number of rounds while maintaining the security level, thus creating a faster cipher in many platforms, especially in constrained devices.

5. (e)

   Finally, we developed CryptDances, a new tool for the cryptanalysis of Salsa, ChaCha, and Forró designed to be used in high performance environments with several GPUs. With CryptDances it is possible to compute differential correlations, to derive new linear approximations for ChaCha automatically, to automate the computation of the complexity of PNB attacks, among other features. We make CryptDances available for the community at https://github.com/murcoutinho/cryptDances.

Appendices

PNBs for Salsa Attack

We found the following PNBs in our attack against Salsa20/8:

Additional Proofs

1.1 Lemma 11

Proof

If we start from Lemma 10 then we want to expand the equation one more round. To do so, first note that since we are transitioning from round 7 to 8, we have \((a,b,c,d) \in \{(0,1,2,3),(5,6,7,4),(10,11,8,9),(15,12,13,14)\}\). Therefore, we can divide the factors of the equation into 4 distinct groups:

• Group I - \(x^{(7)}_{0}[0] \oplus x^{(7)}_{2}[12,13] \oplus x^{(7)}_{3}[17].\)

• Group II - \(x^{(7)}_{4}[7,18,19] \oplus x^{(7)}_{6}[25,26] \oplus x^{(7)}_{7}[26,31].\)

• Group III - \(x^{(7)}_{8}[13,14,19] \oplus x^{(7)}_{11}[31].\)

• Group IV - \(x^{(7)}_{12}[0,14] \oplus x^{(7)}_{14}[12,13] \oplus x^{(7)}_{15}[16,17] \).

The procedure to expand and compute the correlation is similar to that in the proof of Lemma 10, expanding adjacent pairs with Lemma 9 and the rest individually with Lemma 1. To simplify the notation, we will compute the probability given by the Piling-up Lemma by summing values k where the probability of a particular linear equation will be given by \(\frac{1}{2}\left( 1\pm \frac{1}{2^k}\right) \).

1. 1.

   For Group I, we expand \(x^{(7)}_{2,12} \oplus x^{(7)}_{2,13}\) using Lemma 9 (\(k=2\)), \(x^{(7)}_{0,0}\) using the expansion for \(x_{a,i}^{(m-1)}\) (\(k=1\)), and \(x^{(7)}_{3,17}\) using the expansion for \(x_{d,i}^{(m-1)}\) (\(k=1\)). Therefore, we get

   $$\begin{aligned} \begin{array}{c} x^{(7)}_{0}[0] \oplus x^{(7)}_{2}[12,13] \oplus x^{(7)}_{3}[17] = x^{(8)}_{0}[0,3,4] \oplus x^{(8)}_{2}[4,12,14,17,18] \oplus \\ x^{(8)}_{3}[14,18], \end{array}\nonumber \\ \end{aligned}$$

   (51)

   with probability \(\frac{1}{2}(1+\frac{1}{2^{4}})\).

2. 2.

   For Group II, we expand \(x^{(7)}_{4,18} \oplus x^{(7)}_{4,19}\) and \( x^{(7)}_{6,25} \oplus x^{(7)}_{6,26} \) using Lemma 9 (\(k=1\) and \(k=3\), respectively), \(x^{(7)}_{4,7}\) using the expansion for \(x_{d,i}^{(m-1)}\) (\(k=1\)), \(x^{(7)}_{7,26}\) using the expansion for \(x_{c,i}^{(m-1)}\) (\(k=2\)) and \( x^{(7)}_{7,31}\) using the expansion for \(x_{c,i}^{(m-1)}\) (\(k=2\)). Therefore, we get

   $$\begin{aligned} \begin{array}{c} x^{(7)}_{4}[7,18,19] \oplus x^{(7)}_{6}[25,26] \oplus x^{(7)}_{7}[26,31] = x^{(8)}_{4}[0,1,4,7,31] \oplus \\ x^{(8)}_{5}[16,17,18,19,21,22] \oplus x^{(8)}_{6}[17,22] \oplus x^{(8)}_{7}[0,1,4], \end{array} \end{aligned}$$

   (52)

   with probability \(\frac{1}{2}(1+\frac{1}{2^{9}})\).

3. 3.

