Automated Key Recovery Attacks on Round-Reduced Orthros

Abstract

Orthros is a low-latency keyed pseudo-random function designed by Banik et al. in FSE 2022. It adopts the parallel structure composed of two keyed permutations. Both branches take the same 128-bit input and their outputs are XORed to generate the final 128-bit output. Benefiting from this special structure, it’s security is hard to evaluate, especially for key recovery attacks. In its specification, the most effective distinguisher proposed is a 7-round integral one. However, it can only lead to key recovery attacks worse than exhaustive attack. Besides, there is no key recovery attack presented in the design document. Therefore, we are motivated to see whether a valid key recovery attack exists and how powerful it can be. In this paper, we aim to proceed differential and differential-linear key recovery attacks on Orthros. To deal with the special structure, we introduce two automated key recovery attack frameworks that work for such two-branch ciphers. With the help of them, we finally got a 7-round differential-linear key recovery attack and a 6-round differential one. Both attacks are the first key recovery attacks on this cipher. However, they are so far from threatening its full-round security.

Appendices

A Integral Key Recovery Attacks on Orthros

In this section, we show that there is no integral key recovery attacks can be mounted for more than 6 rounds with complexities better than the exhaustive attack. Hence, our proposed 7-round differential-linear attack is the best key recovery one.

The 7-round integral distinguishers given in the design document [2] have 127 active bits in the input. One of them can make all output bits after 7 rounds balanced when the 0-th bit is constant and the remaining 127 bits take all possible \(2^{127}\) values. As pointed out by designers, these 7-round distinguishers cannot be used to mount key recovery attacks on 8-round Orthros. When adding one round after the distinguisher, one has to guess one of the branch outputs in order to reverse the ciphertext. In this case, it costs more than the exhaustive attack. If we try to prepend one round before it, we have to traverse all \(2^{128}\) inputs which is also not better than the exhaustive attack.

Another way is proceeding a 7-round attack based on a 6.5-round distinguisher. The first round of this distinguisher contains all operations except for the Sbox layer⁴, while the others are composed of all operations. By adding the Sbox layer and the whitening key addition operation before such distinguisher, we try to mount a 7-round attack. To find the distinguisher in each branch, we constructed an automatic searching algorithm following the way introduced in [10]. As a result, we found several 6.5-round distinguishers which hold for both branches. Among these distinguishers, the best ones have 5 bits fixed and take all possible values on the other 123 bits. These five bits cover a full output of a Sbox \(S_1\) (4-bit) and one bit of the output of another Sbox \(S_2\).

Without loss of generality, assuming that \(S_1\) is the i-th Sbox while \(S_2\) is the j-th Sbox. In this case, we have to traverse all inputs of the added Sbox layer except for the i-th Sbox to check whether the distinguisher holds. Meanwhile, to get these 124-bit input to the Sbox layer in Branch1, the 4-bit whitening key \(WK^1[j]\) should be guessed, where \(WK^1[j]\) denotes the j-th nibble of \(WK^1\). As for Branch2, another 4-bit whitening key \(WK^2[j]\) also needs to be guessed. According to bit permutations utilized in the key schedule of Orthros, there is at most one common bit in \(WK^1[j]\) and \(WK^2[j]\). Hence, we have to guess 7 master key bits for each input. Recall that we need to traverse \(2^{124}\) inputs. Therefore, such an attack costs \(2^{124}\cdot 2^{7}=2^{131}\) full-round encryptions of Orthros, which is worse than the exhaustive attack which needs \(2^{128}\) full-round encryptions.

B Differential-Like Attacks Considering Two Rounds Prepended

Since the active pattern of plaintexts affects the data complexity of key recovery attack, we wonder how many bits will be activated from randomly chosen input differences. The relation between the active pattern and input differences can be deduced with active pattern propagation properties of each operation. To find the minimal number of activated bits, we construct this deducing procedure into several equations following Property 6–10 and solve them with the automatic searching tool STP. Note that we don’t make any restriction on these two input differences. As a result, we obtain that at least 22 nibbles (i.e. 88 bits) will be activated when two rounds are prepended.

Fig. 5.

Key recovery attack on Orthros considering two rounds

Key recovery attack framework in this case is illustrated in Fig. 5. In this attack, the best way we can do to construct plaintext pairs is following the strategy utilized in Algorithm 1. For each structure, we choose \(2^{88}\) plaintexts M which takes all possible values in these 88 activated bits while fixed in others. For each plaintext M, we encrypt it under \(2^{88}\) guessed values of \(WK^1\). After applying the first Sbox layer, one can obtain 88-bit \(Y^1\). Then one can achieve \((Y^{1})'=Y^1\oplus \alpha ^1\), where \(\alpha ^1\) is deduced from \(\varDelta ^1\) and takes more than one possible value. With the 88-bit \((Y^{1})'\), one can obtain \(M'\) by applying the inverse of Sbox layer.

Note that the above procedure has already cost at least \(T=2^{88}\cdot 2^{88}\cdot \frac{22}{32}\approx 2^{175.46}\) times of proceeding the Sbox layer. Assuming that the proceeding cost of Sbox layer equals to \(\frac{1}{2}\) one-round encryption and we’re mounting attacks on an R-round Orthros, this procedure costs \(T\cdot \frac{1}{2}\cdot \frac{1}{R}\ge T\cdot \frac{1}{2}\cdot \frac{1}{12}\approx 2^{170.87}\) full-round encryptions. This costs much worse than the exhaustive attack where time complexity is \(2^{128}\) full-round encryptions.

C Permutations Adopted in Orthros

Bit and nibble permutations used in the round function of Orthros are shown in Table 5 and 6, while Table 7 describes bit permutations utilized in key schedules.

Table 5. Bit permutations \(P_{br1}\) and \(P_{br2}\) adopted in Orthros [2]

Table 6. Nibble permutations \(P_{nr1}\) and \(P_{nr2}\) adopted in Orthros [2]

Table 7. Bit permutations \(P_{bk1}\) and \(P_{bk2}\) adopted in Orthros [2]

D DDT, LAT and DLCT for the Sbox of Orthros

We illustrate DDT, LAT and DLCT for its Sbox in Table 8, 9 and 10, respectively.

Table 8. Differential distribution table \(DDT(\varDelta _{in},\varDelta _{out})\)

Table 9. Linear approximation table \(LAT(\varGamma _{in},\varGamma _{out})\)

Table 10. Differential-linear connectivity table \(DLCT(\varDelta _{in},\varGamma _{out})\)