Analyzing the Probability of Key Recovery in the Differential Attacks Against ChaCha

The stream cipher ChaCha has been subjected to differential-linear cryptanalysis since 2008. Aumasson et al. (2008) laid the groundwork for this attack, employing the concept of probabilistically neutral bits for key recovery. Various enhancements have since been made to this attack; they are essentially refinements of the probabilistically neutral bit-based approach. Although these modifications improve the attack complexity, the resulting changes in the associated probability of key recovery have not been thoroughly examined: no attack in this domain comes with a comprehensive analysis of the probability of key recovery, and no systematic process for analyzing it is available in the existing works. This paper addresses this gap by proposing a method for estimating the probability of key recovery in these attacks. Employing this method, we calculate an estimated interval for the probability of key recovery for both the original idea presented by Aumasson et al. (2008) and the subsequent modifications of this idea. This analysis allows us to understand how these modifications change the probability.

Since the introduction of ChaCha [6] in 2008, many cryptanalytic techniques have been applied to reduced-round versions of the cipher. In 2008, Aumasson et al. [1] presented the first cryptanalysis of the 256-bit key version of ChaCha6 and ChaCha7, with time complexity $2^{139}$ and $2^{248}$, respectively (ChaChaR denotes R-round ChaCha). The authors also introduced an attack on the 128-bit key version of ChaCha6 with time complexity $2^{107}$.
In 2012, Shi et al. [7] improved the time complexity of the attacks given by Aumasson et al. [1]. For the 256-bit key version of ChaCha6 and ChaCha7, the time complexity was reduced to $2^{136}$ and $2^{246.5}$, respectively. The time complexity of the 128-bit key version of ChaCha6 was also reduced, to $2^{105}$. The probability of key recovery for the attack on ChaCha6 (128- and 256-bit key versions) is 45%, and the attack on ChaCha7 has only a 43% probability of key recovery. In 2015, Maitra [8] provided an attack on the 256-bit key version of ChaCha7 with time complexity $2^{239}$; the author mentioned that this complexity holds for more than half of the keys, i.e., the probability of key recovery is approximately 50%. The author introduced the concept of chosen IVs to improve the attack techniques against the cipher. In 2016, Choudhuri and Maitra [9] provided an attack on the 256-bit key version of ChaChaR (4 ≤ R ≤ 7); for ChaCha6 and ChaCha7 the time complexity was reduced to $2^{116}$ and $2^{237.7}$, respectively. In 2017, Dey and Sarkar [10] improved the time complexity of the 256-bit key version of ChaCha7 to $2^{235.2}$.
In 2019, Dey et al. [11] revisited the design principles of ChaCha. In 2020, Coutinho and Neto [12] provided a new multi-bit differential and improved the time complexity for the 256-bit key version of ChaCha7 to $2^{231.9}$. Beierle et al. [4] presented a paper at CRYPTO 2020 in which they further reduced the time complexity to $2^{230.86}$; they also reduced the time complexity of the 256-bit key version of ChaCha6 and provided a single-bit distinguisher for 3.5 rounds. In 2021, Coutinho and Neto [13] presented a modified attack procedure at Eurocrypt 2021: they improved the linear approximations of ChaCha and reduced the time complexity to $2^{228.51}$ for the 256-bit key version of ChaCha7. In 2021, Dey et al. [14] revisited the attack techniques of CRYPTO 2020 [4] and Eurocrypt 2021 [13], addressed some incorrect results, and provided a justification for the corrected results.
In 2021, Dey and Sarkar [15] provided a mathematical proof for the observed probabilities of the distinguishers for the Salsa and ChaCha ciphers. At Eurocrypt 2022, Dey et al. [5] provided an improved attack that reduced the time complexity of the 256-bit key version of ChaCha7 to $2^{221.95}$. They also gave the time complexity for the 128-bit key version of ChaCha6 and the first attack on the 128-bit key version of ChaCha6.5, with time complexity $2^{123.04}$. In 2022, Coutinho et al. [16], [17] provided a 7-round distinguisher for ChaCha with time complexity $2^{214}$. In 2022, Miyashita et al. [18] provided a differential attack on the 256-bit key version of ChaCha7 by improving the PNB technique. In 2023, Dey et al. [19] proposed the first attack on 7.25-round ChaCha256, with time complexity $2^{244.85}$, and presented an enhanced PNB-searching algorithm. At FSE 2023, Dey et al. [20] provided multiple ID-OD differentials and reduced the time complexity for ChaCha6 to $2^{99.48}$. At CRYPTO 2023, Wang et al. [21] improved the time complexity for the 256-bit key versions of ChaCha6 and ChaCha7.
Since the introduction of probabilistically neutral bits in differential attacks against Salsa and ChaCha, the subsequent modifications have led to clear improvements in time complexity, but little attention has been paid to the resulting changes in the probability of key recovery of the attacks. In [1], the authors claimed that the probability of key recovery was at least 50% but did not provide a tighter estimate. In this work, we show that the probabilities of key recovery have indeed changed significantly.

B. OUR CONTRIBUTION
In the initial attack approach introduced by Aumasson et al. [1], the authors showed that it recovers at least 50% of the keys. Most of the subsequent works focused on enhancing the distinguishers or improving the probabilistically neutral bits, while the core attack idea remained unchanged; modifications of the attack technique itself were proposed by Beierle et al. [4] and Dey et al. [5]. However, neither of these works analysed whether the probability of key recovery differs from that of the original approach. In general, none of the existing attacks has seriously addressed the probability of key recovery, which leaves a gap in the proper evaluation of any modification proposed to the attack technique.
Firstly, this paper introduces a systematic procedure to compute an estimated interval for the probability of successful key recovery in differential attacks on ChaCha. The procedure applies not only to the existing attacks but also to potential future attacks in this line, so that any new idea can be assessed in terms of both the improvement in complexity and the change in the probability of key recovery.
Secondly, we apply our method to obtain the probability of key recovery for all three attack approaches mentioned above ([1], [4], [5]), using the same distinguisher. Comparing the resulting probabilities leads to several findings, which we list below for each of these works.
1) According to the claim of Aumasson et al. [1], their attack idea, which is applicable to all keys, recovers the key with probability at least 0.5; they did not give a tighter estimate. Our computation yields the more precise estimate [0.630, 0.713] for the probability of key recovery.
2) In the attack by Beierle et al. [4], the authors claimed that their technique is applicable only to 70% of the keys, which they call ''weak keys''. They did not analyze the probability of successful key recovery among those weak keys, nor did they comment on the performance of the approach against the remaining 30% ''strong keys''. Our analysis shows that this attack approach can be used for all keys (not only the ''weak keys''), with probability of key recovery in the interval [0.816, 0.849]. The attack is therefore not only significantly more effective than the authors' claim but also more effective than the previous approach of [1].
3) Lastly, we analyzed the work of Dey et al. [5]. Their attack technique is applicable only to 62% of the keys, which they call ''exploitable keys''. Again, the authors did not analyze the probability of successful key recovery on the exploitable keys, nor did they say anything about the case in which the key is not ''exploitable''. We compute and show that the attack can be used for all keys, with probability of key recovery in [0.866, 0.900], which is higher than for both previous approaches.
All the observations are given in detail in Table 1, which lists, for each of the three attack procedures, the results claimed by the authors: the percentage of keys for which the attack technique is claimed to be applicable, the probability of key recovery claimed by the authors, and our estimate of the same.

1) PAPER ORGANIZATION
The paper is organized as follows:
• Section II comprises the preliminary details of ChaCha and its cryptanalysis techniques. We explain the detailed structure of ChaCha in Subsection II-A and, in Subsection II-B, the differential cryptanalysis and attack procedure. The list of notations is given in Table 2.
• Section III revisits the complexity calculation of the existing attack approaches and derives some mathematical relations associated with the data complexity used in the attack. These relations are used later in the computation of the probability of key recovery.
• In Section IV, we discuss the distribution of the biases of the distinguisher over different keys. This distribution enters the computation of the probability of key recovery.
• In Section V, we introduce a technique to compute the probability of key recovery of differential-linear attacks on ChaCha and use it to compute estimated intervals for the existing attack approaches. In Subsection V-A, we find the probability of key recovery for the attack procedure by Aumasson et al. [1], which lies in the interval [0.63, 0.71]. Subsection V-B and Subsection V-C compute the probability of key recovery for
37002 VOLUME 12, 2024 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.
• Finally, we conclude our work in Section VI.

II. PRELIMINARIES
In this section, we explain the basic structure of the ChaCha cipher, the differential cryptanalysis and the attack procedure, together with the fundamentals of the forward bias $\epsilon_d$ and the backward bias $\epsilon_a$.
A. ChaCha CIPHER
ChaCha works on sixteen 32-bit words represented as a 4 × 4 matrix. The cipher has two key versions, 128-bit and 256-bit. The 256-bit key version takes 8 key words $(k_0, k_1, \ldots, k_7)$, 4 constant words $(c_0, c_1, c_2, c_3)$, 1 IV word $t_0$ and 3 counter words $(v_0, v_1, v_2)$ as input and generates a 512-bit output. The first row of the matrix consists of the 4 constants $c_0, c_1, c_2, c_3$, derived from the string ''expand 32-byte k''. The second and third rows consist of the key words $(k_0, k_1, \ldots, k_7)$, and the fourth row consists of the IV word $t_0$ and the counter words $(v_0, v_1, v_2)$. For the 128-bit key version, the second and third rows of the matrix are the same (the 128-bit key is used twice), and the constants differ slightly: they are derived from the string ''expand 16-byte k''. In ChaCha, the round function is a nonlinear operation built from three operations: XOR between words (⊕), addition modulo $2^{32}$ (⊞), and left cyclic rotation (≪). The round function (the quarterround) takes a vector (a, b, c, d) of four words and transforms it into the vector (a'', b'', c'', d''). For an initial state matrix X, after applying n round functions we obtain the state matrix $X^{(n)}$. For odd rounds, the round function acts along the columns of the matrix; this is called the columnround function, and the four columns of the state matrix X are $(X_0, X_4, X_8, X_{12})$, $(X_1, X_5, X_9, X_{13})$, $(X_2, X_6, X_{10}, X_{14})$ and $(X_3, X_7, X_{11}, X_{15})$. For even rounds, the round function acts along the diagonals of the matrix; this is called the diagonalround function, and the four diagonals are $(X_0, X_5, X_{10}, X_{15})$, $(X_1, X_6, X_{11}, X_{12})$, $(X_2, X_7, X_8, X_{13})$ and $(X_3, X_4, X_9, X_{14})$. The keystream block Z is obtained by word-wise addition of the matrices $X^{(0)}$ and $X^{(n)}$, $Z = X^{(0)} \boxplus X^{(n)}$, where $X^{(0)}$ denotes the initial state and $X^{(n)}$ the state after n rounds.
Every ChaCha round function is reversible. In the reverse round function, the vector (a'', b'', c'', d'') is the input and is transformed back into (a, b, c, d) by undoing the operations of the quarterround in the opposite order.

B. DIFFERENTIAL CRYPTANALYSIS AND ATTACK PROCEDURE
We explain the differential cryptanalysis introduced by Aumasson et al. [1] in 2008 for ChaCha. We consider X to be the initial state matrix. We introduce an input difference $\Delta_{in}$ to generate another state matrix X′, where $X' = X \oplus \Delta_{in}$. The difference $\Delta_{in}$ has value 1 at the j-th bit of the i-th word and 0 at the remaining bits; we write it as $\Delta^{(0)}_i[j]$ (the ID position). Now we look for the output difference after r rounds. Let $\Delta^{(r)}_i[j]$ denote the difference between the two states X and X′ at the j-th bit of the i-th word after r rounds (the OD position, in general a different word and bit than the ID). The bias obtained after r rounds, defined by $\Pr(\Delta^{(r)}_i[j] = 1) = \frac{1}{2}(1 + \epsilon_d)$, is known as the forward bias and is denoted by $\epsilon_d$. Here the bias $\epsilon_d$ is taken over all outputs for a given key; in the attacks, an estimated median value of the biases over all keys is used. In Section IV, we show the distribution of the forward bias $\epsilon_d$.
After computing the state matrices X and X′ up to r rounds, we also compute the final state matrices $X^{(n)}$ and $X'^{(n)}$ after n rounds, and the keystream blocks corresponding to both, $Z = X^{(0)} \boxplus X^{(n)}$ and $Z' = X'^{(0)} \boxplus X'^{(n)}$. Differential cryptanalysis is not only used to analyse the security of ARX ciphers but also for the performance analysis of audio [22] and image encryption [23], [24] algorithms. Now, we discuss the concept of probabilistically neutral bits (PNBs), used to find the values of the key bits. Aumasson et al. [1] introduced this concept by dividing the key bits into two sets, PNBs and non-PNBs, according to their influence on the output difference bit. The m key bits that have a high influence on the output difference bit are the non-PNBs, and the remaining 256 − m bits are the PNBs.
Next, we discuss how to find the values of the non-PNB bits. We fix guessed values at the m non-PNB positions of the state matrices X and X′ to obtain two new states $\tilde X$ and $\tilde X'$. We use N pairs of keystream blocks for each guessed key. Using the keystream blocks Z and Z′, we obtain the two new matrices $M = Z - \tilde X$ and $M' = Z' - \tilde X'$ (word-wise subtraction modulo $2^{32}$). Now we run the reverse round function for n − r rounds on M and M′ and look at the difference at the OD position. If this reversed difference agrees with $\Delta^{(r)}_i[j]$ with high probability, the corresponding bias is called the backward bias and is denoted by $\epsilon_a$. Therefore, the final bias given by Aumasson et al. [1] is $\Pr(M^{(n-r)}_i[j] = 1) = \frac{1}{2}(1 + \epsilon)$, where $\epsilon = \epsilon_d \cdot \epsilon_a$ under reasonable independence assumptions.

1) ATTACK USING RIGHT-PAIRS
Beierle et al. [4] introduced the idea of the right pair-based attack. The authors observed that for approximately 70% of the keys there exists at least one IV for which the state difference after the first round has the minimum possible weight, 10 bits. They called such keys ''weak keys'' and such key-IV pairs right pairs. They observed that for a weak key, on average one out of $2^5$ random IVs forms a right pair. Having a right pair improves the bias of the distinguisher. See Section V-B of [4] for details.

2) MEMORY-BASED ATTACK USING RIGHT-PAIRS
Dey et al. [5] further introduced memory into this attack. They decomposed the key space into a no-memory key space and a memory key space. For each coset of the memory key space, the attacker can find an IV that forms a right pair with every key belonging to that coset, and this pair can be stored in memory beforehand. Therefore, during the attack, the $2^5$ random guesses can be avoided. For details, see Section 7.1 of [5].
To distinguish the initial attack approach (by Aumasson et al. [1]), in which IVs are chosen randomly, from the right pair-based attack approach, we call the former the ''random-IV based attack''.
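The structure described in Subsections II-A and II-B, as an added, runnable example (this is not the paper's code and not the Code Ocean material of [25]): the quarterround and its inverse, the columnround/diagonalround alternation, the keystream $Z = X^{(0)} \boxplus X^{(n)}$, the attacker's backward step $M = Z - \tilde X$ followed by $n - r$ reverse rounds, and a search for a right pair in the sense of Beierle et al. [4], i.e. an IV for which the first-round difference caused by $\Delta^{(0)}_{12}[6]$ has the minimum weight 10. Assumptions made here: the RFC 8439 word layout (constants in row 0, the key in rows 1 and 2, the paper's IV and counter words in positions 12 to 15), word 12 as the word the attacker varies, ChaCha7 with r = 4 in the round-trip check, and an all-zero key as a constructed sample for the right-pair search.

```python
"""ChaCha state, round functions and their inverses (added example; not the
paper's code).  Follows Subsections II-A and II-B: a 4x4 matrix of 32-bit
words, quarterrounds on the columns in odd rounds and on the diagonals in even
rounds, keystream Z = X(0) + X(n), and the attacker's backward step
M = Z - X~ followed by n - r reverse rounds.  Assumed layout (RFC 8439 style):
constants in row 0, the key in rows 1-2, the paper's IV/counter words t0, v0..v2
in positions 12..15; word 12 is the word the attacker varies here.
"""
import struct

MASK = 0xFFFFFFFF
CONSTANTS_256 = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
COLUMNS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONALS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarter_round(a, b, c, d):
    """Quarterround: (a, b, c, d) -> (a'', b'', c'', d'') using +, XOR and <<<."""
    a = (a + b) & MASK; d = rotl(d ^ a, 16)
    c = (c + d) & MASK; b = rotl(b ^ c, 12)
    a = (a + b) & MASK; d = rotl(d ^ a, 8)
    c = (c + d) & MASK; b = rotl(b ^ c, 7)
    return a, b, c, d


def inv_quarter_round(a, b, c, d):
    """Reverse quarterround: undo the eight steps in the opposite order."""
    b = rotl(b, 32 - 7) ^ c;  c = (c - d) & MASK
    d = rotl(d, 32 - 8) ^ a;  a = (a - b) & MASK
    b = rotl(b, 32 - 12) ^ c; c = (c - d) & MASK
    d = rotl(d, 32 - 16) ^ a; a = (a - b) & MASK
    return a, b, c, d


def apply_round(state, r, inverse=False):
    """Round r (1-based): columnround if r is odd, diagonalround if r is even."""
    groups = COLUMNS if r % 2 == 1 else DIAGONALS
    qr = inv_quarter_round if inverse else quarter_round
    out = list(state)
    for idx in groups:
        for i, v in zip(idx, qr(*(out[i] for i in idx))):
            out[i] = v
    return out


def rounds(state, n):
    """X(n): apply rounds 1..n to the initial state X(0)."""
    for r in range(1, n + 1):
        state = apply_round(state, r)
    return state


def initial_state(key, words_12_to_15):
    """Row 0 constants, rows 1-2 key words k0..k7, row 3 the IV/counter words."""
    if len(key) != 32 or len(words_12_to_15) != 4:
        raise ValueError("need a 32-byte key and four 32-bit words")
    return list(CONSTANTS_256) + list(struct.unpack('<8I', key)) + [w & MASK for w in words_12_to_15]


def keystream_block(state, n):
    """Z = X(0) + X(n), word-wise modulo 2^32."""
    return [(x + y) & MASK for x, y in zip(state, rounds(state, n))]


def backward(z, guessed_initial, n, r):
    """M = Z - X~ for a guessed initial state X~ (word-wise mod 2^32), then reverse
    rounds n, n-1, ..., r+1.  With the correct guess the result equals X(r)."""
    m = [(zi - xi) & MASK for zi, xi in zip(z, guessed_initial)]
    for rr in range(n, r, -1):
        m = apply_round(m, rr, inverse=True)
    return m


def diff_weight_after_round1(key, words, word=12, bit=6):
    """Hamming weight of X(1) XOR X'(1) for the input difference ID = (0)_word[bit]."""
    x = initial_state(key, words)
    xp = list(x)
    xp[word] ^= 1 << bit
    return sum(bin(u ^ v).count('1') for u, v in zip(rounds(x, 1), rounds(xp, 1)))


def find_right_pair(key, max_tries):
    """Try word 12 = 0, 1, 2, ... until the first-round difference has the minimum
    weight 10, i.e. (key, IV) is a right pair in the sense of Beierle et al. [4].
    Returns (word12, number of tries) or None if no IV was found in max_tries."""
    for t in range(max_tries):
        if diff_weight_after_round1(key, (t, 0, 0, 0)) == 10:
            return t, t + 1
    return None


if __name__ == "__main__":
    # RFC 8439, Section 2.1.1 quarterround test vector
    assert quarter_round(0x11111111, 0x01020304, 0x9B8D6F43, 0x01234567) == \
        (0xEA2A92F4, 0xCB1CF8CE, 0x4581472E, 0x5881C4BB)
    key = bytes(range(32))                       # constructed sample key
    x = initial_state(key, (1, 0, 0, 0))
    z = keystream_block(x, 7)                    # one ChaCha7 keystream block
    assert backward(z, x, 7, 4) == rounds(x, 4)  # reversing 3 rounds gives X(4)
    print("right pair for the all-zero key:", find_right_pair(bytes(32), 1 << 12))
```

With the ID at bit 6 of word 12, only column $(X_0, X_4, X_8, X_{12})$ is affected in round 1; the difference is rotated to bit 22, then to bit 2, and each modular addition either leaves a single-bit difference or spreads it through a carry, which is why the weight is exactly 10 for a right pair and larger otherwise. The key bits $k_0$ and $k_4$ sit on the carry paths, so whether some IV gives a carry-free first round depends on the key: that is the weak/strong key split of [4] and the 47%/53% count with $2^5$ tries reported in Section V-B.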

III. MATHEMATICAL FORMULATION OF THE TIME AND DATA COMPLEXITY
Let X be a normally distributed random variable. Let $X_1$ denote the normal distribution of the statistic when the output is biased, with mean $\mu_1$ and standard deviation $\sigma_1$, and let $X_0$ denote the distribution generated from random output, with mean $\mu_0$ and standard deviation $\sigma_0$.

TABLE 2. Table of notations.
Let $H_0 : X = X_0$ be the hypothesis that the distribution is generated from random output and $H_1 : X = X_1$ the hypothesis that the distribution is the biased normal distribution. The threshold is chosen so that the following error-probability conditions hold.
For the non-detection error, $\Pr(Y \le \text{threshold} \mid H_1) < 1.3 \times 10^{-3}$, and for the false-alarm error, $\Pr(Y \ge \text{threshold} \mid H_0) < 2^{-\alpha}$ for some suitable α.

A. FALSE ALARM ERROR
For the distribution $X_0$, the probability that $X_0$ is at least the threshold must be less than $2^{-\alpha}$. Writing $(X_0 - \mu_0)/\sigma_0$ for the corresponding standard normal variable, the condition becomes a bound on the standardised threshold $(\text{threshold} - \mu_0)/\sigma_0$.

This implies Equation 5, the relation between the threshold, $\mu_0$, $\sigma_0$ and α.

B. NON-DETECTION ERROR
The standardised form of $X_1$ is $(X_1 - \mu_1)/\sigma_1$. As mentioned, the non-detection error probability must be less than $1.3 \times 10^{-3}$, so $\Pr(X_1 \le \text{threshold}) \le 1.3 \times 10^{-3}$; writing this inequality in standard form gives Equation 6. To compute the data complexity, we compare Equation 5 and Equation 6: rewriting Equation 6 gives Equation 7, and comparing the left-hand sides of Equation 5 and Equation 7 gives the data complexity N (Equation 8). The time complexity of the attack is then obtained from N.

IV. PARTITIONING THE RANGE OF THE BIASES
In the existing attacks, as mentioned in Subsection II-B, the median value of the bias is used to compute the attack complexity. Therefore, the formula works for approximately 50% of all keys. In this work, we aim to compute the probability of success when, for a given key, the bias is lower than the median value. The overall probability of key recovery depends on the distribution of the biases over the keys.
Throughout our analysis, we use the 3.5-round distinguisher $\Delta^{(0)}_{12}[6] \to \Delta^{(3.5)}_{1}[0]$ given by Beierle et al. [4], where $\Delta^{(0)}_{12}[6]$ denotes the ID position and $\Delta^{(3.5)}_{1}[0]$ the OD position. We divide the range of bias values into a fixed number of intervals and, for each interval, find the percentage of keys whose bias lies in that interval.
We consider only the median value of the forward bias $\epsilon_d$ for an ID-OD position, but the bias is distributed over all the keys. Let [0, E] be the range of the forward bias value. We divide this interval into k sub-intervals $[\epsilon_{d_j}, \epsilon_{d_{j+1}}]$, $0 \le j \le k-1$. Here $\epsilon_{d_0} = 0$ and $\epsilon_{d_k} = E$ denote the minimum and maximum bias values respectively, and the median value $\epsilon_d$ lies in one of the sub-intervals $[\epsilon_{d_j}, \epsilon_{d_{j+1}}]$. Let $P_j$ denote the percentage of keys whose bias lies in the interval $[\epsilon_{d_j}, \epsilon_{d_{j+1}}]$.

A. ANALYSIS OF BIAS DISTRIBUTION FOR RIGHT PAIR-BASED ATTACK
Here we present the forward bias distribution for the right pair-based attack. The median bias value $\epsilon_d$ for the ID-OD pair in the right pair-based case is 0.00317. In Figure 2, the histogram shows the percentage of keys in each interval; the percentage for each interval is listed in Table 3. The x-axis shows the bias values (scaled by a factor of $10^{-4}$) and the y-axis the percentage of keys lying in an interval. Note that the intervals are not necessarily of equal width; we chose them so as to obtain a tight estimate (a small interval).

B. ANALYSIS OF BIAS DISTRIBUTION FOR RANDOM IV BASED ATTACK
Here we present the random-IV based attack case for the same ID-OD pair. The experimentally observed median bias value $\epsilon_d$ for the ID-OD pair in the random-IV based case is 0.00050. In Figure 3, the histogram shows the percentage of keys in each interval; the percentage for each interval is listed in Table 4.
The error probability of a sub-interval is the probability that the attack fails for a key whose bias ϵ satisfies $\epsilon_j < \epsilon < \epsilon_{j+1}$; Y denotes this case for a particular value of j.
Hence the total error probability over the interval [0, E] is the sum of the error probabilities of all k sub-intervals of the bias interval [0, E]. This sum can be represented in interval form. Now, to compute the probability of key recovery, we subtract the error probability values from 1; hence the probability of key recovery also lies in an interval.

A. PROBABILITY OF KEY RECOVERY IN THE ATTACK PROCEDURE BY AUMASSON ET AL. [1]
Aumasson et al. [1] obtained the forward bias for the random-IV based attack, as the idea of the right pair-based attack was introduced only later by Beierle et al. [4]. We use the 3.5-round ID-OD pair $\Delta^{(0)}_{12}[6] \to \Delta^{(3.5)}_{1}[0]$ throughout for uniformity. Now, to compute the probability of key recovery, we find the value of $F(\epsilon_j)$ for each $\epsilon_j = \epsilon_{d_j} \times \epsilon_a$, $0 < j < 13$, where F is the non-detection probability of Section III evaluated for a key whose bias is $\epsilon_j$. To obtain the error probability for the bias values $\epsilon_0$ and $\epsilon_1$, we multiply the probability value $P_0$ by $F(\epsilon_0)$ and $F(\epsilon_1)$ respectively. Similarly, we compute the error probability for $\epsilon_j$ and $\epsilon_{j+1}$, $0 < j < 13$. After adding the error probabilities of all $\epsilon_j$'s, we obtain the probability of key recovery.
Using the attack technique of Aumasson et al. [1], the bias $\epsilon_d$ observed for 3.5 rounds equals 0.00050; this is the forward bias. The bias observed in the backward direction, from 7 rounds to 3.5 rounds, is the backward bias $\epsilon_a = 0.00057$. In this procedure, 79 key bits are PNBs. Substituting $\epsilon = \epsilon_d \cdot \epsilon_a$ into Equation 8, we evaluate the data complexity $N = 2^{49.96} = 1095112114681510$ for α = 30. Using this N, Equation 6 gives the threshold value 547556163755514.06. In Table 5, we compute the error probability for each $\epsilon_{d_j}$, $0 < j < 13$. The sum of the error probabilities, represented in interval form and subtracted from 1, yields the probability of key recovery [0.630, 0.713] stated in Section I.
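The hypothesis test of Section III and the interval method of this section, as an added, runnable example (this is not the paper's code). It models the statistic as Section III does, a count Y over N samples that is normal with mean N/2 and standard deviation $\sqrt{N}/2$ under $H_0$ and mean $N(1+\epsilon)/2$ and standard deviation $\sqrt{N(1-\epsilon^2)}/2$ under $H_1$, fixes the threshold from the two error bounds (it is named `tau` here; the extracted page does not show the paper's symbol), and computes $F(\epsilon)$, the non-detection probability for a key whose bias is ϵ rather than the median. Assumptions: the closed form for N is the one of Aumasson et al. [1], $N \approx ((\sqrt{\alpha \log 4} + 3\sqrt{1-\epsilon^2})/\epsilon)^2$, since Equations 5 to 8 are not reproduced on this page; with the V-A values it gives $\log_2 N \approx 49.97$ and a threshold of about N/2, matching the figures above to within rounding. The histogram in the usage section is constructed for illustration and is not Table 5.

```python
"""Data complexity, threshold and probability of key recovery for the
differential-linear attack (added example; not code from the paper).

Model, as read from Section III of this page: after N samples the count Y of
'difference bit = 1' events is ~ N(mu0, sigma0) = N(N/2, sqrt(N)/2) under H0
(random output) and ~ N(mu1, sigma1) = N(N(1+eps)/2, sqrt(N(1-eps^2))/2)
under H1 (bias eps = eps_d * eps_a).  The threshold (called tau here; the page
does not name it) satisfies Pr(Y >= tau | H0) < 2^-alpha and
Pr(Y <= tau | H1) < 1.3e-3, i.e. tau sits 3 sigma below mu1.  The closed form
for N is the one of Aumasson et al. [1]; Equations 5-8 of the paper are not on
this page, so that is an assumption.
"""
import math


def phi(x):
    """Standard normal CDF."""
    return 0.5 * math.erfc(-x / math.sqrt(2))


def z_false_alarm(alpha):
    """Pr(Z >= z) <= exp(-z^2 / 2) = 2^-alpha  gives  z = sqrt(alpha * ln 4)."""
    return math.sqrt(alpha * math.log(4))


def data_complexity(eps, alpha=30):
    """N such that the false-alarm and non-detection bounds both hold."""
    z = z_false_alarm(alpha)
    return ((z + 3 * math.sqrt(1 - eps * eps)) / eps) ** 2


def threshold(n, alpha=30):
    """tau = mu0 + z * sigma0 with mu0 = N/2 and sigma0 = sqrt(N)/2."""
    return n / 2 + z_false_alarm(alpha) * math.sqrt(n) / 2


def nondetection_prob(eps_key, n, tau):
    """F(eps_key) = Pr(Y <= tau | the key's true bias is eps_key): the attack keeps
    the right key guess only if Y exceeds tau, so this is the miss probability."""
    mu = n * (1 + eps_key) / 2
    sigma = math.sqrt(n * (1 - eps_key * eps_key)) / 2
    return phi((tau - mu) / sigma)


def recovery_interval(hist, eps_a, n, tau):
    """hist: (eps_d_lo, eps_d_hi, P_j) per sub-interval, P_j being the fraction of
    keys whose forward bias lies in [lo, hi] (Section IV).  F decreases with the
    bias, so each interval's error mass lies between P_j*F(hi*eps_a) and
    P_j*F(lo*eps_a); 1 minus the summed bounds is the key-recovery interval."""
    err_hi = sum(p * nondetection_prob(lo * eps_a, n, tau) for lo, hi, p in hist)
    err_lo = sum(p * nondetection_prob(hi * eps_a, n, tau) for lo, hi, p in hist)
    return 1 - err_hi, 1 - err_lo


def combine(frac_right, right_pair, random_iv):
    """Weight the right-pair and random-IV intervals by the key fractions (V-B, V-C)."""
    return tuple(frac_right * a + (1 - frac_right) * b for a, b in zip(right_pair, random_iv))


if __name__ == "__main__":
    eps_d, eps_a, alpha = 0.00050, 0.00057, 30            # Subsection V-A values
    n = data_complexity(eps_d * eps_a, alpha)
    tau = threshold(n, alpha)
    print(f"log2 N = {math.log2(n):.2f}, tau/N = {tau / n:.9f}")
    for f in (1.0, 0.75, 0.5, 0.0):                       # keys weaker than the median
        print(f"bias {f:4.2f} x median: miss probability "
              f"{nondetection_prob(f * eps_d * eps_a, n, tau):.4f}")
    # constructed histogram for illustration, not the paper's Table 5:
    # (eps_d lower end, eps_d upper end, fraction of keys)
    hist = [(0.0, 0.00025, 0.3), (0.00025, 0.0005, 0.2), (0.0005, 0.001, 0.5)]
    print("recovery interval:", recovery_interval(hist, eps_a, n, tau))
    print("combined, V-C numbers:", combine(0.62, (0.975, 0.989), (0.69, 0.756)))
```

Running the script prints the miss probability for keys whose bias is 1, 0.75, 0.5 and 0 times the median: about 0.0013 at the median, rising to about 0.96 at half the median. A key whose bias is below the median is therefore missed most of the time even though the complexity formula was met, which is why the median-based formula covers only about half of the keys and why the bias histogram of Section IV determines the recovery interval.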

B. PROBABILITY OF KEY RECOVERY IN THE ATTACK PROCEDURE BY BEIERLE ET AL. [4]
In CRYPTO 2020, Beierle et al. [4] introduced the new ID-OD pair $\Delta^{(0)}_{12}[6] \to \Delta^{(3.5)}_{1}[0]$. They used the right pair-based attack, searching for a key-IV right pair for every key, and observed that no such pair exists for some keys. They found the bias $\epsilon_d$ for 3.5 rounds in the right pair-based case. In the attack procedure for 7-round ChaCha, the bias observed in the backward direction from 7 rounds to 3.5 rounds is the backward bias $\epsilon_a = 0.000610$, and 74 key bits are PNBs. Using Equation 8, the data complexity is $N = 2^{43.83} = 15636683811300$, and Equation 6 gives the threshold value 7818352092492.251.

1) CRITICISM OF THE CLAIM
In [4], the authors categorised the keys into ''weak keys'' (70%) and ''strong keys'' (30%) and proposed the attack only for the weak keys. To find an IV that forms a right pair with a given weak key, $2^5$ IVs have to be tried. However, this is an average value and does not fit the existing complexity formula, which counts the maximum number of iterations, not the average. Aligning with the existing formula, if we assume that the attacker performs at most $2^5$ iterations, we have experimentally found that only for 47% of all keys is an IV forming a right pair found among $2^5$ IVs, while for the remaining 53% of the keys no such IV is found within $2^5$ iterations.
In Table 6, we show the percentage of keys for which a suitable IV forming a right pair is found; to reach 70%, $2^{11}$ iterations are needed.
2) COMPUTING THE PROBABILITY
Therefore, to compute the probability of key recovery, we use the 47%-53% breakdown instead of the 70%-30% one. For the 53% of keys for which no suitable IV forming a right pair is found, the attack automatically becomes a random-IV based attack. So we compute the probability of key recovery separately for the two cases, the right pair-based and the random-IV based attack.

a: RIGHT PAIR-BASED ATTACK (FOR 47% OF THE KEYS)
In this case, we consider only those key-IV pairs for which the difference after the first round has the minimum weight 10, i.e., the right pairs. The observed forward bias is $\epsilon_d = 0.00317$.
Here, we divide the bias range into 8 sub-intervals. Substituting the values of $P_j$ and $\epsilon_j$, we obtain the error probabilities and hence the probability of key recovery for the right pair-based attack.
From Table 7, we obtain the error probability for all 7 values of $\epsilon_{d_j}$ for the right pair-based attack. The sum of these error probabilities lies in the interval $[37.1 \times 10^{-4}, 66.4 \times 10^{-4}]$. Using the formula of Section V, the probability of key recovery for the right pair-based attack is therefore $[1 - 66.4 \times 10^{-4}, 1 - 37.1 \times 10^{-4}] = [0.993, 0.996]$.

b: RANDOM IV BASED ATTACK (FOR 53% OF THE KEYS)
In this case, a random-IV based attack is used for every key. The observed forward bias is $\epsilon_d = 0.00050$. We compute the probability of key recovery for the random-IV based attack by the procedure explained in Subsection V-A.
In Table 8, we compute the error probability for the random-IV based attack. Here the bias range is divided into 14 sub-intervals. The interval of the error probability is $[2795.4 \times 10^{-4}, 3381.7 \times 10^{-4}]$, so the probability of key recovery for the random-IV based attack lies in $[1 - 3381.7 \times 10^{-4}, 1 - 2795.4 \times 10^{-4}] = [0.661, 0.720]$. As mentioned above, 47% of the keys form a right pair and for the remaining 53% no suitable IV forming a right pair is found. Therefore, we compute the probability for all keys by weighting the key-recovery probabilities of the right pair-based (47%) and random-IV based (53%) attacks: the interval of the probability of key recovery is $[0.47 \times 0.993 + 0.53 \times 0.661,\ 0.47 \times 0.996 + 0.53 \times 0.720] = [0.816, 0.849]$.

C. PROBABILITY OF KEY RECOVERY IN THE ATTACK PROCEDURE BY DEY ET AL. [5]
For the 7-round attack, Dey et al. [5] obtained the value of the forward bias $\epsilon_d$ for the same 3.5-round distinguisher. In the attack procedure, the backward bias observed from 7 rounds to 3.5 rounds is $\epsilon_a = 0.00057$, and 79 key bits are PNBs. The data complexity is $N = 2^{44.89} = 32601419142621$, and Equation 6 gives the threshold value 16300730460414.76.
In [5], Dey et al. mention that only 62% of all keys are exploitable, i.e., only for 62% of the keys do we get a favourable IV, which is stored in memory. For the remaining 38% of the keys, we have to fall back on a random-IV based attack. Therefore, similarly to Subsection V-B, we find the probabilities for both the right pair-based and the random-IV based attack.

1) RIGHT PAIR-BASED ATTACK (FOR 62% OF KEYS)
They observed the bias for the right pairs only. The observed forward bias is $\epsilon_d = 0.00317$. Table 9 shows the computation of the error probability for the right pair-based attack by Dey et al.; from the table, the error probability lies in the interval $[103.64 \times 10^{-4}, 246.76 \times 10^{-4}]$, so the probability of key recovery for the right pair-based attack lies in [0.975, 0.989].

2) RANDOM IV BASED ATTACK (FOR 38% OF KEYS)
Here, they observed the bias for all key-IV pairs. The observed forward bias is $\epsilon_d = 0.00050$. The computation of the probability of key recovery is the same as in Subsection V-B. The calculation of the error probability for the random-IV based attack by Dey et al. is given in Table 10; the interval of the error probability is $[2438.0 \times 10^{-4}, 3100.23 \times 10^{-4}]$, so the probability of key recovery for the random-IV based attack lies in $[1 - 3100.23 \times 10^{-4}, 1 - 2438.0 \times 10^{-4}] = [0.69, 0.756]$. Now, to compute the probability of key recovery over all keys, we weight the key-recovery probabilities of the 62% exploitable (right pair) keys and the 38% random-IV keys: the interval of the probability of key recovery is $[0.62 \times 0.975 + 0.38 \times 0.69,\ 0.62 \times 0.989 + 0.38 \times 0.756] = [0.866, 0.900]$.

VI. CONCLUSION
In this paper, we analyze the probability of key recovery in differential attacks against ChaCha. Until now, the assessment of new ideas in this line of attacks has predominantly focused on the improvement in complexity. Our contribution introduces another parameter for the comprehensive evaluation of any new idea: future attacks on ChaCha should include, among their contributions, an analysis of the probability of key recovery.
One research direction in this domain is the analysis of how the choice of key influences the backward bias $\epsilon_a$. A study of the distribution of $\epsilon_a$ and its integration with the distribution of $\epsilon_d$ into an overall distribution of ϵ is an important problem that can be explored in the future.

FIGURE 1. Probability of key recovery for ChaCha cipher.
The source code for computing the bias distribution for the right pair-based attack and the random-IV based attack cases is available in Code Ocean [25].

FIGURE 2. Bias distribution for right pair-based attack.

TABLE 9. Calculation of error probability for the right pair-based attack case in the attack procedure by Dey et al. in [5].
TABLE 10. Calculation of error probability for the random IV based attack case in the attack procedure by Dey et al. in [5].
TABLE 1. Estimated probability of key recovery for all three attack techniques.

TABLE 5. Calculation of error probability for the attack procedure by Aumasson et al. in [1].
TABLE 6. Percentage of keys for which we get an IV to form a right pair.

TABLE 7. Calculation of error probability for the right pair-based attack case in the attack procedure by Beierle et al. in [4].

TABLE 8. Calculation of error probability for the random IV based attack case in the attack procedure by Beierle et al. in [4].
