Miyaji Laboratory

With the rapid development of information and communication technologies，the importance of cryptography for secure communications has increased．Among cryptographic primitives，symmetric-key ciphers enable high-speed processing，and ChaCha，adopted in TLS1.3 standardized by the IETF，has been extensively studied．Existing cryptanalyses of ChaCha include differential and differential-linear attacks．Coutinho et al. proposed distinguishers for 3-6 and 6-7 rounds with complexity 2^214，and Bellini et al. proposed a 3.5-7-round distinguisher with complexity 2^169.89．However，linear approximations and distinguishers reaching 6.5 rounds had not been reported．Moreover，Dey et al. pointed out that many existing distinguishers are invalid due to excessive data complexity，leaving the best valid result as a 6-round distinguisher with complexity 2^51．In this work，we re-evaluate the complexity and maximum number of analyzable rounds of the distinguishers by Coutinho et al. and Bellini et al．We derive three new carry approximation formulas for two consecutive additions and apply them to refine linear biases．By revisiting the 3-6-round construction of Coutinho et al.，we obtain linear approximations up to 6.5 rounds and propose a 6.5-round distinguisher with complexity 2^109.75．Furthermore，by applying carry approximations to the linear part and considering multiple differential paths in the differential part，we propose a new 6.5-round distinguisher with reduced complexity 2^105.64，achieving a 12 ％ improvement．