Abstract
In differential-like attacks, the process typically involves extending a distinguisher forward and backward with probability 1 for some rounds and recovering the key involved in the extended part. Particularly in rectangle attacks, a holistic key recovery strategy can be employed to yield the most efficient attacks tailored to a given distinguisher. In this paper, we treat the distinguisher and the extended part as an integrated entity and give a one-step framework for finding rectangle attacks with the purpose of reducing the overall complexity or attacking more rounds. In this framework, we propose to allow probabilistic differential propagations in the extended part and incorporate the holistic recovery strategy. Additionally, we introduce the “split-and-bunch technique” to further reduce the time complexity. Beyond rectangle attacks, we extend these foundational concepts to encompass differential attacks as well. To demonstrate the efficiency of our framework, we apply it to Deoxys-BC-384, SKINNY, ForkSkinny, and CRAFT, achieving a series of refined and improved rectangle attacks and differential attacks. Notably, we obtain the first 15-round attack on Deoxys-BC-384, narrowing its security margin to only one round. Furthermore, our differential attack on CRAFT extends to 23 rounds, covering two more rounds than the previous best attacks.
You have full access to this open access chapter, Download conference paper PDF
Keywords
1 Introduction
Differential cryptanalysis, proposed by Biham and Shamir [BS91] in 1991, is one of the most efficient and powerful cryptanalysis for symmetric ciphers. In differential cryptanalysis, the adversary aims to discover the in-homogeneity in high-probability occurrences of plaintext and ciphertext differences, i.e., high-probability differentials. For a certain block cipher, if an r-round high-probability differential is found, one could add some outer rounds and extract the information of the key in the outer rounds using the differential.
However, it is a challenging task to find a long differential trail with high probability for most ciphers. To this, Wanger proposed the boomerang attack [Wag99] in 1999 as an extension of differential cryptanalysis. In a boomerang attack, two short differential trails are combined to form a long one. The basic boomerang attack requires adaptive chosen plaintexts and ciphertexts. In [KKS00], Kelsey et al. converted it into a chosen-plaintext variant, which was named the amplified boomerang attack. Later, Biham et al. [BDK01] made further improvements on the amplified boomerang attack by proposing the rectangle attack, which takes into account as many differences as possible in the middle of the distinguisher to estimate the probability more accurately. Since then, the boomerang and rectangle attacks have been extensively studied and applied to many block ciphers. For example, boomerang attacks on full AES-192 and AES-256 in the related-key setting were proposed in [BK09, DEFN22]; the best cryptanalysis results so far on Deoxys [BL23], SKINNY [SZY+22], and GIFT [DQSW22] were all based on boomerang attacks or rectangle attacks.
In either differential attacks or rectangle attacks, it is common to take two steps to mount key recovery attacks. The first step is to find a high-probability distinguisher covering a large number of rounds. To this end, many approaches have been proposed in the literature [Mat94, MP13, SHW+14, HBS21, DDV21]. Once a high-probability distinguisher is obtained, then in the second step, the distinguisher is extended backward and forward over some rounds with probability 1 for the key recovery attack. In recent years, many studies focused on achieving key recovery attacks as efficiently as possible for a given distinguisher. For differential attacks, Boura et al. [BDD+23] introduced a novel method that recovers the key in a meet-in-the-middle manner, which brought out improved results on block ciphers SKINNY-128-384 and AES-256. For rectangle attacks, various algorithms have been proposed for the key recovery [BDK01, BDK02, ZDJ19, DQSW21, SZY+22], each of which follows a different strategy for guessing the key. Among them, the unified key recovery algorithm proposed in [SZY+22] supports any strategy for guessing the key and covers all the previous algorithms. Most notably, this algorithm is able to produce the most efficient key recovery attack for a given distinguisher. As a result, it led to the state-of-the-art results of rectangle key recovery attack on Serpent [ABK98], CRAFT [BLMR19], SKINNY [BJK+16] and Deoxys [JNPS16].
However, prior research has demonstrated that the best distinguisher does not necessarily yield the most effective key recovery attack [LGS17, ZDC+21, QDW+21]. This phenomenon is even not limited to differential attacks and rectangle attacks [SSD+18, HSE23]. These studies have revealed that distinguishers are more conducive to key recovery attacks when their input and output differences exhibit sparsity and slow diffusion in the extended rounds. In [ZDC+21], the authors specifically sought differentials that were more favorable for key recovery, while [QDW+21] incorporated both the rectangle distinguisher and the extended part in their modeling to find better attacks.
Motivation. Previous research offers valuable insights that inform our work.
-
The effectiveness of a key recovery attack hinges not only on the probability of the distinguisher but also on the differential propagation in the outer rounds. Slower diffusion of differences in the outer rounds tends to yield better results.
-
The key recovery is likely to be more efficient when the outer rounds involve fewer key bits.
-
The choice of key guessing strategy significantly influences the complexity of the key recovery attack.
Despite the key recovery algorithm in [SZY+22] offering the best rectangle attacks for a given distinguisher, we are prompted to explore whether there is room for improving rectangle attacks further when we treat the distinguisher and the extended part as a whole and meanwhile incorporate the lessons mentioned above. Additionally, we are curious whether similar advancements can be applied to differential attacks.
Our Contributions. In this work, we treat the distinguisher and the extended part as a whole and present a one-step framework for finding rectangle attacks. Instead of extending the distinguisher forward and backward with probability 1, we introduce probabilistic differential propagations in the extended part. Traditionally, the extended part only contained deterministic truncated differentials, but now it can include probabilistic (truncated) differential propagations as well. Since the probability of the extended part may be smaller than 1, we refer to the part relevant to the key recovery phase as the outer part and the remaining part as the inner part.
The effects of probabilistic extensions are multifaceted
-
Probabilistic extensions help make differences in the outer part sparse, which potentially reduces the time complexity or covers more rounds.
-
The boundaries separating the inner part and the outer part are no longer predefined and not necessarily well-aligned. Instead, they are dynamically determined in conjunction with the probabilistic extensions
-
The data complexity is then determined by the overall probability.
To further optimize the time complexity, we propose the split-and-bunch technique. When probabilistic extensions are used, differences in the outer part become sparse and certain key bits may form intricate connections with the inner part. In cases where we can identify a compressed representation of these connections, we can isolate and replace these key bits with this compressed version. As a result, the actual number of involved key bits decreases, leading to reduced time complexity.
Moreover, our framework incorporates the holistic key recovery strategy, i.e., the method of finding the best key recovery attack by choosing a proper key guessing strategy.
The main ideas of this framework are not limited to rectangle attacks but can also be applied to differential attacks. We apply the framework to several block ciphers and obtain the following results, which are summarized in Table 1.
-
We provide improved 14-round rectangle attacks on Deoxys-BC-384 and introduce the first attack on 15 rounds, reducing the security margin to just one round.
-
The data and time complexities of the 26-round rectangle attack on SKINNY-128-256 are reduced. Similar improvements can be made on the 28-round attack on ForkSkinny-128-256. The details can refer to the full version [SYC+24] of the paper.
-
We propose differential attacks on CRAFT with up to 23 rounds in the single-key setting, which is two rounds more than the previous best attacks.
Organization. The rest of the paper is organized as follows. In Sect. 2, we review differential attacks, rectangle attacks, and the key recovery algorithms. In Sect. 3, probabilistic extensions will be introduced via examples, and the one-step framework will be given. In Sect. 4, we apply our framework to several block ciphers. We conclude this paper in Sect. 5.