   For Group III, we expand \(x^{(7)}_{8,13} \oplus x^{(7)}_{8,14}\) using Lemma 9 (\(k=2\)), \(x^{(7)}_{8,19}\) using the expansion for \(x_{c,i}^{(m-1)}\) (\(k=2\)), and \( x^{(7)}_{11,31}\) using the expansion for \(x_{b,i}^{(m-1)}\) (\(k=3\)). Therefore, we get

   $$\begin{aligned} \begin{array}{c} x^{(7)}_{8}[13,14,19] \oplus x^{(7)}_{11}[31] = x^{(8)}_{8}[6,11,13,14,18,24] \oplus \\ x^{(8)}_{9}[6,18,19] \oplus x^{(8)}_{10}[4,5,9,10,23,24] \oplus x^{(8)}_{11}[4,5,11,31], \end{array} \end{aligned}$$

   (53)

   with probability \(\frac{1}{2}(1+\frac{1}{2^{7}})\).

4. 4.

   For Group IV, we expand \(x^{(7)}_{15,16} \oplus x^{(7)}_{15,17} \) using Lemma 9 (\(k=1\)), \(x^{(7)}_{12,0}\) using the expansion for \(x_{b,i}^{(m-1)}\) (\(k=3\)), \(x^{(7)}_{12,14}\) using the expansion for \(x_{b,i}^{(m-1)}\) (\(k=3\)), \(x^{(7)}_{14,12} \) using the expansion for \(x_{d,i}^{(m-1)}\) (\(k=1\)), and \(x^{(7)}_{14,13} \) using the expansion for \(x_{d,13}^{(m-1)}\) (\(k=0\)). Therefore, we get

   $$\begin{aligned} \begin{array}{cl} x^{(7)}_{12}[0,14] \oplus x^{(7)}_{14}[12,13] \oplus x^{(7)}_{15}[16,17] = x^{(8)}_{12}[11,12,14,25,26,30,31] \oplus \\ x^{(8)}_{13}[0,7,12,21,26,30] \oplus x^{(8)}_{14}[12,13,21,25,30,31] \oplus x^{(8)}_{15}[6,7,16,17,24,25], \end{array}\nonumber \\ \end{aligned}$$

   (54)

   with probability \(\frac{1}{2}(1+\frac{1}{2^{8}})\).

Finally, using the Piling-up Lemma we can combine the results from Lemma 10 and Eqs. (51)–(54), which leads to a correlation of \( \varepsilon _L = 1/2^{6+4+9+7+8} = 2^{-34}. \) \(\square \)

1.2 Lemma 13 - Rows 1 to 4

Proof

For \(x_{a,i}^{[s-1]}, x_{c,i}^{[s-1]}\) and \(x_{e,i}^{[s-1]}\), this result follows directly from Eq. (9) and the Piling-up Lemma. For \(x_{b,i}^{[s-1]},\) from Eq. (41) and using Eq. (9) on the last term we get

$$\begin{aligned} x_{b,i}^{[s-1]} = \mathcal {L}^{[s]}_{b,i} \oplus \Theta _i(x^{\prime [s-1]}_{c}, x^{[s]}_{d}) \oplus x^{\prime [s-1]}_{c,i-1} \end{aligned}$$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Using Eq. (37)

$$\begin{aligned} x_{b,i}^{[s-1]} = \mathcal {L}^{[s]}_{b,i} \oplus \Theta _i(x^{\prime [s-1]}_{c}, x^{[s]}_{d}) \oplus x_{c,i-1}^{[s]} \oplus x_{d,i-1}^{[s]} \oplus \Theta _{i-1}(x^{\prime [s-1]}_{c}, x^{[s]}_{d}). \end{aligned}$$

Finally, using Eq. (10) and the Piling-up Lemma we get

$$\begin{aligned} x_{b,i}^{[s-1]} = \mathcal {L}^{[s]}_{b,i} \oplus x_{c,i-1}^{[s]} \oplus x_{d,i-1}^{[s]}, \end{aligned}$$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \). Next, for \(x_{d,i}^{[s-1]}\), from Eq. (43) and using Eq. (9) to replace \(\Theta _i(x^{\prime [s-1]}_{d}, x^{[s]}_{e})\) and \(\Theta _i(x^{[s-1]}_{d}, x^{[s-1]}_{e})\) we get

$$\begin{aligned} x_{d,i}^{[s-1]} = \mathcal {L}^{[s]}_{d,i} \oplus x^{[s]}_{e,i-1} \oplus \Theta _i(x^{\prime [s-1]}_{a}, x^{[s]}_{b}) \oplus x^{[s-1]}_{e,i-1}. \end{aligned}$$

