Cryptanalysis of Full LowMC and LowMC-M with Algebraic Techniques

Abstract

In this paper, we revisit the difference enumeration technique for LowMC and develop new algebraic techniques to achieve efficient key-recovery attacks. In the original difference enumeration attack framework, an inevitable step is to precompute and store a set of intermediate state differences for efficient checking via the binary search. Our first observation is that Bar-On et al.’s general algebraic technique developed for SPNs with partial nonlinear layers can be utilized to fulfill the same task, which can make the memory complexity negligible as there is no need to store a huge set of state differences any more. Benefiting from this technique, we could significantly improve the attacks on LowMC when the block size is much larger than the key size and even break LowMC with such a kind of parameter. On the other hand, with our new key-recovery technique, we could significantly improve the time to retrieve the full key if given only a single pair of input and output messages together with the difference trail that they take, which was stated as an interesting question by Rechberger et al. at ToSC 2018. Combining both techniques, with only 2 chosen plaintexts, we could break 4 rounds of LowMC adopting a full S-Box layer with block size of 129, 192 and 255 bits, respectively, which are the 3 recommended parameters for Picnic3, an alternative third-round candidate in NIST’s Post-Quantum Cryptography competition. We have to emphasize that our attacks do not indicate that Picnic3 is broken as the Picnic use-case is very different and an attacker cannot even freely choose 2 plaintexts to encrypt for a concrete LowMC instance. However, such parameters are deemed as secure in the latest LowMC. Moreover, much more rounds of seven instances of the backdoor cipher LowMC-M as proposed by Peyrin and Wang in CRYPTO 2020 can be broken without finding the backdoor by making full use of the allowed \(2^{64}\) data. The above mentioned attacks are all achieved with negligible memory.

Appendices

A Description of LowMC-M

LowMC-M [27] is a family of tweakable block ciphers built on LowMC, which is introduced by Peyrin and Wang at CRYPTO 2020. The feature of LowMC-M is that backdoors can be inserted in the instantiation. The only difference between LowMC and LowMC-M is that there is an addition operation AddSubTweak (AT) after AK and WK. In other words, the round function in the \((i+1)\)-round \((0\le i\le R-1)\) can be described as follows:

1. 1.

   SBoxLayer (SB): Same with LowMC.

2. 2.

   LinearLayer (L): Same with LowMC.

3. 3.

   ConstantAddition (AC): Same with LowMC.

4. 4.

   KeyAddition (AK): Same with LowMC.

5. 5.

   AddSubTweak (AT): Add an n-bit sub-tweak \(TW_{i+1}\) to the n-bit state.

For the state after WK, it will also be XORed with an n-bit sub-tweak \(TW_0\).

To strengthen the security of the backdoors, \(TW_i\) \((0\le i\le R)\) are generated via an extendable-output-function (XOF) function. SHAKE-128 and SHAKE-256 are used as the XOF functions in LowMC-M for 128-bit and 256-bit security respectively. Specifically, the tweak TW is the input of the XOF function and the corresponding \(n(R+1)\)-bit output will be split into \((R+1)\) sub-tweaks \(TW_i\), i.e. \((TW_0,TW_1,\cdot \cdot \cdot ,TW_{R})\leftarrow \mathrm{XOF}(TW)\).

B Exploiting the Tweak to Maximize \(r_0\) for LowMC-M

In brief, when there is no active S-box in the first \(r_0\) rounds, an attacker can construct a linear equation system of size \(3mr_0\) and in terms of \(\varDelta _0\) as well as the difference of the sub-tweaks \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\). When the sub-tweaks are fixed, the equation system is thus only in terms of \(\varDelta _0\), i.e. n variables. Therefore, when \(3mr_0>n\), the equation system is consistent with probability \(2^{n-3mr_0}\). Thus, the attacker needs to find an assignment for \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\) such that the constructed equation system is consistent.

To achieve this goal, the equation system will be first re-organized by placing \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\) on the right-hand of the equation system and placing \(\varDelta _0\) on the left-hand of the equation system. In other words, the equation system becomes

$$\begin{aligned} A\cdot \varDelta _0=B\cdot (\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1}), \end{aligned}$$

where A is a binary matrix of size \(3mr_0\times n\) and B is a binary matrix of size \(3mr_0\times nr_0\). To ensure that there is a solution to \(\varDelta _0\), one can derive an equation system of size \(3mr_0-n\) and only in terms of \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\). Specifically, apply a transform \(A^{\prime }_{3mr_0\times 3mr_0}\) to both A and B such that the first n rows of \(A^{\prime }\cdot A\) is an identity matrix and the remaining \((3mr_0-n)\) rows of \(A^{\prime }\cdot A\) are all zero. In this way, we only need to focus on the last \((3mr_0-n)\) rows of \(A^{\prime }\cdot B\), i.e. a linear equation system of size \(3mr_0-n\) and in terms of \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\) can be derived to ensure that there is always a solution to \(\varDelta _0\). Thus, with a parallel collision search [32], it is expected to find \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\) with time complexity \(2^{\frac{3mr_0-n}{2}}\) and negligible memory satisfying such an equation system. Therefore, the constraint for \(r_0\) becomes

$$\begin{aligned} \frac{3mr_0-n}{2}<k. \end{aligned}$$

(19)

In this way, one could find the desirable pair of tweaks as well as the plaintext difference \(\varDelta _0\) with time complexity \(2^{\frac{3mr_0-n}{2}}\). This is the method given in [9] to maximize \(r_0\).