2 Preliminaries
2.1 Differential Attacks
Differential cryptanalysis [BS91] is a technique used to analyze the propagation of difference through a cipher \(E:\mathbb {F}_2^n\rightarrow \mathbb {F}_2^n\). Typically, an attacker aims to find a differential \((\alpha ,\delta )\in \mathbb {F}_2^n\times \mathbb {F}_2^n\) such that the probability \(Pr(\alpha \rightarrow \delta ) = Pr\bigl [E(x) \oplus E(x \oplus \alpha ) =\delta \bigr ]\) is high. Since E is a permutation, it follows that \(Pr(\alpha \rightarrow \delta )=Pr(\alpha \leftarrow \delta )\). A truncated differential [Knu95] is characterized by a set of input differences \(\mathcal {D}_{i}\) and a set of output differences \(\mathcal {D}_{o}\) and the probability \(Pr(\mathcal {D}_{i}\rightarrow \mathcal {D}_{o})\) is defined as \(\text {Avg}_{\alpha \in \mathcal {D}_i} Pr\bigl [E(x) \oplus E(x \oplus \alpha ) \in \mathcal {D}_o \bigr ].\) Note that \(Pr(\mathcal {D}_{i}\rightarrow \mathcal {D}_{o})\) and \(Pr(\mathcal {D}_{i}\leftarrow \mathcal {D}_{o})\) are usually not equal. Typical sets for truncated differentials often involve patterns where some bits can take on all possible values, while others are constrained to be zero.
In differential-like attacks, a distinguisher is extended backward and forward with probability 1 over some rounds. The goal of these attacks is to recover the key used in the extended rounds. Essentially, the differential in the extended rounds is actually truncated differentials with probability 1. These types of attacks are designed to understand how differences propagate with a high degree of certainty, allowing for the identification of key bits used in those rounds.
Key Recovery Attacks. Suppose a differential \(\alpha \rightarrow \delta \) over \(E_d\) is of high probability P. Suppose \(E_b\) and \(E_f\) are added around \(E_d\), as shown in Fig. 1.
The input difference of \(E_d\) \(\alpha \) propagates back over \(E_b^{-1}\) with probability \(P_b=1\) to \(\alpha '\). Let \(V_b\) be the space spanned by all possible \(\alpha '\) where \(r_b=\log _2|V_b|\). The output difference \(\delta \) of \(E_d\) propagates forward over \(E_f\) with probability \(P_f=1\) to \(\delta '\). Let \(V_f\) be the space spanned by all possible \(\delta '\) where \(r_f=\log _2|V_f|\). Let \(k_b\) be the subset of subkey bits that are employed in \(E_b\) and affect the propagation \(\alpha '\rightarrow \alpha \). Let \(k_f\) be the subset of subkey bits which are employed in \(E_f\) and affect the propagation \(\delta \leftarrow \delta '\). Let \(m_b=|k_b|\) and \(m_f=|k_f|\) be the number of the bits in \(k_b\) and \(k_f\).
In a key recovery attack, some key bits may be guessed in advance to sieve the data faster. Suppose a part of \(k_b\) and \(k_f\), denoted by \(k'_b\), \(k'_f\), is guessed at first. Let \(m_b'=|k_b'|\) and \(m_f'=|k_f'|\) and \(0\le m'_b\le m_b,0\le m'_f\le m_f\). Suppose under the guessed subkey bits a \(r'_b\)-bit condition on the top and a \(r'_f\)-bit condition on the bottom can be verified. Finally, let \(r^*_b = r_b-r'_b\) and \(r^*_f = r_f-r'_f\). Note that the other parameters are determined when \(k'_b\), \(k'_f\) are chosen.
In [SYL23], a unified key recovery algorithm for differential attack was proposed and the details can refer to Appendix A.1 in the full version [SYC+24] of the paper. With \(k'_b\), \(k'_f\) being guessed at first, the complexities of the differential attack are as follows.
Complexities. A plaintext structure takes all possible values for the \(r_b\) bits and chooses a constant for the remaining \(n-r_b\) bits. For one structure, there are \(2^{2r_b-1}\) pairs of plaintext and \(2^{r_b-1}\) of them satisfy \(\alpha \) difference by meeting the \(r_b\)-bit condition. Suppose the number of the structures needed is y which y structures can constitute \(y\cdot 2^{r_b-1}\) pairs that satisfy \(\alpha \) difference. Set s to be the number of right pairs, then \(y\cdot 2^{r_b-1}=s\cdot P^{-1}\) and the data complexity \(D=y\cdot 2^{r_b}=2s\cdot P^{-1}\). The memory complexity is \(M=\max \{D,2^{t+m_b+m_f-m'_b- m'_f}\}\) for storing the data and key counters where \(0\le t\le m'_b+m'_f\).
The time complexity of the differential attack contains four parts:
-
\(T_0=2^{m'_b+m'_f}\times D\) for partial encryption and decryption under the guessed key bits;
-
\(T_1=2^{m'_b+m'_f}\times D\times 2^{r_b-1+r_f-n-r'_b-r'_f}\) for getting the pairs that satisfy some filtering conditions;
-
\(T_2=D\cdot 2^{m_b+ m_f-n-1}\cdot \epsilon ,\epsilon \ge 1\) for extracting all the \(D\cdot 2^{m_b+ m_f-n-1}\) key candidates where \(\epsilon \) depends on the concrete situation;
-
\(T_3=2^{k-h}\), where \(h\le {t+m_{b}+m_{f}-m_{b}'-m_{f}'}\) for the exhaustive search.
2.2 Rectangle Attacks
In a boomerang attack, the target cipher is treated as a composition of two sub-ciphers \(E_0\) and \(E_1\), i.e., \(E=E_1 \circ E_0\). As illustrated in Fig. 2, the differential trail \(\alpha \rightarrow \beta \) travels in \(E_0\) with probability p, and the differential trail \(\gamma \rightarrow \delta \) travels in \(E_1\) with probability q, respectively. Then the probability of the boomerang distinguisher is
The basic boomerang attack requires adaptive chosen plaintexts and ciphertexts. As a refinement of the boomerang attack, the rectangle attack requires only chosen plaintexts and considers as many differences as possible in the middle.
Since the boomerang attack was proposed, a series of studies have emerged focusing on the analysis of the connection probability. The probability \(p^2q^2\) of a boomerang distinguisher is obtained under the assumption that the two differentials are independent. However, the probability may deviate from \(p^2q^2\) on some concrete ciphers [BK09, Mur11], which demonstrates the dependency between the two differentials for boomerang attack. Instead of splitting the target cipher into two sub-ciphers, Dunkelman et al. [DKS10, DKS14] proposed to split it into three sub-ciphers and estimate the probability as \(p^2q^2r\) where r is the exact probability of the middle part, i.e., the connection probability. That is also known as the sandwich attack. Later in [CHP+18], the dependency issue in boomerang distinguishers was revisited, and a tool named Boomerang Connectivity Table (BCT) was proposed. Immediately after, a generalized framework of BCT is given in [SQH19], which allows the probability r to be calculated systematically.
2.3 Key Recovery of Rectangle Attacks
The key recovery of rectangle attacks has been extensively studied in [BDK01, BDK02, ZDM+20]. Each of these works proposed its own key recovery algorithm that uses a fixed strategy for guessing key bits and the performance varies from cipher to cipher.
Recently in [SZY+22], a unified framework was put forward for finding the best rectangle attack for a given distinguisher. It contains a generic key recovery algorithm and a strategy for finding the best attack. The algorithm covers all the previous key recovery algorithms, as it supports any strategies for guessing key bits or utilizing the filters. Among all the strategies, there will be a certain one leading to an optimal attack. We call this method of finding the best key recovery attack by choosing a proper strategy the holistic key recovery strategy.
