Rotational analysis of ChaCha permutation

Abstract

<p style='text-indent:20px;'>We show that the underlying permutation of ChaCha20 stream cipher does not behave as a random permutation for up to 17 rounds with respect to rotational cryptanalysis. In particular, we derive a lower and an upper bound for the rotational probability through ChaCha quarter round, we show how to extend the bound to a full round and then to the full permutation. The obtained bounds show that the probability to find what we call a parallel rotational collision is, for example, less than <inline-formula><tex-math id="M1">\begin{document}$ 2^{-505} $\end{document}</tex-math></inline-formula> for 17 rounds of ChaCha permutation, while for a random permutation of the same input size, this probability is <inline-formula><tex-math id="M2">\begin{document}$ 2^{-511} $\end{document}</tex-math></inline-formula>. We remark that our distinguisher is not an attack against the ChaCha20 stream cipher, but rather a theoretical analysis of its internal permutation from the point of view of rotational cryptanalysis. Whenever possible, our claims are supported by experiments.</p>