Then, using Eq. (39) we get

$$\begin{aligned} x_{d,i}^{[s-1]} = \mathcal {L}^{[s]}_{d,i} \oplus x^{[s]}_{e,i-1} \oplus \Theta _i(x^{\prime [s-1]}_{a}, x^{[s]}_{b}) \oplus \mathcal {L}^{[s]}_{e,i-1} \oplus \Theta _{i-1}(x^{\prime [s-1]}_{a}, x^{[s]}_{b}). \end{aligned}$$

Finally, using Eq. (10) and the Piling-up Lemma we get

$$\begin{aligned} x_{d,i}^{[s-1]} = \mathcal {L}^{[s]}_{d,i} \oplus x^{[s]}_{e,i-1} \oplus \mathcal {L}^{[s]}_{e,i-1}, \end{aligned}$$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^3}\right) \). \(\square \)

1.3 Lemma 13 - Row 5

Proof

This proof follows directly from Eqs. (39) and (40) canceling out the term \(\Theta _i(x^{\prime [s-1]}_{a}, x^{[s]}_{b})\), using the approximation of Eq. (9) and the Piling-up Lemma. \(\square \)

1.4 Lemma 13 - Row 6

Proof

From Eq. (43) notice that using Eq. (9) we can write

$$\begin{aligned} x_{d,i}^{[s-1]}= & {} \mathcal {L}^{[s]}_{d,i} \oplus \Theta _i(x^{\prime [s-1]}_{d}, x^{[s]}_{e}) \oplus \Theta _i(x^{\prime [s-1]}_{a}, x^{[s]}_{b}) \oplus \Theta _i(x^{[s-1]}_{d}, x^{[s-1]}_{e})\\ {}= & {} \mathcal {L}^{[s]}_{d,i} \oplus \Theta _i(x^{\prime [s-1]}_{d}, x^{[s]}_{e}) \oplus \Theta _i(x^{\prime [s-1]}_{a}, x^{[s]}_{b}) \oplus x^{[s-1]}_{e,i-1}, \text{ w.p. } \frac{1}{2}\left( 1+\frac{1}{2}\right) . \end{aligned}$$

Thus, we have

$$\begin{aligned} x_{e,i}^{[s-1]}\oplus x_{e,i-1}^{[s-1]}\oplus x_{d,i}^{[s-1]} = x_{e,i}^{[s-1]} \oplus \mathcal {L}^{[s]}_{d,i} \oplus \Theta _i(x^{\prime [s-1]}_{d}, x^{[s]}_{e}) \oplus \Theta _i(x^{\prime [s-1]}_{a}, x^{[s]}_{b}). \end{aligned}$$

Next, using Eq. (39) and canceling out equal terms, we get

$$\begin{aligned} x_{e,i}^{[s-1]}\oplus x_{e,i-1}^{[s-1]}\oplus x_{d,i}^{[s-1]} = \mathcal {L}^{[s]}_{e,i} \oplus \mathcal {L}^{[s]}_{d,i} \oplus \Theta _i(x^{\prime [s-1]}_{d}, x^{[s]}_{e}). \end{aligned}$$

Finally, using Eq. (9) and the Piling-up Lemma, we complete the proof. \(\square \)

1.5 Lemma 13 - Row 7

Proof

From Eqs. (39) and (43) we can cancel out the term \(\Theta _i(x^{\prime [s-1]}_{a}, x^{[s]}_{b})\) and get

$$\begin{aligned} \begin{array}{l} x_{e,i}^{[s-1]}\oplus x_{d,i}^{[s-1]}\oplus x_{d,i \pm 1}^{[s-1]} = \mathcal {L}^{[s]}_{e,i} \oplus \mathcal {L}^{[s]}_{d,i} \oplus \Theta _i(x^{\prime [s-1]}_{d}, x^{[s]}_{e}) \oplus \Theta _i(x^{[s-1]}_{d}, x^{[s-1]}_{e}) \oplus \\ \mathcal {L}^{[s]}_{d,i \pm 1} \oplus \Theta _{i \pm 1}(x^{\prime [s-1]}_{d}, x^{[s]}_{e}) \oplus \Theta _{i \pm 1}(x^{\prime [s-1]}_{a}, x^{[s]}_{b}) \oplus \Theta _{i \pm 1}(x^{[s-1]}_{d}, x^{[s-1]}_{e}). \end{array} \end{aligned}$$

Using Eq. (10) to approximate \(\Theta _i(x^{\prime [s-1]}_{d}, x^{[s]}_{e}) \oplus \Theta _{i \pm 1}(x^{\prime [s-1]}_{d}, x^{[s]}_{e})\) and \(\Theta _i(x^{[s-1]}_{d},\) \(x^{[s-1]}_{e})\oplus \Theta _{i \pm 1}(x^{[s-1]}_{d}, x^{[s-1]}_{e})\), Eq. (9) to approximate \(\Theta _{i \pm 1}(x^{\prime [s-1]}_{a}, x^{[s]}_{b})\), and the Piling-up Lemma completes the proof. \(\square \)

