Further Improving Differential-Linear Attacks: Applications to Chaskey and Serpent Marek Broll 1 , Federico Canale 1 , Nicolas David 2 , Antonio Florez-Gutierrez 2 , Gregor Leander 1 , Mar´ ıa Naya-Plasencia 2 , and Yosuke Todo 3 1 Horst G¨ ortz Institute for IT Security, Ruhr University Bochum, Bochum, Germany, {marek.broll,federico.canale,gregor.leander}@rub.de 2 Inria, France, {nicolas.david,antonio.florez-gutierrez,maria.naya plasencia}@inria.fr 3 NTT Secure Platform Laboratories, Tokyo, Japan, yosuke.todo.xt@hco.ntt.co.jp Abstract. Differential-linear attacks are a cryptanalysis family that has recently benefited from various technical improvements, mainly in the context of ARX constructions. In this paper we push further this refine- ment, proposing several new improvements. In particular, we develop a better understanding of the related correlations, improve upon the statis- tics by using the LLR, and finally use ideas from conditional differentials for finding many right pairs. We illustrate the usefulness of these ideas by presenting the first 7.5-round attack on Chaskey. Finally, we present a new competitive attack on 12 rounds of Serpent, and as such the first cryptanalytic progress on Serpent in 10 years. Keywords: cryptanalysis, differential-linear attack, partitions, LLR, Chaskey, Serpent, conditional-differential 1 Introduction Symmetric ciphers are deployed in virtually any application using cryptography and are indeed used for encryption of the bulk of our private data. The security of symmetric primitives is evaluated as their resistance against known attacks, and the great success of symmetric cryptography is based on the community’s effort to continually improve upon the best attacks by developing new general ideas and applying them to concrete ciphers to get concrete security levels and security margins. It is safe to say that the most studied attack families are differential and linear cryptanalysis and their variants. Here, we are especially interested in their combination known as differential- linear cryptanalysis, initially introduced in [16]. The high-level idea is to split a cipher into two parts and to apply a differential attack to the first, and a linear attack to the second part. If successful, this results in a biased distribution when comparing (a linear combination of) output bits from pairs of ciphertexts stemming from plaintexts with a particular difference. Given a differential part