Suppose we treat a target cipher as \(E=E_{f}\circ E_d\circ E_{b}\), where there is a boomerang distinguisher over \(E_d\) of probability \(P^2\). As in differential attacks, a part of \(k_b\) and \(k_f\), denoted by \(k'_b\), \(k'_f\), is guessed at first, and \(m_b'=|k_b'|\) and \(m_f'=|k_f'|\). Similarly, with the guessed subkey bits, a \(r'_b\)-bit condition on the top and a \(r'_f\)-bit condition on the bottom can be verified. Following the generic key recovery algorithm, which can refer to Appendix A.2 in the full version of the paper, the complexities of the rectangle attack are as follows.
Complexities. The data complexity is \(D=\sqrt{s}2^{n/2+1}/P\) where s is the expected number of right quartets. The memory complexity is \(M=f_M(D,k'_b, k'_f)=D+min\{D\cdot 2^{r_{b}^*-1},D^2\cdot 2^{r_{f}^*-n-1}\}+2^{t+m_{b}+m_{f}-m_{b}'-m_{f}'}\) for storing the data, the pairs and the key counters, where \(0\le t\le m'_b+m'_f\). The time complexity \(T=f_T(D,k'_b, k'_f)\) is composed of four parts. The time complexity of collecting data is \(T_0=D\), the time complexity of doing partial encryption and decryption under guessed key bits is
the time complexity of generating pairs is
the time complexity of generating and processing quartet candidates is
where \(\epsilon \) is a factor that depends on the cipher,
and the time complexity of the exhaustive search is \(T_{4}=2^{k-h}\), where \(h\le {t+m_{b}+m_{f}-m_{b}'-m_{f}'}.\)
Remark. In essence, the holistic key recovery strategy is to find a proper choice for \(k'_b,k'_f\) such that the four parts of the time complexity are balanced and that the overall time complexity is minimized under constraints for data and memory.
3 A One-Step Framework for Finding Rectangle Attacks
In this section, we present our one-step framework for finding rectangle attacks. To begin, we use some examples from a toy cipher to convey the essential notions of the probabilistic extensions and the split-and-bunch technique. Subsequently, we provide a concise overview of the holistic key recovery strategy. By leveraging these concepts, we present a one-step framework for rectangle attacks, which is likewise applicable to differential attacks.
3.1 Probabilistic Extensions
In a classical differential key recovery attack, some rounds are added around the differential distinguisher \(\alpha \rightarrow \delta \), as shown in Fig. 1. The \(\alpha \) difference propagates to \(\alpha '\) via \(E_b^{-1}\) with probability 1, and the \(\delta \) difference propagates to \(\delta '\) via \(E_f\) with probability 1. It is natural to consider what occurs when difference propagates probabilistically in the outer parts. The following are examples to illustrate the impact of probabilistic extensions on the data and time complexities. For simplicity, none of the key bits are guessed in advance and the analysis of the memory complexity is omitted in the examples.
We suppose that the round function of the 128-bit toy cipher is the same as AES and the key schedule is rather simple. Each round uses the 128-bit master key K as the round key \(RK_i\). The ordering of the bytes in the state matrix is as follows.
Example 1
Suppose the probability of the inner part is \(P_d\), and append 3 rounds. These three rounds are depicted in Fig. 3. The parameters of the attack are \(n=128,k=128,m_b=r_b=0,m_f=r_f=128\).
According to Sect. 2.1, the data complexity is \(D=2s\cdot P_d^{-1}\). From D plaintexts, there are \(D\cdot 2^{r_b+r_f-n-1}\) pairs satisfying the plaintext difference and ciphertext difference. Thus the time complexity for constructing pairs is \(T_1=2^{-1}\cdot D\). As there will be \(2^{-1}\cdot D\cdot 2^{m_f-r_f}=2^{-1}\cdot D\) suggestions for \(k_f\) in total, the time complexity for extracting key candidates is \(T_2=D\cdot 2^{-1}\cdot \epsilon \). We pre-compute several tables as illustrated in Table 2, so that \(\epsilon \) is equivalent to about \(2^{24}\) memory accesses. As the time complexity for the exhaustive search is flexible, we assume it is not dominant. Therefore, the overall time complexity is \(T=T_2=2^{-1}\cdot D\cdot 2^{24}=2^{24}\cdot s\cdot P_d^{-1}\) memory accesses.
Example 2
Different from Example 1, in this example the \(\delta \) difference propagates to \(\delta '\) via \(E_f\) with probability \(P_f=2^{-16}\). As shown in Fig. 4, the probability comes from two inactive bytes of \(W_{r+1}\), i.e., \(W_{r+1}[6,7]\). The effect is that fewer bytes are activated afterward. The parameters of the attack are \(n=128,k=128,m_b=r_b=0,m_f=128,r_f=72\).
The data complexity is \(D=2s\cdot (P_dP_f)^{-1}\). The time complexities are \(T_1=D\cdot 2^{0+72-128-1}=2^{-57}\cdot D\), \(T_2=D\cdot 2^{-57}\cdot \epsilon \). We pre-compute several tables as illustrated in Table 3, so that \(\epsilon \) is equivalent to about \(2^{40}\) memory accesses. The overall time complexity is \(T_2=2^{-57}\cdot D\cdot 2^{40}=s\cdot P_d^{-1}\) memory accesses.
Comparison Between Example 1 and Example 2. Example 1 uses traditional deterministic extensions in which the \(\delta \) difference propagates to \(\delta '\) via \(E_f\) with probability 1. On the contrary, Example 2 uses probabilistic extensions in which the \(\delta \) difference propagates to \(\delta '\) via \(E_f\) with probability \(P_f=2^{-16}\).
Increasing the Data Complexity. The data complexity for the case with probabilistic extensions is \(P_f^{-1}=2^{16}\) times the data complexity with deterministic extensions. In other words, the data complexity of the attack is determined by the overall probability \(P_dP_f\) rather than by the probability \(P_d\) only.
Decreasing the Time Complexity. The time complexity of Example 1 is \(2^{24}\cdot s\cdot P_d^{-1}\) and it is \(s\cdot P_d^{-1}\) for Example 2. By using the probabilistic extensions, the time complexity is reduced by a factor of \(2^{24}\). Thus, probabilistic extensions are a technique that not only trades off data against time but may also have a gain as \(2^{24}>2^{16}\).
Flexible Boundaries. Different from the classical attack in which the boundaries between the inner and outer parts are fixed and well-aligned, the boundaries are flexible when probabilistic extensions are allowed. For a specified round, it is possible that some S-boxes belong to the inner part while others belong to the outer part. More interestingly, probabilistic differential transitions and deterministic differential transitions may occur simultaneously in the outer part and they may be even interleaved, the attack on SKINNY-128-256 can refer to Sect. 4.2 in the full version of the paper. Thus, there are no predefined boundaries. The boundaries will depend on differential transitions.
Increasing the Number of Filters and Earlier Usage. On one hand, the utilization of probabilistic extensions leads to an expansion of the total number of filter bits, growing from n to \(n+\log _2P_f^{-1}\). On the other hand, the filters appear earlier than before in the key recovery attack. The ability to employ filters at an earlier stage significantly enhances the efficiency of key candidate extraction, providing a reduction in the time complexity.
Remarks. Allowing probabilistic extensions essentially enables probabilistic differential propagations in the outer parts, which is the focus of key recovery.
-
It is clear that the data complexity is related to the overall probability. Probabilistic extensions can strike a harmonious balance between data complexity and time complexity. However, it is important to note that probabilistic extensions do not necessarily increase data complexity in the search for a globally optimal attack, as exemplified by the attack on Deoxys-BC-384 in Sect. 4.1.