1.6 Lemma 13 - Row 8

Proof

From Eqs. (41) and (42) we can cancel out the terms \(\Theta _i(x^{\prime [s-1]}_{c}, x^{[s]}_{d})\) and \(\Theta _{i-1}(x^{\prime [s-1]}_{c}, x^{[s]}_{d})\). Thus, we get

$$\begin{aligned} \begin{array}{l} x_{b,i}^{[s-1]}\oplus x_{c,i}^{[s-1]}\oplus x_{b,i - 1}^{[s-1]} \oplus x_{c,i - 1}^{[s-1]} = \mathcal {L}^{[s]}_{b,i} \oplus \Theta _i(x^{[s-1]}_{b}, x^{\prime [s-1]}_{c}) \oplus \mathcal {L}^{[s]}_{c,i} \oplus \\ \Theta _i(x^{\prime [s-1]}_{d}, x^{[s]}_{e}) \oplus \mathcal {L}^{[s]}_{b,i-1} \oplus \Theta _{i-1}(x^{[s-1]}_{b}, x^{\prime [s-1]}_{c}) \oplus \mathcal {L}^{[s]}_{c,i-1} \oplus \Theta _{i-1}(x^{\prime [s-1]}_{d}, x^{[s]}_{e}). \end{array} \end{aligned}$$

Applying Eq. (10) and the Piling-up Lemma completes the proof. \(\square \)

1.7 Lemma 15

Proof

From Eq. (49), we have that for subrounds 9 and 10 we do not update the word \(X_{10}\), then we get \( x_{10,0}^{[8]} = x_{10,0}^{[9]} = x_{10,0}^{[10]}. \) Now, in subround 11, we have that \((a,b,c,d,e) = (2,6,10,14,1)\). Thus, \(X_{10}\) is of type \(X_{c}\) and using Lemma 12 we have \(x_{10,0}^{[10]} = x^{[11]}_{1,0} \oplus x^{[11]}_{10,0} \oplus x^{[11]}_{14,0} \oplus x^{[11]}_{14,27}\), with probability 1.

In subround 12, words \(X_{1},X_{10}\) and \(X_{14}\) are not expanded. Thus, we get

$$\begin{aligned} x^{[11]}_{1,0} \oplus x^{[11]}_{10,0} \oplus x^{[11]}_{14,0} \oplus x^{[11]}_{14,27} = x^{[12]}_{1,0} \oplus x^{[12]}_{10,0} \oplus x^{[12]}_{14,0} \oplus x^{[12]}_{14,27}. \end{aligned}$$

In subround 13, we have \((a,b,c,d,e) = (0,5,10,15,3)\), and \(X_{10}\) is of type \(X_c\). Again, using Lemma 12 we have

$$\begin{aligned} \begin{array}{c} x^{[12]}_{1,0} \oplus x^{[12]}_{10,0} \oplus x^{[12]}_{14,0} \oplus x^{[12]}_{14,27} = \\ x^{[13]}_{1,0} \oplus x^{[13]}_{3,0} \oplus x^{[13]}_{10,0} \oplus x^{[13]}_{14,0} \oplus x^{[13]}_{14,27} \oplus x^{[13]}_{15,0} \oplus x^{[13]}_{15,27}, \end{array} \end{aligned}$$

with probability 1.

In subround 14, we have \((a,b,c,d,e) = (1,6,11,12,0)\), and \(X_{1}\) is of type \(X_a\). Using Lemma 12 we have

$$\begin{aligned} \begin{array}{c} x^{[13]}_{1,0} \oplus x^{[13]}_{3,0} \oplus x^{[13]}_{10,0} \oplus x^{[13]}_{14,0} \oplus x^{[13]}_{14,27} \oplus x^{[13]}_{15,0} \oplus x^{[13]}_{15,27} = \\ x^{[14]}_{1,8} \oplus x^{[14]}_{3,0} \oplus x^{[14]}_{10,0} \oplus x^{[14]}_{11,0} \oplus x^{[14]}_{14,0} \oplus x^{[14]}_{14,27} \oplus x^{[14]}_{15,0} \oplus x^{[14]}_{15,27} \end{array} \end{aligned}$$

with probability 1.

