Abstract
In this paper we introduce the differential meet-in-the-middle framework, a new cryptanalysis technique for symmetric primitives. Our new cryptanalysis method combines techniques from both meet-in-the-middle and differential cryptanalysis. As such, the introduced technique can be seen as a way of extending meet-in-the-middle attacks and their variants, but also as a new way to perform the key-recovery part of differential attacks. We apply our approach to SKINNY-128-384 in the single-key model and to AES-256 in the related-key model. Our attack on SKINNY-128-384 breaks 25 out of the 56 rounds of this variant and improves on the previous best known attacks by two rounds. For AES-256 we attack 12 rounds by considering two related keys, thus outperforming the previous best related-key attack on AES-256 with only two related keys by 2 rounds.
Notes
1. Note that [30] provides a 26-round integral attack against SKINNY-128-384, but it relies on differences in the tweak.
References
1. Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103–119. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-642-04159-4_7
2. Aoki, K., Sasaki, Yu.: Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 70–89. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_5
3. Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Yu., Sim, S.M., Todo, Y.: GIFT: a small present. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 321–345. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_16
4. Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
5. Biham, E., Biryukov, A., Shamir, A.: Miss in the middle attacks on IDEA and Khufu. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 124–138. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_10
6. Biham, E., Dunkelman, O., Keller, N.: The rectangle attack - rectangling the serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_21
7. Biham, E., Dunkelman, O., Keller, N.: Related-key boomerang and rectangle attacks. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507–525. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_30
8. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_1
9. Biham, E., Shamir, A.: Differential cryptanalysis of the full 16-round DES. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 487–496. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_34
10. Biryukov, A., Dunkelman, O., Keller, N., Khovratovich, D., Shamir, A.: Key recovery attacks of practical complexity on AES-256 variants with up to 10 rounds. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 299–319. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_15
11. Biryukov, A., Khovratovich, D.: Related-key cryptanalysis of the full AES-192 and AES-256. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 1–18. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_1
12. Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_19
13. Bordes, N., Daemen, J., Kuijsters, D., Van Assche, G.: Thinking outside the superbox. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part III. LNCS, vol. 12827, pp. 337–367. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_12
14. Canteaut, A., Naya-Plasencia, M., Vayssière, B.: Sieve-in-the-middle: improved MITM attacks. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 222–240. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_13
15. Canteaut, A., Naya-Plasencia, M., Vayssière, B.: Sieve-in-the-middle: improved MITM attacks (full version). IACR Cryptology ePrint Archive, p. 324 (2013). http://eprint.iacr.org/2013/324
16. Choudhuri, A.R., Maitra, S.: Differential cryptanalysis of Salsa and ChaCha - an evaluation with a hybrid model. Cryptology ePrint Archive, Paper 2016/377 (2016). https://eprint.iacr.org/2016/377
17. Daemen, J., Knudsen, L., Rijmen, V.: The block cipher square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052343
18. Delaune, S., Derbez, P., Huynh, P., Minier, M., Mollimard, V., Prud’homme, C.: Efficient methods to search for best differential characteristics on SKINNY. In: Sako, K., Tippenhauer, N.O. (eds.) ACNS 2021, Part II. LNCS, vol. 12727, pp. 184–207. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-78375-4_8
19. Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_7
20. Derbez, P., Fouque, P.-A., Jean, J.: Improved key recovery attacks on reduced-round AES, in the single-key setting. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_23
21. Diffie, W., Hellman, M.: Special feature exhaustive cryptanalysis of the NBS Data Encryption Standard. Computer 10(6), 74–84 (1977)
22. Dong, X., Hua, J., Sun, S., Li, Z., Wang, X., Hu, L.: Meet-in-the-middle attacks revisited: key-recovery, collision, and preimage attacks. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part III. LNCS, vol. 12827, pp. 278–308. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-84252-9_10
23. Dunkelman, O., Keller, N., Shamir, A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_10
24. Dunkelman, O., Sekar, G., Preneel, B.: Improved meet-in-the-middle attacks on reduced-round DES. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 86–100. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77026-8_8
25. Feistel, H.: Cryptography and computer privacy. Sci. Am. 228(5), 15–23 (1973)
26. FIPS 197: Announcing the Advanced Encryption Standard (AES). National Institute for Standards and Technology, Gaithersburg, MD, USA, November 2001
27. Gérault, D., Lafourcade, P., Minier, M., Solnon, C.: Revisiting AES related-key differential attacks with constraint programming. Inf. Process. Lett. 139, 24–29 (2018)
28. Guo, J., Ling, S., Rechberger, C., Wang, H.: Advanced meet-in-the-middle preimage attacks: first results on Full Tiger, and improved results on MD4 and SHA-2. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 56–75. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_4
29. Guo, J., Song, L., Wang, H.: Key structures: improved related-key boomerang attack against the full AES-256. In: Nguyen, K., Yang, G., Guo, F., Susilo, W. (eds.) ACISP 2022. LNCS, vol. 13494, pp. 3–23. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22301-3_1
30. Hadipour, H., Sadeghi, S., Eichlseder, M.: Finding the impossible: automated search for full impossible-differential, zero-correlation, and integral attacks. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part IV. LNCS, vol. 14007, pp. 128–157. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-30634-1_5
31. Isobe, T., Shibutani, K.: All subkeys recovery attack on block ciphers: extending meet-in-the-middle approach. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 202–221. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-35999-6_14
32. Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_15
33. Kim, J., Hong, S., Preneel, B.: Related-key rectangle attacks on reduced AES-192 and AES-256. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 225–241. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74619-5_15
34. Knellwolf, S., Meier, W., Naya-Plasencia, M.: Conditional differential cryptanalysis of NLFSR-based cryptosystems. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 130–145. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_8
35. Knudsen, L.: DEAL - a 128-bit block cipher. Complexity 258(2), 216 (1998)
36. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16
37. Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_3
38. Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_12
39. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33
40. Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The rebound attack: cryptanalysis of reduced whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_16
41. Naya-Plasencia, M.: How to improve rebound attacks. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 188–205. Springer, Heidelberg (2011)
42. Prud’homme, C., Fages, J.G., Lorca, X.: Choco Solver Documentation. TASC, INRIA Rennes, LINA CNRS UMR 6241, COSLING S.A.S. (2016). http://www.choco-solver.org
43. Shi, D., Sun, S., Derbez, P., Todo, Y., Sun, B., Hu, L.: Programming the Demirci-Selçuk meet-in-the-middle attack with constraints. In: Peyrin, T., Galbraith, S.D. (eds.) ASIACRYPT 2018, Part II. LNCS, vol. 11273, pp. 3–34. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-030-03329-3_1
44. Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_12
45. Tolba, M., Abdelkhalek, A., Youssef, A.M.: Impossible differential cryptanalysis of reduced-round SKINNY. In: Joye, M., Nitaj, A. (eds.) AFRICACRYPT 2017. LNCS, vol. 10239, pp. 117–134. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57339-7_7
46. Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_12
47. Yang, D., Qi, W., Chen, H.: Impossible differential attacks on the SKINNY family of block ciphers. IET Inf. Secur. 11(6), 377–385 (2017)
Acknowledgements
This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 714294 - acronym QUASYModo). It was also partially supported by the French Agence Nationale de la Recherche through the SWAP project under Contract ANR-21-CE39-0012, through the DeCrypt project under Contract ANR-18-CE39-0007, and by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972. Finally, the authors would like to thank the Dagstuhl Seminar 22141 on Symmetric Cryptography, which gave the authors the opportunity to advance this collaboration.
A Automatic Detection of Involved Keys
We provide here a simple algorithm to search, given a differential, for efficient applications of the new attack. Indeed, in many cases it is technically very easy to determine exactly which information about the key is required in the forward or backward computation. As is often the case when only the question of dependency matters, the easiest and least error-prone method is to determine experimentally which bits have an actual influence. Assume we are given (the implementation of) a function \(F:\mathbb {F}_2^n \rightarrow \mathbb {F}_2^m\) and want to determine whether the ith input bit of x has an influence on the output of F(x), that is, whether there exists an input x such that \(F(x) \oplus F(x \oplus e_i) \ne 0,\)
where \(e_i\) is the vector that has a one exactly at position i.
For this, we can simply take a random input x and compute \(F(x) \oplus F(x \oplus e_i)\). If the result is non-zero, we know that the output depends on the ith input bit. If, after repeating this process a few times, we always get zero as a result, we conclude that the ith bit has no influence on the output. The latter decision might of course be wrong (while the former never is). However, for our applications this is (i) very unlikely to happen due to the construction of the round functions and (ii) irrelevant for the attacks, as a key bit that influences only one out of many outputs usually does not have to be guessed.
Focusing on our target, given the implementation of the cipher, i.e. in particular the (round-reduced) encryption and decryption procedures along with the key schedule, we can easily proceed as represented in Algorithm 2.
![figure d](http://media.springernature.com/lw685/springer-static/image/chp%3A10.1007%2F978-3-031-38548-3_9/MediaObjects/551634_1_En_9_Figd_HTML.png)
The nice feature of the algorithm is that it works for any cipher structure and without the need to know or implement any internal details. However, because of this generality we might miss many possible improvements. As an example, consider the key schedule of SKINNY. Here, every round-tweak-key bit is the sum of three bits of the (updated) master tweak-key. The algorithm above would (correctly) detect the dependence of the output on those three bits, but guessing the sum of the bits is obviously enough. We can easily adapt the above algorithm to take linear (tweak) key schedules into account. The main idea is not to flip master-key bits directly, but rather round-key bits.
Let us denote the linear key schedule by \(L:\mathbb {F}_2^{\kappa } \rightarrow \mathbb {F}_2^{n \cdot r}\). The ith bit of the expanded key can thus be written as \(\langle L_i,k\rangle \), where \(L_i\) denotes the ith row of the matrix corresponding to L. Furthermore, we denote by \(\widehat{E}_r\) the encryption excluding the key schedule, i.e. the encryption taking the expanded round keys directly as input.
Instead of master-key bits, we now aim at computing the round-key bits that the encryption depends on and collecting the corresponding linear combinations of the master key.
![figure e](http://media.springernature.com/lw685/springer-static/image/chp%3A10.1007%2F978-3-031-38548-3_9/MediaObjects/551634_1_En_9_Fige_HTML.png)
![figure f](http://media.springernature.com/lw685/springer-static/image/chp%3A10.1007%2F978-3-031-38548-3_9/MediaObjects/551634_1_En_9_Figf_HTML.png)
The vector space \(\mathcal {K}\) contains the information that is sufficient to guess in order to compute the upper part of the attack. The dimension of \(\mathcal {K}\) corresponds to the amount of information that has to be guessed, and its Gauss-Jordan basis indicates which master-key bits can equivalently be guessed. This algorithm is again easy to adapt given an implementation of a cipher. In practice, given a differential \(\varDelta _x \rightarrow \varDelta _y\), we apply this algorithm to both \((E_{in}, \varDelta _x)\) and \((E_{out}^{-1}, \varDelta _y)\) to obtain respectively the sets \(k_{in}\) and \(k_{out}\) required in our new framework.
For SKINNY, Algorithm 3 allows us to complete both differential trails given in Sect. 3 into attacks against 23 and 24 rounds, which we finally extend by one additional round at the end to obtain the currently best known results on SKINNY-128-384.
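The two experimental procedures described in this appendix, worked out on a constructed toy cipher, as an added illustration (this is not the paper's code, and the Algorithm 2 and Algorithm 3 figures are not reproduced; the code follows the text's description). The cipher is an assumption made for the example: a 16-bit SPN with the PRESENT S-box, a PRESENT-style bit permutation, and a linear SKINNY-like key schedule in which every round-key bit is the XOR of two master-key bits. The function probed is the output difference of a pair \((x, x \oplus \varDelta _x)\) through the round-reduced encryption, i.e. the quantity the upper part of the attack has to compute. The first procedure flips master-key bits and reports those that change the difference; the second flips bits of the expanded key, recovers the rows \(L_j\) of the key-schedule matrix by pushing unit master keys through the (linear) schedule, and reduces the collected rows over \(\mathbb{F}_2\) with Gauss-Jordan elimination, giving the space \(\mathcal{K}\) and its dimension:

```python
"""Experimental detection of the key material an output difference depends on.

Added example, not code from the paper. The 16-bit SPN and its linear
two-word key schedule are constructed for the illustration (an assumption).
"""
import random

# PRESENT S-box (constructed choice for the toy cipher)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
BLOCK = 16      # block size in bits
KEYBITS = 32    # master key = two 16-bit words, tk1 (low) and tk2 (high)


def rotl16(v, r):
    r %= 16
    return ((v << r) | (v >> (16 - r))) & 0xFFFF


def key_schedule(k, rounds):
    """Linear schedule (constructed): rk_r = rotl(tk1, r) xor rotl(tk2, 3r).
    Returns the expanded key as one integer; bit 16*r + i is bit i of rk_r."""
    tk1, tk2 = k & 0xFFFF, k >> 16
    ek = 0
    for r in range(rounds):
        ek |= (rotl16(tk1, r) ^ rotl16(tk2, 3 * r)) << (16 * r)
    return ek


def sbox_layer(x):
    return sum(SBOX[(x >> (4 * j)) & 0xF] << (4 * j) for j in range(4))


def perm_layer(x):
    # bit i moves to position 4*i mod 15, bit 15 stays (PRESENT-style, 16-bit)
    y = 0
    for i in range(16):
        if (x >> i) & 1:
            y |= 1 << ((4 * i) % 15 if i < 15 else 15)
    return y


def enc_expanded(x, ek, rounds):
    """E-hat: round-reduced encryption taking the expanded key directly."""
    for r in range(rounds):
        x ^= (ek >> (16 * r)) & 0xFFFF
        x = perm_layer(sbox_layer(x))
    return x


def out_diff(x, ek, rounds, dx):
    """Output difference of the pair (x, x ^ dx): what the attack must compute."""
    return enc_expanded(x, ek, rounds) ^ enc_expanded(x ^ dx, ek, rounds)


def involved_bits(func, nbits, trials=32, seed=1):
    """Bit i of func's key argument is 'involved' if some trial shows
    func(x, k) != func(x, k ^ e_i). A 'not involved' verdict is probabilistic."""
    rng = random.Random(seed)
    involved = set()
    for _ in range(trials):
        x, k = rng.getrandbits(BLOCK), rng.getrandbits(nbits)
        base = func(x, k)
        for i in range(nbits):
            if i not in involved and func(x, k ^ (1 << i)) != base:
                involved.add(i)
    return involved


def master_key_bits(rounds, dx, **kw):
    """Structure-agnostic version: which master-key bits affect the difference?"""
    f = lambda x, k: out_diff(x, key_schedule(k, rounds), rounds, dx)
    return involved_bits(f, KEYBITS, **kw)


def schedule_matrix_rows(rounds):
    """Rows L_j of the key-schedule matrix, recovered by pushing unit master
    keys through the linear schedule: bit j of the expanded key is <L_j, k>."""
    rows = [0] * (16 * rounds)
    for m in range(KEYBITS):
        ek = key_schedule(1 << m, rounds)
        for j in range(16 * rounds):
            if (ek >> j) & 1:
                rows[j] |= 1 << m
    return rows


def gf2_gauss_jordan(vectors):
    """Reduced (Gauss-Jordan) basis of the GF(2) span of the given bit-vectors."""
    basis = []  # pairs (pivot bit, vector); no vector carries another's pivot bit
    for v in vectors:
        for p, b in basis:
            if (v >> p) & 1:
                v ^= b
        if v:
            p = v.bit_length() - 1
            basis = [(q, b ^ v if (b >> p) & 1 else b) for q, b in basis]
            basis.append((p, v))
    return sorted(b for _, b in basis)


def involved_key_space(rounds, dx, **kw):
    """Round-key version: involved expanded-key bits and a basis of K = span{L_j}."""
    inv = involved_bits(lambda x, ek: out_diff(x, ek, rounds, dx), 16 * rounds, **kw)
    rows = schedule_matrix_rows(rounds)
    return inv, gf2_gauss_jordan([rows[j] for j in sorted(inv)])


if __name__ == "__main__":
    for rounds in (1, 2):
        m = master_key_bits(rounds, 0x0001)
        inv, basis = involved_key_space(rounds, 0x0001)
        print(f"{rounds} round(s): {len(m)} master-key bits flagged, "
              f"{len(inv)} round-key bits flagged, dim K = {len(basis)}")
```

With the single-bit input difference and one round, master-key probing flags six bits (three in each word of the master key), whereas the round-key version flags three round-key bits and \(\mathcal{K}\) has dimension 3: only the three sums matter, which is exactly the SKINNY observation above. Two further points are visible in the output: flipping a round-key bit along the direction of the current difference never registers, since it merely swaps the two members of the pair; and a "not involved" verdict depends on the number of random trials, which is the probabilistic caveat the text makes.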
Copyright information
© 2023 International Association for Cryptologic Research
Cite this paper
Boura, C., David, N., Derbez, P., Leander, G., Naya-Plasencia, M. (2023). Differential Meet-In-The-Middle Cryptanalysis. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_9
DOI: https://doi.org/10.1007/978-3-031-38548-3_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38547-6
Online ISBN: 978-3-031-38548-3