Paper 2020/1049

Rotational analysis of ChaCha permutation

Stefano Barbero, Emanuele Bellini, and Rusydi Makarim


We show that the underlying permutation of ChaCha20 stream cipher does not behave as a random permutation for up to 17 rounds with respect to rotational cryptanalysis. In particular, we derive a lower and an upper bound for the rotational probability through ChaCha quarter round, we show how to extend the bound to a full round and then to the full permutation. The obtained bounds show that the probability to find what we call a parallel rotational collision is, for example, less than $2^{-488}$ for 17 rounds of ChaCha permutation, while for a random permutation of the same input size, this probability is $2^{-511}$. We remark that our distinguisher is not an attack to ChaCha20 stream cipher, but rather a theoretical analysis of its internal permutation from the point of view of rotational cryptanalysis.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
ChaCha20Stream CipherRotational cryptanalysisPermutationDistinguisher
Contact author(s)
eemanuele bellini @ gmail com
2020-09-01: received
Short URL
Creative Commons Attribution


      author = {Stefano Barbero and Emanuele Bellini and Rusydi Makarim},
      title = {Rotational analysis of ChaCha permutation},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1049},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.