-
Employing probabilistic extensions has the potential to reduce the density of active cells in the outer parts while simultaneously increasing the number of available filters. Notably, the probabilistic differential transitions are flexibly distributed in the outer parts and they do not have to connect to the differential trail over the inner part directly. This flexibility facilitates the adaptable selection of filters, ultimately resulting in improved time complexity.
-
These extensions can be applied to \(E_b\) as well. Setting \(P_b\ge 1\), \(P_f\ge 1\) makes the probabilistic extensions cover the traditional deterministic extensions. Different extensions lead to different placements of filters. Among all possible extensions, there may be some that lead to more efficient key recovery attacks, in terms of time complexity or the number of rounds that can be attacked, compared to what deterministic extensions can achieve. Our applications to concrete ciphers will confirm this. Importantly, although our examples in this section primarily pertain to differential attacks, these same principles are applicable to rectangle attacks as well.
3.2 The Split-and-Bunch Technique
From Example 2, it is known that using probabilistic extensions brings the filters closer to the ciphertext, but the involved keys are the same. In this example, the last step is to verify \(\varDelta X_{r+1}[3,4,9]\). To compute this 3-byte difference, one has to know the values of \(W_{r+1}[6,7]\). However, another 56 key bits, i.e., \(eqtk[8,10\sim 15]\) are required to compute \(W_{r+1}[6,7]\) from the ciphertext. In other words, the 56-bit key brings the final 24-bit filter. Therefore, the remaining pairs expand by a factor of \(2^{32}\) as shown in Table 3. A question arises: Does the 56-bit key have to be traversed? To answer this question, we start with an observation on Example 2.
Observation 1
Let \(k_f=k_f^1||k_f^2\) with \(m_f^1=72\) and \(m_f^2=56\). For one pair of ciphertexts, if we traverse all possible values of the 16-bit \(W_{r+1}[6,7]\) without trying all possible values of the 56-bit \(k_f^2\), we can find that:
-
For the right \(k^1_f\), when a right pair takes the right values in the two bytes, it makes the counter plus one. Traversal must cause the right value to be taken, so the number of suggestions for the right subkey is the same.
-
For a wrong pair, the number of suggestions for the wrong key is equal to expanding the number of pairs by a factor of \(2^{16}\).
We call this technique a split-and-bunch technique. Let e be the average number of suggestions for a wrong key \(k_f\) when the split-and-bunch technique is not used. When it is used, the number of suggestions for a wrong \(k^1_f\) is expanded by a factor of \(2^{m_e}=2^{16}\) from e, i.e., it is \(e\cdot 2^{m_e}\), while the number of suggestions for the right \(k^1_f\) is \(s+e\cdot 2^{m_e}=s+e\cdot 2^{16}\).
In Example 2, the whole key is involved in \(E_f\), i.e., \(m_f=128\). In total we will get \(D\cdot 2^{m_f-n-1}=D\cdot 2^{-1}\) suggestions for 128-bit \(k_f\). On average, the number of suggestions for a wrong subkey is \(e=D\cdot 2^{-129}=P_d^{-1}\cdot s\cdot 2^{-128}\le 1\), while it is \(s+e\) for the right subkey.
When we use the split-and-bunch technique and set counters only for the \(m_f^1=72\) key bits, we will get \(D\cdot 2^{-57}\cdot 2^{16}=D\cdot 2^{-41}\) suggestions for 72-bit \(k_f\). Thus the number of suggestions for a wrong \(k^1_f\) is \(e'=2^{-41-72}\cdot D=P_d^{-1}\cdot s\cdot 2^{-112}\), while it is \(s+e'\) for the right \(k^1_f\), where \(e'=2^{m_e}\cdot e\). Thus, \(m_e=16\) is called the number of expansion bits. When e and \(e'\) are enough small, one could use the split-and-bunch technique to decrease the time complexity. The following example gives a better illustration.
Example 3
we use the split-and-bunch technique for this attack, as shown in Fig. 4. The number \(m_f\) of the involved key \(k_f\) in \(E_f\) is 72. The other parameters are \(n=128,k=128,m_b=r_b=0,r_f=72,m_e=16\).
The data complexity is \(D=2s\cdot (P_dP_f)^{-1}\). The time complexities are \(T_1=D\cdot 2^{72-128-1}=2^{-57}\cdot D\), \(T_2=D\cdot 2^{-57}\cdot \epsilon \). We pre-compute several tables as illustrated in Table 4, so that \(\epsilon \) is equivalent to about \(2^{8}\) memory accesses. The overall time complexity is \(T=T_2=2^{-49}\cdot D=2^{-32}\cdot s\cdot P_d^{-1}\) memory accesses.
Comparisons Between Example 2 and Example 3. Example 3 uses the split-and-bunch technique and the time complexity is \(T=2^{-49}\cdot D=2^{-32}\cdot s\cdot P_d^{-1}\), which reduces the time complexity of Example 2 by a factor \(2^{-32}\).
Decreasing the Time Complexity. The split-and-bunch technique reduces the time complexity further. This technique splits the key bits into two distinct categories: friendly key bits and unfriendly key bits. The former facilitates the efficient application of filters, while the latter, albeit intricately connected to some filters, can map to values comprising only a limited number of bits (i.e., \(m_e\) bits). Rather than directly trying all possibilities of the unfriendly key bits themselves, we streamline the process by traversing the \(m_e\)-bit value, ensuring that the correct key is not overlooked. Consequently, the split-and-bunch technique results in an expansion of the counter value for incorrect keys but simultaneously reduces the overall number of key suggestions. This deliberate trade-off effectively minimizes the overall time complexity.
When Counters are Not Used. Differential attacks are possible without using counters in some cases, for example, using enumeration [Din14]. The split-and-bunch can also be used and may provide an improvement. Suppose we split at an \(m_e\)-bit state, after which key extraction becomes two parts. If the complexity of key extraction for each part is reduced by more than \(2^{m_e}\), then split-and-bunch can provide an improvement.
3.3 Holistic Key Recovery Strategy
Probabilistic extensions fit well with the unified key recovery algorithm from [SZY+22]. However, the situation for the holistic key recovery strategy is different. Previously, the holistic key recovery strategy was considered in cases where a boomerang distinguisher was given. Hence, the boundaries between the inner and outer parts are clear and well-aligned. The only task is to find a proper set of key bits to be guessed in advance so that the overall time complexity is optimized.
On the contrary, the boundaries are not predetermined when probabilistic extensions are allowed. Instead, the boundaries and the set of guessed key bits should be determined together. That is, the situation for the holistic key recovery strategy is more generic in the presence of probabilistic extensions. To apply the holistic key recovery strategy, one needs to determine the involved key bits \(k_b,k_f\) from the boundaries, the guessed key bits \(k'_b, k'_f\), and other parameters affected by \(k'_b, k'_f\), including the obtained filters.
3.4 The Framework for Rectangle Attacks
Previously, one looked for the best rectangle attack for a given distinguisher. In this subsection, we present the one-step framework for rectangle attacks where the distinguisher and the extended part are considered together as a whole. The framework has four components: the unified key recovery algorithm, the holistic key recovery strategy, the core part, and the probabilistic extensions. In practice, we search for a cell-wise active pattern with the overall time complexity of the attack as the objective function and then instantiate it. As the treatment of the core part remains as in previous rectangle attacks, we focus on the upper and lower parts where probabilistic extensions occur and the determination of the boundaries is needed. Next, we present a constraint programming model for these parts.
Suppose the boomerang distinguisher \(\alpha \rightarrow \delta \) over the middle part \(E_d\) has probability \(P_d^2\). Suppose \(\alpha \) propagates backward to \(\alpha '\) with probability \(P_b\le 1\) and \(\delta \) propagates backward to \(\delta '\) with probability \(P_f\le 1\). The data complexity depends on these probabilities. Besides the probabilities, another important factor is the boundaries between the inner and outer parts since they mark the positions the key recovery phase has to reach and also determine the involved keys \(k_b,k_f\).