C Explanation of the Attacks on LowMC with a Full S-box Layer

Attacks on (192, 192, 64, 1, 4). Similar to the above analysis, we first confirm q. As \(V(192,15)>1\) based on Eq. 12, we can expect to always find an assignment to \(\varDelta _0^S\) such that there will be \(q=15\)⁸ inactive S-boxes in the 2nd round.

As \(Pr[t\ge 3]\approx 0.99\) and \(Pr[62\le t\le 64]\approx 0\), based on Eq. 17 and Eq. 18, the time complexity to retrieve the master key will be \(max(3\times 2^{3m-2t}, 4\times 2^{3t-2})<2^{187.6}\). Based on Eq. 16, the time complexity to enumerate the difference is less than \(3\times (2^{2m}+2^{2m-2t+0.858m})=3\times (2^{2m}+2^{2.858m-2t})<2^{178.5}\). Therefore, we could break \((n,k,m,D,R)=(192,192,64,1,4)\) with time complexity less than \(2^{187.6}\) and success probability 0.99.

As \(Pr[t\ge 6]=0.82\) and \(Pr[61\le t\le 64]\approx 0\), the time complexity to retrieve the master key will be \(max(3\times 2^{3m-2t},4\times 2^{3t-2})=2^{180}\), while the time complexity to enumerate the differences will not exceed \(3\times (2^{2m}+2^{2.858m-2t})<2^{170.9}\). Therefore, we could break \((n,k,m,D,R)=(192,192,64,1,4)\) with time complexity less than \(2^{180}\) and success probability 0.82.

To further reduce the success probability, we focus on the expected case \(q=15\) and \(3\le t\le 52\). As \(Pr[t\ge 3]\approx 0.99\) and \(Pr[53\le t\le 64]\approx 0\), we have \(Pr[3\le t\le 52]\approx 0.99\). The time complexity to retrieve the master key becomes \(max(2^{3m-2t-2q},2^{3t-2})<2^{156}\). The time complexity to enumerate the difference is less than \(2^{2m-2q}+2^{2.858m-2t-2q}<2^{146.9}\). Therefore, we could break \((n,k,m,D,R)=(192,192,64,1,4)\) with time complexity less than \(2^{156}\) and success probability \(0.99\times 0.25=0.247\).

Attacks on (255, 256, 85, 1, 4). For \((n,k,m,D,R)=(255,255,85,1,4)\), we have \(V(255,19)>1\) based on Eq. 12, i.e. we can expect to always find an assignment to \(\varDelta _0^S\) such that there will be \(q=19\)⁹ inactive S-boxes in the 2nd round.

As \(Pr[t\ge 5]\approx 0.986\) and \(Pr[79\le t\le 85]\approx 0\), based on Eq. 17 and Eq. 18, the time complexity to retrieve the master key will be \(max(3\times 2^{3m-2t}, 4\times 2^{3t-2})<2^{246.6}\). Based on Eq. 16, the time complexity to enumerate the difference is less than \(3\times (2^{2m}+2^{2m-2t+0.858m})=3\times (2^{2m}+2^{2.858m-2t})<2^{234.53}\). Therefore, we could break \((n,k,m,D,R)=(255,255,85,1,4)\) with time complexity less than \(2^{246.6}\) and success probability 0.986.

As \(Pr[t\ge 8]=0.848\) and \(Pr[79\le t\le 85]\approx 0\), the time complexity to retrieve the master key will be \(max(3\times 2^{3m-2t},4\times 2^{3t-2})<2^{240.6}\), while the time complexity to enumerate the differences will not exceed \(3\times (2^{2m}+2^{2.858m-2t})<2^{228.53}\). Therefore, we could break \((n,k,m,D,R)=(255,255,85,1,4)\) with time complexity less than \(2^{240.6}\) and success probability 0.848.

To further reduce the success probability, we focus on the expected case \(q=19\) and \(5\le t\le 85\). As \(Pr[t\ge 5]\approx 0.986\) and \(Pr[70\le t\le 85]\approx 0\), we have \(Pr[5\le t\le 69]\approx 0.986\). The time complexity to retrieve the master key becomes \(max(2^{3m-2t-2q},2^{3t-2})<2^{208}\). The time complexity to enumerate the difference is less than \(2^{2m-2q}+2^{2.858m-2t-2q}<2^{194.93}\). Therefore, we could break \((n,k,m,D,R)=(255,255,85,1,4)\) with time complexity less than \(2^{208}\) and success probability \(0.986\times 0.25=0.2465\).

D A Table

Table 4. The full list for all valid non-zero difference transitions