In subround 15, we have \((a,b,c,d,e) = (2,7,8,13,1)\), and \(X_{1}\) is of type \(X_e\). Using Lemma 13. 1 we have

$$\begin{aligned} \begin{array}{c} x^{[14]}_{1,8} \oplus x^{[14]}_{3,0} \oplus x^{[14]}_{10,0} \oplus x^{[14]}_{11,0} \oplus x^{[14]}_{14,0} \oplus x^{[14]}_{14,27} \oplus x^{[14]}_{15,0} \oplus x^{[14]}_{15,27} = x^{[15]}_{1,8} \oplus \\ x^{[15]}_{2,16} \oplus x^{[15]}_{3,0} \oplus x^{[15]}_{7,7} \oplus x^{[15]}_{7,8} \oplus x^{[15]}_{10,0} \oplus x^{[15]}_{11,0} \oplus x^{[15]}_{14,0} \oplus x^{[15]}_{14,27} \oplus x^{[15]}_{15,0} \oplus x^{[15]}_{15,27}, \end{array} \end{aligned}$$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \).

Finally, in subround 16, we have \((a,b,c,d,e) = (3,4,9,14,2)\). Then, we have to expand the terms \(x^{[15]}_{2,16}, x^{[15]}_{3,0}, x^{[15]}_{14,0}\) and \(x^{[15]}_{14,27}\). Using Lemma 12 we can expand \(x^{[15]}_{3,0}\) and \(x^{[15]}_{14,0}\) with probability 1, and using Lemma 13 we can expand \(x^{[15]}_{2,16}\) and \(x^{[15]}_{14,27}\) with probabilities \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \) and \(\frac{1}{2}\left( 1+\frac{1}{2^3}\right) \), respectively. Therefore, by the Piling-up Lemma, we have

$$\begin{aligned} \begin{array}{l} x^{[15]}_{1}[8] \oplus x^{[15]}_{2}[16] \oplus x^{[15]}_{3}[0] \oplus x^{[15]}_{7}[7,8] \oplus x^{[15]}_{10}[0] \oplus x^{[15]}_{11}[0] \oplus x^{[15]}_{14}[0,27] \oplus \\ x^{[15]}_{15}[0,27] = x^{[16]}_{1}[8] \oplus x^{[16]}_{2}[16] \oplus x^{[16]}_{3}[2,3,24] \oplus x^{[16]}_{4}[0,15,16,26,27] \oplus \\ x^{[16]}_{7}[7,8] \oplus x^{[16]}_{9}[0] \oplus x^{[16]}_{10}[0] \oplus x^{[16]}_{11}[0] \oplus x^{[16]}_{14}[22,27] \oplus x^{[16]}_{15}[0,27] \end{array} \end{aligned}$$

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^4}\right) \). Aggregating the correlation with the Piling-up Lemma completes the proof. \(\square \)

1.8 Lemma 16

Proof

In subround 17, we have \((a,b,c,d,e) = (0,4,8,12,3)\). Thus, we have to expand the terms \(x^{[16]}_{3}[2,3,24]\) and \(x^{[16]}_{4}[0,15,16,26,27]\). Here, we use Lemma 12 to expand \(x^{[16]}_{4,0}\) with probability 1, and Lemma 14 to expand pairs \(x^{[16]}_{3}[2,3]\), \(x^{[16]}_{4}[15,16]\) and \(x^{[16]}_{4}[26,27]\), with probabilities \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \), \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \) and \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \), respectively. Additionally, with Lemma 13.1 we can expand \(x^{[16]}_{3,24}\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Thus, from the Piling-up Lemma we have that

$$\begin{aligned} \begin{array}{l} x^{[16]}_{1}[8] \oplus x^{[16]}_{2}[16] \oplus x^{[16]}_{3}[2,3,24] \oplus x^{[16]}_{4}[0,15,16,26,27] \oplus x^{[16]}_{7}[7,8] \oplus \\ x^{[16]}_{9}[0] \oplus x^{[16]}_{10}[0] \oplus x^{[16]}_{11}[0] \oplus x^{[16]}_{14}[22,27] \oplus x^{[16]}_{15}[0,27] = x^{[17]}_{0}[0,10,11] \oplus \\ x^{[17]}_{1}[8] \oplus x^{[17]}_{2}[16] \oplus x^{[17]}_{3}[2,3,24] \oplus x^{[17]}_{4}[2,3,4,5,10,23,24,25,26] \oplus \\ x^{[17]}_{7}[7,8] \oplus x^{[17]}_{8}[0,4,5,10,15,16,25,27] \oplus x^{[17]}_{9}[0] \oplus x^{[17]}_{10}[0] \oplus x^{[17]}_{11}[0] \oplus \\ x^{[17]}_{12}[0,15,16,26,27] \oplus x^{[17]}_{14}[22,27] \oplus x^{[17]}_{15}[0,27], \end{array} \end{aligned}$$

(55)

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^6}\right) \).