Data Complexity. The probability for the whole attack is \(P^2=P_b^2P_d^2P_f^2\). We will show the formula for the data complexity remains as \(D=\sqrt{s}2^{n/2+1}/P\). Each plaintext structure takes all possible values for the \(r_b\) bits and chooses a constant for the remaining \(n-r_b\) bits. For each structure, there are \(2^{2r_b-1}\) pairs of plaintext with difference in \(V_b\) and \(P_b\cdot 2^{r_b-1}\) of them satisfy \(\alpha \) difference. That is equal to a \((\log _2{P_b^{-1}}+r_b)\)-bit condition. The distinguisher over the inner part has probability \(P_d^2\), the number of quartets satisfying the input difference \(\alpha \) should be at least \(sP_d^{-2}2^n\) for a rectangle attack, where s is the expected number of right quartets. Suppose the number of structures needed is y. These structures can constitute \(2\cdot \genfrac(){0.0pt}1{y\cdot P_b\cdot 2^{r_b-1}}{2}\) quartets that satisfy \(\alpha \) difference. Due to the output difference of \(E_d\) \(\delta \) propagating forward over \(E_f\) with probability \(P_f\) to \(\delta '\), a right quartet propagates forward over \(E_f\) with probability \(P_f^2\). Thus we get \(2\cdot \genfrac(){0.0pt}1{y\cdot P_b\cdot 2^{r_b-1}}{2}\cdot P_f^2=sP_d^{-2}2^n\). Then \(y=\sqrt{s}2^{n/2-r_b+1}/P\) and the data complexity is \(D=y\cdot 2^{r_b}=\sqrt{s}2^{n/2+1}/P\).
Labels. Due to the probabilistic extensions, there is a mix of concrete differences and truncated differences in the extended parts. For each cell of the internal state, we use two labels to describe its difference: \((x,y)\in \{(0,0), (1,0), (1,1)\}\), where
-
inactive, denoted by \((x,y)=(0,0)\) or ;
-
active with a fixed non-zero difference, denoted by \((x,y)=(1,0)\), or ;
-
active with an arbitrary (truncated) difference, denoted by \((x,y)=(1,1)\) or .
Additionally, we use a label v to denote if the value of the cell is needed to verify the distinguisher. If it is, we denote by \(v=1\) and \(v=0\) otherwise. Then the labels will help to identify the boundaries as well as the probabilities \(P_b,P_f\) of the extension.
Boundaries and \(P_b,P_f\). We take the forward extension as an example. The same techniques apply to the backward extension but in a reverse direction. There are several cases that happen with a probability.
-
For the S-box layer, the probabilistic extension involves two cases: and . The number of such cases can be computed by
$$\begin{aligned} \sum _i (O_i.x-O_i.y), \end{aligned}$$(1)where \(O_i.x,O_i.y\) are labels for the output cells of the S-box layer.
If the transition is , then the output of the S-box is needed for the verification, i.e., \(O.v=1\) for the output. Besides, \(O.v= I.v\). Meanwhile, the fixed input difference acts as a one-cell filter.
-
For the linear layer, where each output cell is a linear combination of some input cells, the probabilistic extension happens when truncated differences exist in the input but the output is a fixed difference. This fixed difference happens with a probability. Let \(T=1\) if some \(I_i.y=1\) and \(T=0\) if all \(I_i.y=0\). The number of such cases can be obtained by
$$\begin{aligned} \sum (T-O.y). \end{aligned}$$(2)Conversely, each input cell is a linear combination of some output cells. If \(v=1\) for the input cell, then the values for the involved output cells are also needed.
Now \(P_b,P_f\) can be computed (or estimated) by considering Eqs. (1) and (2) together. The outer parts are composed of those internal state cells with label \(v=1\) as well as the operations and functions on them. This implies the boundaries. Then \(k_b,k_f\) are those key bits that are needed for determining the internal state cell with label \(v=1\).
Guessing the Key and Filters. The holistic key recovery strategy uses the guess-and-determine logic, which can be modeled as follows. For each key addition, if the key is guessed (a key cell in \(k_f\)) and the output is known, then the input can be determined. Therefore, we introduce another label d for each state cell to denote if it is determined. For each key cell, we introduce a label g to denote if it is guessed. We then have \(I.d=1\) when \((K.g=1)\wedge (O.d=1)\) for \(I\oplus K=O\). Then the determination can proceed backward naturally. For a linear operation, a filter is reached under the following conditions: (1) its output contains truncated cells, (2) the difference of an input cell can be determined, and (3) this input difference has a fixed difference. For the S-box, if the input can be determined and the input difference is fixed, then we have a filter. Finally, the number of filters \(r'_f\) can be computed by recording such cases and the number of guessed keys \(k'_f\) can be computed by counting distinct key cells with \(g=1\).
Constraints for the Complexities. The constraints for the data and memory complexities can be added, such as \(D<2^n\). The objective is to minimize the overall time complexity as described in Sect. 2.3. The source codes for the constraint programmind model are available here.
3.5 The Framework for Differential Attacks
Similar to the framework for rectangle attacks, a framework for differential attacks can be built, because the basic ideas and all the involved parameters are the same. The only difference lies in the computation of complexities.
4 Applications
In this section, we apply our new framework to Deoxys-BC-384, SKINNY-128-256, and CRAFT block ciphers. For Deoxys-BC-384, using the one-step framework for rectangle attacks obtains a 15-round rectangle attack for the first time, containing a 10-round inner part rather than the longest 11-round one. For SKINNY-128-256, we get a new 26-round rectangle attack with reduced data and time complexities. For CRAFT, we obtain a 21-round differential attack and a 23-round differential attack by the new framework.
4.1 Application to Deoxys-BC-384
Specification. Deoxys-BC is an AES-based tweakable block cipher [JNPS16], based on the tweakey framework [JNP14]. The Deoxys authenticated encryption scheme makes use of two versions of the cipher as its internal primitive: Deoxys-BC-256 and Deoxys-BC-384. Both versions are ad-hoc 128-bit tweakable block ciphers which besides the two standard inputs, a plaintext P (or a ciphertext C) and a key K, also take an additional input called a tweak T. The concatenation of the key and tweak states is called the tweakey state. For Deoxys-BC-384, the tweakey size is 384 bits.
Deoxys-BC is an AES-like design, i.e., it is an iterative substitution-permutation network (SPN) that transforms the initial plaintext (viewed as a \(4\times 4\) matrix of bytes) using the AES round function, with the main differences with AES being the number of rounds and the round subkeys that are used every round. Deoxys-BC-384 has 16 rounds.
Similarly to the AES, one round of Deoxys-BC has the following four transformations applied to the internal state in the order specified below:
-
AddRoundTweakey – XOR the 128-bit round subtweakey to the internal state.
-
SubBytes – Apply the 8-bit AES S-box to each of the 16 bytes of the internal state.
-
ShiftRows – Rotate the 4-byte i-th row left by \(\rho [i]\) positions, where \(\rho =(0, 1, 2, 3)\).
-
MixColumns – Multiply the internal state by the \(4\times 4\) constant MDS matrix of AES.
After the last round, a final AddRoundTweakey operation is performed to produce the ciphertext.
