Latin Dances Reloaded: Improved Cryptanalysis Against Salsa and ChaCha, and the Proposal of Forró
Journal of Cryptology (IF 3), published 2023-05-01, DOI: 10.1007/s00145-023-09455-5
Murilo Coutinho , Iago Passos , Juan C. Grados Vásquez , Santanu Sarkar , Fábio L. L. de Mendonça , Rafael T. de Sousa , Fábio Borges

In this paper, we present five major contributions to ARX ciphers and, in particular, to the Salsa/ChaCha family of stream ciphers:

(a) We propose an improved differential-linear distinguisher against ChaCha. To do so, we propose a new way to approach the derivation of linear approximations by viewing the algorithm in terms of simpler subrounds. Using this idea, we show that almost all linear approximations from previous works can be derived from just 3 simple rules. Furthermore, we show that with one extra rule it is possible to improve the linear approximations proposed by Coutinho and Souza Neto at Eurocrypt 2021 (Coutinho and Souza Neto, in: Canteaut, Standaert (eds) Advances in Cryptology, EUROCRYPT 2021, 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, October 17–21, 2021, Proceedings, Part I. Lecture Notes in Computer Science, vol 12696, Springer, 2021).

(b) We propose a technique called Bidirectional Linear Expansions (BLE) to improve attacks against Salsa. While previous works only considered linear expansions moving forward through the rounds, BLE explores the expansion of a single bit in both the forward and the backward direction. Applying BLE, we propose the first differential-linear distinguishers reaching 7 and 8 rounds of Salsa, and we improve Probabilistic Neutral Bit (PNB) key-recovery attacks against 8 rounds of Salsa.

(c) At Eurocrypt 2022 (Dey et al., Revamped Differential-Linear Cryptanalysis on Reduced Round ChaCha, Springer, 2022), Dey et al. proposed a technique to combine two input-output positions in a PNB attack. In this paper, we generalize this technique to an arbitrary number of input-output positions. Combining this approach with BLE, we are able to improve key-recovery attacks against 7 rounds of Salsa.

(d) Using all the knowledge acquired while studying the cryptanalysis of these ciphers, we propose some modifications that provide better diffusion per round and higher resistance to cryptanalysis, leading to a new stream cipher named Forró. We show that Forró has a higher security margin; this allows us to reduce the total number of rounds while maintaining the security level, thus creating a cipher that is faster on many platforms, especially constrained devices.

(e) Finally, we developed CryptDances, a new tool for the cryptanalysis of Salsa, ChaCha, and Forró, designed to be used in high-performance environments with several GPUs. With CryptDances it is possible to compute differential correlations, to derive new linear approximations for ChaCha automatically, and to automate the computation of the complexity of PNB attacks, among other features. We make CryptDances available to the community at https://github.com/murcoutinho/cryptDances.



Updated: 2023-05-02