Higher-Order Cryptanalysis of LowMC

Abstract

LowMC is a family of block ciphers developed particularly for use in multi-party computations and fully homomorphic encryption schemes, where the main performance penalty comes from non-linear operations. Thus, LowMC has been designed to minimize the total quantity of logical “and” operations, as well as the “and” depth. To achieve this, the LowMC designers opted for an incomplete S-box layer that does not cover the complete state, and compensate for it with a very dense, randomly chosen linear layer. In this work, we exploit this design strategy in a cube-like key-recovery attack. We are able to recover the secret key of a round-reduced variant of LowMC with 80-bit security, where the number of rounds is reduced from 11 to 9. Our attacks are independent of the actual instances of the used linear layers and therefore, do not exploit possible weak choices of them. From our results, we conclude that the resulting security margin of 2 rounds is smaller than expected.

A Application to Other Parameter Sets

Besides the recommended versions \(\text {LowMC-80}\) and \(\text {LowMC-128}\), the designers also propose several alternative parameter sets for the 80-bit and 128-bit security level. For 128-bit security, the design document discusses the performance of \(\text {LowMC-128}^{\text {256},\text {63}}\) (\(r=12\) rounds, main variant) and \(\text {LowMC-128}^{\text {512},\text {86}}\) (\(r=11\) or 12 rounds), all with data complexity limit \(d=128\); for 80-bit security, \(\text {LowMC-80}^{\text {256},\text {49}}\) (\(r=11\) rounds, main variant, or \(r=10\)) and \(\text {LowMC-80}^{\text {128},\text {34}}\) (\(r=11\) rounds), all with data complexity limit \(d=64\).

For \(\text {LowMC-128}^{\text {256},\text {63}}\), the attacks of Sect. 4.1 apply for the same number of rounds, with the same complexity. Furthermore, due to the increased logarithmic data complexity limit, an additional round can be added here (for a total of 8 rounds), and the data complexity increased accordingly. However, the size of the identity part, \(\ell =67\), is too small to append rounds with initial-key-guessing as in Sect. 4.2: the necessary number of about \(3 \cdot 40\) guessed S-box key bits becomes prohibitive. Final-key-guessing as in Sect. 4.3, on the other hand, is applicable in a similar way. Again, the smaller identity part increases the complexity: instead of masks b with 6 active S-boxes, about 24 active S-boxes are necessary for a reasonably high probability. If the correct \(3 \cdot 24\)-bit subkey is recovered as described in Sect. 4.3, the computational complexity is about \(2^{72}\) (for up to 9 rounds). However, it is possible to optimize this step at the cost of a slightly higher data complexity.

For \(\text {LowMC-128}^{\text {512},\text {86}}\), on the other hand, the size of the identity part \(\ell = 254\) is almost as large as the S-box part of \(3\cdot m = 258\) bits. This allows the application of initial-key-guessing for free, and 1 active S-box is expected to be sufficient for final-key-guessing. Additionally, due to the higher logarithmic data complexity limit of \(d=128\), the core cube degree can be increased to 64 (\(f^6\)) to add another round, for a total of 10 attacked rounds (out of 11 or 12).

For \(\text {LowMC-80}^{\text {128},\text {34}}\), \(\ell =26\), so the same problems as for \(\text {LowMC-128}^{\text {256},\text {63}}\) apply. For the final-key-guessing, about 14 active S-boxes would be required to find suitable a, b, to attack a total of 8 rounds.

We want to stress that all described attacks are generic for the design of \(\mathrm {LowMC}\), without requiring specific instances of the linear layer \(f_L\) or the key schedule matrices. For specific “weak” choices of the random matrices, it is likely that attacks on more rounds are feasible.