We denote the concatenation of the key K and the tweak T as KT, i.e., \(KT=K||T\). For Deoxys-BC-384, the size of KT is 384 bits, and we denote the first, second and third 128-bit words of KT by \(W_3\), \(W_2\) and \(W_1\), respectively. Finally, we denote by \(STK_i\) the 128-bit subtweakey that is added to the state at round i during the AddRoundTweakey operation. For Deoxys-BC-384, a subtweakey is defined as \(STK_i = TK^1_i \oplus TK^2_i \oplus TK^3_i \oplus RC_i\). The tweakey schedule algorithm is defined as \(TK^1_{i+1} = h(TK^1_i)\), \(TK^2_{i+1} = h(LFSR_2(TK^2_i))\) and \(TK^3_{i+1} = h(LFSR_3(TK^3_i))\), where the byte permutation h is defined as
with the 16 bytes of a tweakey word numbered by the usual AES byte ordering.
14-Round Rectangle Attack on Deoxys-BC-384. By our new one-step framework, we get a 14-round rectangle attack on Deoxys-BC-384 with a 10-round inner part in \(E_d\), 1-round in \(E_b\) and 3-round in \(E_f\), as shown in Fig. 5. Detailed of the 10-round inner part refers to Fig. 11 in the full version of the paper. The probability of \(E_b\) is 1, the probability of \(E_d\) is \(P_d^2=2^{-14\times 2-11.4-7\times 2-14\times 2}=2^{-81.4}\) and the probability of \(E_f\) is \(P_f^2=2^{-8\times 2}\). Thus the probability of the whole rectangle attack is \(P^2=P_b^2P_d^2P_f^2=2^{-97.4}\), and other parameters of the attack are: \(n=128,k=384,m_b=r_b=80,m_f=8\times (16+7+3)=208\) and \(r_f=8\times 13=104.\)
The best guessing parameters are \(m_b'=8\times 10=80,r_b'=8\times 10=80\), \(m_f'=8\times (5+1)=48,r_f'=32\), \(r_b^*=0\) and \(r_f^*=72\), which means guessing 10 bytes of \(k_b\) and 6 bytes of \(k_f\). The 6 bytes of \(k_f\) are \(eqtk_{14}[8,9,10,11,12]\) and \(eqtk_{13}[13]\) respectively. The complexities of our new attack are as followsFootnote 1.
-
The data complexity is \(D_R=4\cdot D=4\cdot y\cdot 2^{r_b}=4\cdot \sqrt{s}\cdot 2^{n/2}/P=4\cdot \sqrt{s}\cdot 2^{48.7+64}=\sqrt{s}\cdot 2^{114.7}\).
-
The memory complexity is \(M_R=D_R+D\cdot 2^{r_b*}+2^{t+m_b+m_f-m_b'-m_f'}=\sqrt{s}\cdot 2^{114.7}+\sqrt{s}\cdot 2^{112.7}+2^{t+160}\).
-
The time complexity \(T_1=2^{m_b'+m_f'}\cdot D_R=\sqrt{s}\cdot 2^{128+114.7}=\sqrt{s}\cdot 2^{242.7};\)
-
\(T_2=2^{m_b'+m_f'}\cdot D=\sqrt{s}\cdot 2^{128+112.7}=\sqrt{s}\cdot 2^{240.7};\)
-
\(T_3=2^{m_b'+m_f'}\cdot D^2\cdot 2^{2r_b^*}\cdot 2^{2r_f^*}\cdot 2^{-2n}\cdot \epsilon =s\cdot 2^{128+112.7\times 2+72\times 2-2\times 128}\cdot \epsilon =s\cdot 2^{241.4}\cdot \epsilon ;\)
-
\(T_4= 2^{m_b'+m_f'-t}\cdot 2^{k+t-m_b'-m_f'-h}=2^{k-h}\).
Processing a candidate quartet to retrieve the rest \(k_f\) can be realized by looking up tables. We pre-compute several tables as illustrated in Table 5, detailed refers to [SZY+22], so that \(\epsilon \) is equivalent to about \(2^{25}\) memory accesses which is around \(2^{25}\times \frac{1}{14} \times \frac{1}{16}=2^{17.19}\) encryption. The time complexity and memory complexity of the tables are related to the involved state bits, the involved subkeys and the filters. The time complexity and memory complexity of the tables are all \(2^{128}\). If we set \(s=4,t=0\), then the data, memory, and time complexities of our attack are \(2^{115.7}\), \(2^{160}\) and \(2^{260.59}\) respectively.
Improved 14-Round Rectangle Attack by the Split-and-bunch Technique. From the time complexity of the 14-round rectangle attack above, we can find that in subtable 6 there are 4 bytes involved subkeys and 0 filter. The number of quartets in this subtable reaches the maximum, making the time complexity of this step dominant.
With the same guessing strategy, by using the split-and-bunch technique, the number of the involved subkeys bits in \(E_f\) is \(m_f=8\times (13+6+3)=176\). And the number of the counts for a wrong key is \(e=D^2\cdot 2^{m_e-2n-16}=s\cdot 2^{225.4+8-272}=s\cdot 2^{-38.6}\ll s\). We get the new \(\epsilon \) as illustrated in Table 6. The time complexity and memory complexity of the tables are \(2^{128}\). It is shown \(\epsilon \) is equivalent to about 2 memory accesses which is around \(2\times \frac{1}{14} \times \frac{1}{16}=2^{-6.81}\) encryption. The memory complexity is \(\sqrt{s}\cdot 2^{114.7}+\sqrt{s}\cdot 2^{112.7}+2^{t+(176+80)-80-48}\). If we set \(s=4,t=0\), then the data, memory and time complexities of our attack are \(2^{115.7}\), \(2^{128}\) and \(2^{243.7}\) respectively.
15-Round Rectangle Attack on Deoxys-BC-384. Using our new framework, we get a 15-round rectangle attack which is equal to add one round after the 14-round rectangle attack, as shown in Fig. 6.
In order to get an effective attack, we also use the split-and-bunch technique in the 15-round rectangle attack. The parameters of the attack are: \(m_b=r_b=80,m_f=8\times (16+13+6+3)=304\) and \(r_f=128\). Due to the key schedule, \(k_b\cup k_f\) contains 376 information bits. The best guessing parameters are \(m_b'=80,r_b'=80\) and \(m_f'=8\times (16+5+1)=176,r_f'=8\times (4+3)=56\), which means guessing the whole subkey of \(k_b\), 16 bytes of \(tk_{15}\), 5 bytes of the equivalent subkey \(eqtk_{14}\) and 1 bytes of the equivalent subkey \(eqtk_{13}\). The complexities of our 15-round attack are as follows:
-
The data complexity is \(D_R=4\cdot D=4\cdot y\cdot 2^{r_b}=4\cdot \sqrt{s}\cdot 2^{n/2}/\tilde{P}=4\cdot \sqrt{s}\cdot 2^{48.7+64}=\sqrt{s}\cdot 2^{114.7}\).
-
The memory complexity is \(M_R=D_R+D\cdot 2^{r_b*}+2^{t+m_b+m_f-m_b'-m_f'}=\sqrt{s}\cdot 2^{114.7}+\sqrt{s}\cdot 2^{112.7}+2^{t+120}\).
-
The time complexity \(T_1=2^{m_b'+m_f'}\cdot D_R=\sqrt{s}\cdot 2^{256+114.7}=\sqrt{s}\cdot 2^{370.7};\)
-
\(T_2=2^{m_b'+m_f'}\cdot D=\sqrt{s}\cdot 2^{256+112.7}=\sqrt{s}\cdot 2^{368.7};\)
-
\(T_3=2^{m_b'+m_f'}\cdot D^2\cdot 2^{2r_b^*}\cdot 2^{2r_f^*}\cdot 2^{-2n}\cdot \epsilon =s\cdot 2^{256+112.7\times 2+72\times 2-2\times 128}\cdot \epsilon =s\cdot 2^{369.4}\cdot \epsilon ;\)
-
\(T_4= 2^{m_b'+m_f'-t}\cdot 2^{k+t-m_b'-m_f'-h}=2^{k-h}\).
