Differential Meet-In-The-Middle Cryptanalysis

Abstract

In this paper we introduce the differential meet-in-the-middle framework, a new cryptanalysis technique for symmetric primitives. Our new cryptanalysis method combines techniques from both meet-in-the-middle and differential cryptanalysis. As such, the introduced technique can be seen as a way of extending meet-in-the-middle attacks and their variants but also as a new way to perform the key recovery part in differential attacks. We apply our approach to SKINNY-128-384 in the single-key model and to AES-256 in the related-key model. Our attack on SKINNY-128-384 permits to break 25 out of the 56 rounds of this variant and improves by two rounds the previous best known attacks. For AES-256 we attack 12 rounds by considering two related keys, thus outperforming the previous best related-key attack on AES-256 with only two related keys by 2 rounds.

A Automatic Detection of Involved Keys

We provide here a simple algorithm to search, given a differential, for efficient applications of the new attack. Indeed, in many cases, it is technically very easy to exactly determine which information about the key is required in the forward or backward computation. As often, when it comes to the question of dependency only, the easiest and less error-prone method is to experimentally determine which bits have an actual influence. Assume we are given (the implementation of) a function \(F:\mathbb {F}_2^n \rightarrow \mathbb {F}_2^m\) and want to determine if the ith input bit of x has an influence on the output of F(x), that is if there exist an input x such that

$$\begin{aligned} F(x) \ne F(x \oplus e_i) , \end{aligned}$$

where \(e_i\) is the vector that has a one exactly at position i.

For this, we could simply take a random input x and compute \(F(x) \oplus F(x \oplus e_i)\). If the result is non-zero, we know that the output depends on the ith input bit. After repeating this process a few times and if we always get zero as a result, we conclude that the ith bit does not have an influence on the output. The later decision might of course be wrong (while the former never is). However, for our applications this is (i) very unlikely to happen due to the construction of the round functions and (ii) irrelevant for the attacks as a key bit that influences the output only in one out of many outputs usually does not have to be guessed.

Focusing on our target, given the implementation of the cipher, i.e. in particular the (round-reduced) encryption and decryption procedures along with the key schedule, we can easily process as represented in Algorithm 2.

The nice feature of the algorithm is that it works for any cipher structure and without the need to know or implement any internal details. However, on this generality we might miss many possible improvements. As an example, consider the key schedule of SKINNY. Here, every round-tweak-key bit is the sum of three bits of (updated) master tweak-key bits. The algorithm above would (correctly) detect the dependence of the output on those three bits, but obviously guessing the sum of the bits is enough. We can easily adopt the above algorithm to take into account linear (tweak) key-schedules. The main idea is not to flip master key-bits directly, but rather round-key bits.

Let us denote the linear key schedule by \(L:\mathbb {F}_2^{\kappa } \rightarrow \mathbb {F}_2^{n\dot{r}}\). The ith bit of the expanded key can thus be written as \(\langle L_i,k\rangle \) where \(L_i\) denotes the ith row of the matrix corresponding to L. Furthermore we denote by \(\widehat{E}_r\) the encryption excluding the key schedule, i.e.

$$\begin{aligned} E_r(k,x)= \widehat{E}_r (L(k),x) . \end{aligned}$$

Instead of master key-bits, we now aim at computing the round-key bits that the encryption depends on and collecting the corresponding linear combinations of the master-key.

The vector-space contains the information that is sufficient to guess in order to compute the upper part of the attack. The dimension of \(\mathcal {K}\) corresponds to the amount of information that has to be guessed, its Gauss-Jordan-basis contains information on which master key bits can be guessed equivalently. This algorithm again is easy to adapt given an implementation of a cipher. In practice, given a differential \(\varDelta _x \rightarrow \varDelta _y\), we can apply this algorithm on both \((E_{in}, \varDelta _x)\) and \((E_{out}^{-1}, \varDelta _y)\) to respectively get the sets \(k_{in}\) and \(k_{out}\) required in our new framework.

For SKINNY, Algorithm 3 allows to complete both the differential trails given in Sect. 3 into attacks against 23 and 24 rounds, that we will finally extend by one additional round at the end to get the currently best known results on SKINNY-128-384.