In subround 18, we have \((a,b,c,d,e) = (1,5,9,13,0)\). Thus, we have to expand the terms \(x^{[17]}_{0}[0,10,11]\), \(x^{[17]}_{1,8}\) and \(x^{[17]}_{9,0}\). Here, we use Lemma 12 to expand \(x^{[17]}_{0,0}\) and \(x^{[17]}_{9,0}\) with probability 1, and Lemma 14 to expand the pair \(x^{[17]}_{0}[10,11]\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Additionally, with Lemma 13. 2 we can expand \(x^{[17]}_{1,8}\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \). Thus, from the Piling-up Lemma we have that

$$\begin{aligned} \begin{array}{l} x^{[17]}_{0}[0,10,11] \oplus x^{[17]}_{1}[8] \oplus x^{[17]}_{2}[16] \oplus x^{[17]}_{3}[2,3,24] \oplus \\ x^{[17]}_{4}[2,3,4,5,10,23,24,25,26] \oplus x^{[17]}_{7}[7,8] \oplus x^{[17]}_{8}[0,4,5,10,15,16,25,27] \oplus \\ x^{[17]}_{9}[0] \oplus x^{[17]}_{10}[0] \oplus x^{[17]}_{11}[0] \oplus x^{[17]}_{12}[0,15,16,26,27] \oplus x^{[17]}_{14}[22,27] \oplus x^{[17]}_{15}[0,27] \\ =x^{[18]}_{0}[10,11] \oplus x^{[18]}_{1}[8,16,18,19] \oplus x^{[18]}_{2}[16] \oplus x^{[18]}_{3}[2,3,24] \oplus \\ x^{[18]}_{4}[2,3,4,5,10,23,24,25,26] \oplus x^{[18]}_{5}[0,10,11] \oplus x^{[18]}_{7}[7,8] \oplus \\ x^{[18]}_{8}[0,4,5,10,15,16,25,27] \oplus x^{[18]}_{9}[0,7,8] \oplus x^{[18]}_{10}[0] \oplus x^{[18]}_{11}[0] \oplus \\ x^{[18]}_{12}[0,15,16,26,27] \oplus x^{[18]}_{13}[0,27] \oplus x^{[18]}_{14}[22,27] \oplus x^{[18]}_{15}[0,27] \end{array} \end{aligned}$$

(56)

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^3}\right) \).

Next, in subround 19, we have \((a,b,c,d,e) = (2,6,10,14,1)\). Thus, we have to expand the terms \(x^{[18]}_{1}[8,16,18,19]\), \(x^{[18]}_{2}[16]\), \(x^{[18]}_{10}[0]\) and \(x^{[18]}_{14}[22,27]\). Here, we use Lemma 12 to expand \(x^{[18]}_{10,0}\) with probability 1. Then, we use Lemma 13. 5 to expand \(x^{[18]}_{1,16} \oplus x^{[18]}_{2,16}\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Using Lemma 14 to expand \(x^{[18]}_{1}[18,19]\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Additionally, with Lemma 13 we can expand \(x^{[18]}_{1,8}\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \), and \(x^{[18]}_{14,22}\) and \(x^{[18]}_{14,23}\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2^3}\right) \). Thus, using the Piling-up Lemma we have that

$$\begin{aligned} \begin{array}{l} x^{[18]}_{0}[10,11] \oplus x^{[18]}_{1}[8,16,18,19] \oplus x^{[18]}_{2}[16] \oplus x^{[18]}_{3}[2,3,24] \oplus \\ x^{[18]}_{4}[2,3,4,5,10,23,24,25,26] \oplus x^{[18]}_{5}[0,10,11] \oplus x^{[18]}_{7}[7,8] \oplus \\ x^{[18]}_{8}[0,4,5,10,15,16,25,27] \oplus x^{[18]}_{9}[0,7,8] \oplus x^{[18]}_{10}[0] \oplus x^{[18]}_{11}[0] \oplus \\ x^{[18]}_{12}[0,15,16,26,27] \oplus x^{[18]}_{13}[0,27] \oplus x^{[18]}_{14}[22,27] \oplus x^{[18]}_{15}[0,27] =\\ x^{[19]}_{0}[10,11] \oplus x^{[19]}_{1}[0,8,16,18,19] \oplus x^{[19]}_{2}[2,3,16,26,27,29,30] \oplus \\ x^{[19]}_{3}[2,3,24] \oplus x^{[19]}_{4}[2,3,4,5,10,23,24,25,26] \oplus x^{[19]}_{5}[0,10,11] \oplus \\ x^{[19]}_{6}[7,8,15,16,18,19,21,22,26,27] \oplus x^{[19]}_{7}[7,8] \oplus x^{[19]}_{8}[0,4,5,10,15,16,25,27] \oplus \\ x^{[19]}_{9}[0,7,8] \oplus x^{[19]}_{10}[0,15,16] \oplus x^{[19]}_{11}[0] \oplus x^{[19]}_{12}[0,15,16,26,27] \oplus \\ x^{[19]}_{13}[0,27] \oplus x^{[19]}_{14}[0,17,22,27] \oplus x^{[19]}_{15}[0,27] \end{array} \end{aligned}$$