Similar to the improved rectangle attack on 14-round Deoxys-BC-384, for \(s\cdot 2^{369.4}\) quartets, \(\epsilon \) is equivalent to about 2 memory accesses which is around \(2\times \frac{1}{14} \times \frac{1}{16}=2^{-6.81}\) encryption. The time complexity and memory complexity of the tables both are \(2^{128}\). If we set \(s=4,t=0\) then the data, memory, and time complexities are \(2^{115.7}\), \(2^{128}\) and \(2^{371.7}\), respectively.
Comparison. The comparison with the previous rectangle attacks is presented in Table 7. A note on how the new attacks are obtained is as follows. We search for the active patterns of the whole attack with the total time complexity of the attack as the objective function in one step and then instantiate these patterns. In order to balance the time complexity and data complexity, we impose some restrictions on the data complexity in the model.
4.2 Application to CRAFT
Specification. CRAFT is a lightweight tweakable block cipher that was introduced by Beierle et al. [BLMR19]. It supports 64-bit plaintexts, 128-bit keys, and 64-bit tweaks. Its round function is composed of involutory building blocks. The 64-bit input is arranged as a state of \(4\times 4\) nibbles. The state is then going through 32 rounds \(\mathcal {R}_i, i\in {0,\cdots , 31}\), to generate a 64-bit ciphertext. As depicted in Fig. 7, each round, excluding the last round, has five functions, i.e., MixColumn (MC), AddRoundConstants (ARC), AddTweakey (ATK), PermuteNibbles (PN), and S-box (SB). The last round only includes MC, ARC and ATK, i.e., \(\mathcal {R}_{31}=\texttt {ATK}_{31}\circ \texttt {ARC}_{31}\circ \texttt {MC}\), while for any \(0\le i \le 30\), \(\mathcal {R}_{i}=\texttt {SB}\circ \texttt {PN} \circ \texttt {ATK}_{i}\circ \texttt {ARC}_{i}\circ \texttt {MC}\).
The tweakey schedule of CRAFT is rather simple. Given the secret key \(K=K_0\Vert K_1\) and the tweak \(T\in \{0,1\}^{64}\), where \(K_i\in \{0,1\}^{64}\), four round tweakeys \(TK_0=K_0\oplus T\), \(TK_1=K_1\oplus T\), \(TK_2=K_0\oplus Q(T)\) and \(TK_3=K_1\oplus Q(T)\) are generated, where Q is a nibble-wise permutation. Then at the round \(\mathcal {R}_i\), \(TK_{i\%4}\) is used as the subtweakey.
21-Round Differential Attack on CRAFT. By using our new framework, we obtain a 21-round differential attack on CRAFT, as depicted in Fig. 8, which contains a 14-round inner part, 3-round in \(E_b\) and 4-round in \(E_f\). The input difference is 0a00000000a000a0 and the output difference is 0a0000?000x000x0. The probability of the inner part is \(P=2^{-54}\) and for a random permutation, the probability is \(2^{-56}\). This inner part uses a 2-round invariant property of CRAFT proposed in [GSS+20] when the tweak T satisfies the conditions \(T[6]\oplus K[12]\in \{0x0,0xa\}\) and \(T[12]\oplus K[12]\in \{0x0,0xa\}\) the difference 0xa propagates 2-round to 0xa with probability 1, detailed can refer to Appendix C in the full version of the paper. This is a single-key model with some conditions in tweak T.
In this attack, we build \(2^{x}\) structures for each value of T[6] with the tweak T satisfying \(T[6]=T[12]\). For each T[6], we perform the following steps.
-
1.
We build \(2^{x}\) structures that \(Y_0[0,3,4,8,11,12,13,14]\) traverse all possible values while the other cells are fixed to some random constants. The data complexity is \(D_0=2^{x+32}\). By using \(2^{x+32}\) plaintexts, there are \(N_0=2^{x}\cdot 2^{32\times 2-1}=2^{x+63}\) pairs of plaintexts. The expected number of the remaining pairs of ciphertexts are \(N_1=N_0\cdot 2^{-4\times 8}=2^{x+31}\). The time complexity of this step is \(T_0=D=2^{x+32}\).
-
2.
For each of \(N_1=2^{x+31}\) pairs, determine the key candidates and increase the corresponding counters. We pre-compute several tables as shown in Table 8, so that the time complexity of this step is \(T_1=2^{36}\cdot N_1=2^{x+67}\) which is about \(2^{x+67}\times \frac{1}{21}\times \frac{1}{16}\approx 2^{x+58.61}\) encryption.
-
3.
Exhaustively search the remaining keys.
Set \(x=24.99\), then the data, memory, and time complexities are \(2^{4+24.99+32}=2^{60.99}\), \(2^{92}\) and \(2^{87.60}\), respectively.
23-Round Differential Attack on CRAFT. Expending one round before and one round after the 21-round differential attack, we obtain a 23-round differential attack on CRAFT. As for the 21-round attack, we perform the following steps for each T[6]. For 23-round attack, \(K_1[12]=T[6]=T[12]\).
-
1.
We build \(2^{x}\) structures that \(Y_0[2,3,6,7,8,9,10,12,13,14,15]\) traverse all possible values while the other cells are fixed to some random constants. The data complexity is \(D_0=2^{x+44}\). By using \(2^{x+44}\) plaintexts, there are \(N_0=2^{x}\cdot 2^{44\times 2-1}=2^{x+87}\) pairs of plaintexts. The expected number of the remaining pairs of ciphertexts are \(N_1=N_0\cdot 2^{-4\times 5}=2^{x+67}\) pairs. The time complexity of this step is \(T_0=D=2^{x+44}\).
-
2.
For each of \(N_1=2^{x+87}\) pairs, determine the key candidates and increase the corresponding counters. We pre-compute several tables as shown in Table 9, so that the time complexity of this step is \(T_1=2^{40}\cdot N_1=2^{x+107}\) which is about \(2^{x+107}\times \frac{1}{23}\times \frac{1}{16}\approx 2^{x+98.47}\) encryption.
-
3.
Exhaustively the remaining keys (Fig. 9).
Set \(x=12.99\), then the data, memory, and time complexities are \(2^{4+12.99+44}=2^{60.99}\), \(2^{120}\) and \(2^{111.46}\), respectively. The comparison with the previous attacks is presented in Table 10.
5 Conclusion
In this paper, we propose a one-step framework for finding the rectangle attacks with the purpose of reducing the overall complexities or attacking more rounds. Instead of extending the distinguisher forward and backward with probability 1, we propose to allow probabilistic propagations in the extended part. We treat the distinguisher and the extended part as a whole with a more flexible selection of propagation and involved keys to get better attacks. Moreover, we incorporate the holistic key recovery strategy into our one-step framework. Further, we introduce a technique, which is called the split-and-bunch technique, to reduce the time complexity. Applying our framework to Deoxys-BC-384, we obtain the first 15-round rectangle attack for Deoxys-BC-384, narrowing its security margin to only one round. Applying to SKINNY and ForkSkinny, we obtain a new rectangle attack with reduced data and time complexities. We also apply the main ideas of the framework to differential attacks on CRAFT block cipher, which achieves 2 more rounds than the previous best attacks.
Further Works. In this paper, we only apply the new framework to rectangle attacks and differential attacks. It would be a potential future work to explore the application of these ideas to other attacks.
Notes
- 1.
We use a variant of formulas from Sect. 2.3 in the related-key setting for ciphers with a linear key schedule.
References
Anderson, R., Biham, E., Knudsen, L.: Serpent: a proposal for the advanced encryption standard. NIST AES Proposal 174, 1–23 (1998)
Boura, C., David, N., Derbez, P., Leander, G., Naya-Plasencia, M.: Differential meet-in-the-middle cryptanalysis. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023, Part III. LNCS, vol. 14083, pp. 240–272. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38548-3_9
Biham, E., Dunkelman, O., Keller, N.: The rectangle attack — rectangling the serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_21
Biham, E., Dunkelman, O., Keller, N.: New results on boomerang and rectangle attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 1–16. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45661-9_1
Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
Biryukov, A., Khovratovich, D.: Related-key cryptanalysis of the full AES-192 and AES-256. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 1–18. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_1
Bariant, A., Leurent, G.: Truncated boomerang attacks and application to AES-based ciphers. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part IV. LNCS, vol. 14007, pp. 3–35. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30634-1_1
Beierle, C., Leander, G., Moradi, A., Rasoolzadeh, S.: CRAFT: lightweight tweakable block cipher with efficient protection against DFA attacks. IACR Trans. Symmetric Cryptol. 2019(1), 5–45 (2019)
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)
Cid, C., Huang, T., Peyrin, T., Sasaki, Yu., Song, L.: Boomerang connectivity table: a new cryptanalysis tool. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 683–714. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_22
Delaune, S., Derbez, P., Vavrille, M.: Catching the fastest boomerangs - application to SKINNY. IACR Cryptology ePrint Archive, p. 20 (2021)
Derbez, P., Euler, M., Fouque, P.A., Nguyen, P.H.: Revisiting related-key boomerang attacks on AES using computer-aided tool. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part III. LNCS, vol. 13793, pp. 68–88. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22969-5_3
Dinur, I.: Improved differential cryptanalysis of round-reduced speck. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 147–164. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_9
Dunkelman, O., Keller, N., Shamir, A.: A practical-time related-key attack on the Kasumi cryptosystem used in GSM and 3G telephony. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 393–410. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_21
Dunkelman, O., Keller, N., Shamir, A.: A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. J. Cryptol. 27(4), 824–849 (2014)
Dong, X., Qin, L., Sun, S., Wang, X.: Key guessing strategies for linear key-schedule algorithms in rectangle attacks. IACR Cryptology ePrint Archive, p. 856 (2021)
Dong, X., Qin, L., Sun, S., Wang, X.: Key guessing strategies for linear key-schedule algorithms in rectangle attacks. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part III. LNCS, vol. 13277, pp. 3–33. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_1
Guo, H., et al.: Differential attacks on CRAFT exploiting the involutory s-boxes and tweak additions. IACR Trans. Symmetric Cryptol. 2020(3), 119–151 (2020)
Hadipour, H., Bagheri, N., Song, L.: Improved rectangle attacks on SKINNY and CRAFT. IACR Trans. Symmetric Cryptol. 2021(2), 140–198 (2021)
Hadipour, H., Sadeghi, S., Eichlseder, M.: Finding the impossible: automated search for full impossible-differential, zero-correlation, and integral attacks. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14007, pp. 128–157. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30634-1_5
Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_15
Jean, J., Nikolic, I., Peyrin, T., Seurin, Y.: Deoxys v1. 41. In: Submitted to CAESAR, vol. 124 (2016)
Kelsey, J., Kohno, T., Schneier, B.: Amplified boomerang attacks against reduced-round MARS and serpent. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 75–93. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44706-7_6
Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16
Liu, G., Ghosh, M., Song, L.: Security analysis of SKINNY under related-TWEAKEY settings. IACR Trans. Symmetric Cryptol. 2017(3), 37–72 (2017)
Leander, G., Rasoolzadeh, S.: Weak tweak-keys for the CRAFT block cipher. IACR Trans. Symmetric Cryptol. 2022(1), 38–63 (2022)
Matsui, M.: On correlation between the order of S-boxes and the strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053451
Mouha, N., Preneel, B.: A proof that the ARX cipher Salsa20 is secure against differential cryptanalysis. IACR Cryptology ePrint Archive, p. 328 (2013)
Murphy, S.: The return of the cryptographic boomerang. IEEE Trans. Inf. Theory 57(4), 2517–2521 (2011)
Qin, L., Dong, X., Wang, X., Jia, K., Liu, Y.: Automated search oriented to key recovery on ciphers with linear key schedule applications to boomerangs in SKINNY and FORKSKINNY. IACR Trans. Symmetric Cryptol. 2021(2), 249–291 (2021)
Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9
Song, L., Qin, X., Lei, H.: Boomerang connectivity table revisited: application to SKINNY and AES. IACR Trans. Symmetric Cryptol. 2019(1), 118–141 (2019)
Shi, D., Sun, S., Derbez, P., Todo, Y., Sun, B., Hu, L.: Programming the Demirci-Selçuk meet-in-the-middle attack with constraints. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part II. LNCS, vol. 11273, pp. 3–34. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_1
Song, L., Yang, Q., Chen, Y., Hu, L., Weng, J.: Probabilistic extensions: a one-step framework for finding rectangle attacks and beyond. Cryptology ePrint Archive, Paper 2024/344 (2024). https://eprint.iacr.org/2024/344
Song, L., Yang, Q., Liu, H.: Revisiting the differential meet-in-the-middle cryptanalysis. IACR Cryptology ePrint Archive, p. 1302 (2023)
Song, L., et al.: Optimizing rectangle attacks: a unified and generic framework for key recovery. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part I. Lecture Notes in Computer Science, vol. 13791, pp. 410–440. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22963-3_14
Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_12
Zong, R., Dong, X., Chen, H., Luo, Y., Wang, S., Li, Z.: Towards key-recovery-attack friendly distinguishers: application to GIFT-128. IACR Trans. Symmetric Cryptol. 2021(1), 156–184 (2021)
Zhao, B., Dong, X., Jia, K.: New related-TWEAKEY boomerang and rectangle attacks on Deoxys-BC including BDT effect. IACR Trans. Symmetric Cryptol. pp. 121–151 (2019)
Zhao, B., Dong, X., Meier, W., Jia, K., Wang, G.: Generalized related-key rectangle attacks on block ciphers with linear key schedule: applications to SKINNY and GIFT. Des. Codes Crypt. 88(6), 1103–1126 (2020)
Acknowledgement
The authors would like to thank anonymous reviewers for their helpful comments and suggestions and Ye Luo for preparing some figures. The work of this paper was supported by the National Key Research and Development Program (No. 2018YFA0704704) and the National Natural Science Foundation of China (Grants 62202460, 62372213, 62132008, 62022036). Jian Weng is supported by the National Natural Science Foundation of China under Grant Nos. 61825203, 62332007, and U22B2028, Science and Technology Major Project of Tibetan Autonomous Region of China under Grant No. XZ202201ZD0006G, National Joint Engineering Research Center of Network Security Detection and Protection Technology, Guangdong Key Laboratory of Data Security and Privacy Preserving, Guangdong Hong Kong Joint Laboratory for Data Security and Privacy Protection, and Engineering Research Center of Trustworthy AI, Ministry of Education.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 International Association for Cryptologic Research
About this paper
Cite this paper
Song, L., Yang, Q., Chen, Y., Hu, L., Weng, J. (2024). Probabilistic Extensions: A One-Step Framework for Finding Rectangle Attacks and Beyond. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14651. Springer, Cham. https://doi.org/10.1007/978-3-031-58716-0_12
Download citation
DOI: https://doi.org/10.1007/978-3-031-58716-0_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58715-3
Online ISBN: 978-3-031-58716-0
eBook Packages: Computer ScienceComputer Science (R0)