(57)

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^9}\right) \).

Finally, in subround 20, we have \((a,b,c,d,e) = (3,7,11,15,2)\). Thus, we have to expand the terms \(x^{[19]}_{2}[2,3,16,26,27,29,30]\), \(x^{[19]}_{3}[2,3,24]\), \(x^{[19]}_{7}[7,8]\), \(x^{[19]}_{11}[0]\) and \(x^{[19]}_{15}[0,27]\). Here, we use Lemma 12 to expand \(x^{[19]}_{11,0}\) and \(x^{[19]}_{15,0}\) with probability 1. Then, we use Lemma 13.6 to expand \(x^{[19]}_{2}[26,27]\oplus x^{[19]}_{15,27}\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \). Next, we use Lemma 13.5 to expand \(x^{[19]}_{2}[2,3]\oplus x^{[19]}_{3}[2,3]\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \). Using Lemma 14 we can expand \(x^{[19]}_{2}[29,30]\) and \(x^{[19]}_{7}[7,8]\) with probabilities \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \) and \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \), respectively. Additionally, with Lemma 13.1 we can expand \(x^{[19]}_{2}[16]\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \), and \(x^{[19]}_{3}[24] \) with probability \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \). Thus, using the Piling-up Lemma we have that

$$\begin{aligned} \begin{array}{l} x^{[19]}_{0}[10,11] \oplus x^{[19]}_{1}[0,8,16,18,19] \oplus x^{[19]}_{2}[2,3,16,26,27,29,30] \oplus x^{[19]}_{3}[2,3,24] \oplus \\ x^{[19]}_{4}[2,3,4,5,10,23,24,25,26] \oplus x^{[19]}_{5}[0,10,11] \oplus x^{[19]}_{6}[7,8,15,16,18,19,21,22,26,27] \oplus \\ x^{[19]}_{7}[7,8] \oplus x^{[19]}_{8}[0,4,5,10,15,16,25,27] \oplus x^{[19]}_{9}[0,7,8] \oplus x^{[19]}_{10}[0,15,16] \oplus x^{[19]}_{11}[0] \oplus \\ x^{[19]}_{12}[0,15,16,26,27] \oplus x^{[19]}_{13}[0,27] \oplus x^{[19]}_{14}[0,17,22,27] \oplus x^{[19]}_{15}[0,27] =\\ x^{[20]}_{0}[10,11] \oplus x^{[20]}_{1}[0,8,16,18,19] \oplus x^{[20]}_{2}[0,2,3,16,26,27,29,30] \oplus x^{[20]}_{3}[0,5,6,8,24] \oplus \\ x^{[20]}_{4}[2,3,4,5,10,23,24,25,26] \oplus x^{[20]}_{5}[0,10,11] \oplus x^{[20]}_{6}[7,8,15,16,18,19,21,22,26,27] \oplus \\ x^{[20]}_{7}[0,2,3,15,16,17,18,29,30] \oplus x^{[20]}_{8}[0,4,5,10,15,16,25,27] \oplus x^{[20]}_{9}[0,7,8] \oplus \\ x^{[20]}_{10}[0,15,16] \oplus x^{[20]}_{11}[0,2,3,7,8,17,18,23,24] \oplus x^{[20]}_{12}[0,15,16,26,27] \oplus x^{[20]}_{13}[0,27] \oplus \\ x^{[20]}_{14}[0,17,22,27] \oplus x^{[20]}_{15}[0,7,8,22] \end{array} \end{aligned}$$

(58)

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{10}}\right) \).

To conclude, we compute the correlation by using the Piling-up Lemma and aggregating the correlations of Lemma 15 and Eqs. (55)–(58), thus we get \(\varepsilon _L = \frac{1}{2^{5+6+3+9+10}}\). \(\square \)

1.9 Lemma 17

Proof

In subround 21, we have \((a,b,c,d,e) = (0,5,10,15,3)\). Thus, from Eq. (58) we have to expand the terms \(x^{[20]}_{0}[10,11]\), \(x^{[20]}_{3}[0,5,6,8,24]\), \(x^{[20]}_{5}[0,10,11]\), \(x^{[20]}_{10}[0,15,16]\) and \(x^{[20]}_{15}[0,7,8,22]\). Here, we use Lemma 12 to expand \(x^{[20]}_{3,0}\), \(x^{[20]}_{5,0}\), \(x^{[20]}_{10,0}\) and \(x^{[20]}_{15,0}\) with probability 1. Then, we use Lemma 13. 7 to expand \(x^{[20]}_{15}[7,8]\oplus x^{[20]}_{3,8}\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2^3}\right) \). Next, using Lemma 14 we can expand \(x^{[20]}_{0}[10,11]\), \(x^{[20]}_{5}[10,11]\) and \(x^{[20]}_{10}[15,16]\) with probabilities \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \), and \(x^{[20]}_{3}[5,6]\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Additionally, with Lemma 13 we can expand \(x^{[20]}_{3,24}\) and \(x^{[20]}_{15,22}\) with probabilities \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \) and \(\frac{1}{2}\left( 1+\frac{1}{2^3}\right) \), respectively. Thus, using the Piling-up Lemma we have that

$$\begin{aligned} \begin{array}{l} x^{[20]}_{0}[10,11] \oplus x^{[20]}_{1}[0,8,16,18,19] \oplus x^{[20]}_{2}[0,2,3,16,26,27,29,30] \oplus \\ x^{[20]}_{3}[0,5,6,8,24] \oplus x^{[20]}_{4}[2,3,4,5,10,23,24,25,26] \oplus x^{[20]}_{5}[0,10,11] \oplus \\ x^{[20]}_{6}[7,8,15,16,18,19,21,22,26,27] \oplus x^{[20]}_{7}[0,2,3,15,16,17,18,29,30] \oplus \\ x^{[20]}_{8}[0,4,5,10,15,16,25,27] \oplus x^{[20]}_{9}[0,7,8] \oplus x^{[20]}_{10}[0,15,16] \oplus \\ x^{[20]}_{11}[0,2,3,7,8,17,18,23,24] \oplus x^{[20]}_{12}[0,15,16,26,27] \oplus x^{[20]}_{13}[0,27] \oplus \\ x^{[20]}_{14}[0,17,22,27] \oplus x^{[20]}_{15}[0,7,8,22] =\\ x^{[21]}_{0}[0,13,14,15,18,19,29,30] \oplus x^{[21]}_{1}[0,8,16,18,19] \oplus x^{[21]}_{2}[0,2,3,16,26,27,29,30] \oplus \\ x^{[21]}_{3}[5,6,8,15,16,24] \oplus x^{[21]}_{4}[2,3,4,5,10,23,24,25,26] \oplus x^{[21]}_{5}[5,7,10,20,22,23,24] \\ \oplus x^{[21]}_{6}[7,8,15,16,18,19,21,22,26,27] \oplus x^{[21]}_{7}[0,2,3,15,16,17,18,29,30] \oplus \\ x^{[21]}_{8}[0,4,5,10,15,16,25,27] \oplus x^{[21]}_{9}[0,7,8] \oplus x^{[21]}_{10}[10,15,16,20,21] \oplus \\ x^{[21]}_{11}[0,2,3,7,8,17,18,23,24] \oplus x^{[21]}_{12}[0,15,16,26,27] \oplus x^{[21]}_{13}[0,27] \oplus x^{[21]}_{14}[0,17,22,27] \oplus \\ x^{[21]}_{15}[2,3,15,16,17] \end{array} \end{aligned}$$

(59)

with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{14}}\right) \). \(\square \)

Performance Measurements

See Tables 5, 6, 7, 8, 9, 10.

Table 5 Typical MTU of different types of networks

Table 6 Timings of Salsa, ChaCha and Forró’s reference implementations on an x86_64

Table 7 Timings of Salsa, ChaCha and Forró’s SIMD implementations on an x86_64

Table 8 Timings of Salsa, ChaCha and Forró’s reference implementations on an ARMv7

Table 9 Timings of ChaCha and Forró’s NEON implementations on an ARMv7

Table 10 Timings of Salsa, ChaCha and Forró’s reference implementations on an ARMv8