General Model of the Single-Key Meet-in-the-Middle Distinguisher on the Word-Oriented Block Cipher

Abstract

The single-key meet-in-the-middle attack is an efficient attack against AES. The main component of this attack is a distinguisher. In this paper, we extend this kind of distinguisher to the word-oriented block cipher, such as the SPN block cipher and the Feistel-SP block cipher. We propose a general distinguisher model and find that building a better distinguisher is equivalent to a positive integer optimization problem. Then we give a proper algorithm to solve this problem. Furthermore, we analyse the limitation of the distinguisher using the efficient tabulation and give a method to search the special differential trail we need in this distinguisher. Finally, we apply the distinguisher to Crypton, mCrypton and LBlock, and give distinguishers on 4-round Crypton, 4-round mCrypton and 9-round LBlock. We also give 7-round attacks on Crypton-128 and mCrypton-96.

Appendices

A The Number of \(\delta \)-\(Sets\)

1.1 A.1 The Number of \(\delta \)-\(Sets\) for Crypton

For Crypton, since the branch number of the bit permutation is 4, in Fig. 3, the first column of \(z_i\) may not be all active. If there is one inactive byte, the result is that one column of \(z_{i+1}\) is inactive. Even if the \(j\)-\(th\) byte of the first column is active, the \(j\)-\(th\) column of \(z_{i+1}\) may have one inactive byte, and vice versa. However, the \(i\)-\(th\) byte of \(x_{i+2}\) and \(y_{i+2}\) must be both active or inactive.

Fig. 3.

The 4-rounds distinguisher of Crypton and mCrypton using efficient tabulation

If one byte at the same position of \(x_{i+2}\) and \(y_{i+2}\) is inactive, then that position can take all the 256 values out of the average \(\frac{256}{255}\) values [8].

We can count the exact number of \(multisets\) even though the maximum number of inactive bytes of \(x_{i+2}\) is 7. We find that if the input difference is {1, 2, 3, 4, 8, 12, 16, 32, 48, 64, 128, 192} then the output difference has one inactive byte.

Next we will calculate the probabilities that there are \(i\) inactive bytes in \(x_{i+2}\), \(i=0,1,\dots ,7\).

1. 0.

   In Fig. 3, if the active bytes of \(y_i\), \(y_{i+1}\), \(z_{i+2}\) and \(z_{i+3}\) don’t take the 12 differences above, then the 16 bytes of \(x_{i+2}\) and \({y_{i+2}}\) are all active, the probability of this happen is:

   $$ (\frac{255-12}{255})^{5 \times 2} \approx 0.6157 $$
2. 1.

   If the active bytes of \(y_i\) and \(z_{i+3}\) don’t take the 12 differences, but one of the active bytes of \(y_{i+1}\) and \(z_{i+2}\) take the 12 differences, then 15 bytes of \(x_{i+2}\) and \({y_{i+2}}\) are active(the inactive byte must be at the same position), the probability is:

   $$ 16 \times (\frac{3}{255})^{2} \times (\frac{243}{255})^{8} \approx 0.0015 $$
3. 2.

   If the active bytes of \(y_i\) and \(z_{i+3}\) don’t take the 12 differences above, but two of the active bytes of \(y_{i+1}\) and \(z_{i+2}\) take the 12 differences above, then 14 bytes of \(x_{i+2}\) and \({y_{i+2}}\) are active, the probability is:

   $$ {4 \atopwithdelims ()2} \times 4 \times 3 \times (\frac{3}{255})^{4} \times (\frac{243}{255})^{6} \approx 1.0329 \times 10^{-6} $$

Using the same method above, we can get: \(p_3= 2.0990 \times 10^{-10},\ p_4=1.4868 \times 10^{-9}, p_7=5.8718 \times 10^{-15 }\). Since the branch number of Crypton is 4, \(p_5=0,\ p_6=0\).

Then the total number of \(\delta \)-\(sets\) is:

$$\begin{aligned} 2^{80} \times \sum \nolimits _{i=0}^7 p_i \times s^{16-i} \times t^i \approx 2^{89} \end{aligned}$$

Here \(s=\frac{256}{255}\), \(t=256\) and the probability of \(i\) inactive bytes is \(p_i\).

Fig. 4.

The 9-rounds distinguisher of LBlock

1.2 A.2 The Number of 2-\(\delta \)-\(Sets\) for mCryptonp

For mCrypton, since the branch number is also 4, in Fig. 3, the first column of \(z_i\) may not be all active, and the inactive nibbles can be as many as 2. As a result, there are two columns of \(z_{i+1}\) being all inactive. Even if the \(j\)-\(th\) nibble of the first column of \(z_i\) is active, the \(j\)-\(th\) column of \(z_{i+1}\) may not be all active and vice versa.

If one nibble at the same position of \(x_{i+2}\) and \(y_{i+2}\) is inactive, that position can take all the 16 values out of the average \(\frac{16}{15}\) values.

We can exactly count the number of 2-\(multisets\) even though the maximum number of inactive nibbles of \(x_{i+2}\) is 10. If the input differences of \(z_i\) have two active nibbles, and take the values {(1,1), (2,2), (4,4), (8,8)}, then the output differences have two inactive nibbles. Else if the differences of the two active nibbles taking 52 particular values will result in 1 inactive nibble. If there is only one active nibble in a column and the difference is 1,2,4,8, after the bit permutation, the output difference of that column has 1 inactive nibble. Since the branch number of mCrypton is 4, the maximal number of inactive nibbles is 7.

The way to calculate the probability that there are \(i\) inactive nibble in \(x_{i+2}\) is the same as Crypton, we just show the probabilities of \(i\) inactive nibbles in Table 1.

Table 1. The probability of the number of inactive nibbles in \(x_{i+2}\)

Then the total number of 2-\(multisets\) is:

$$\begin{aligned} 2^{48} \times \sum \nolimits _{i=0}^{10} p_i \times s^{16-i} \times t^i \approx 2^{49.44} \end{aligned}$$

Here \(s=\frac{16}{15}\), \(t=16\) and the probability of \(i\) inactive bytes is \( p_i\).

1.3 A.3 The Number of \(Multisets\) of the AES \(\star \) Distinguisher and 5-Round Distinguisher in [8]

In [8], Derbez, Fouque and Jean proposed the attacks on reduced-round AES using the efficient tabulation. In Sect. 3.3 of their paper, they used a special differential trail \(\star \) to reduce the time complexity of the online phase, i.e.

$$\begin{aligned} 2 \mathop {\longrightarrow }\limits ^{R_i} 4 \mathop {\longrightarrow }\limits ^{R_{i+1}} 16 \mathop {\longrightarrow }\limits ^{R_{i+2}} 4 \mathop {\longrightarrow }\limits ^{R_{i+3}} 1 \end{aligned}$$

(⋆)

Since \(\star \) has 2 active bytes comparing to the original distinguisher, they simply calculated the memory requirement \(2^{8}\) times more than the original one.

However the branch number of AES mixcolumn operation is 5, it may have one inactive byte after the mixcolumn operation of round \(i\), and it lead to one inactive column at \(x_{i+2}\). From the other direction, one active byte in \(x_{i+4}\) can result in \(y_{i+2}\) being all active, this is a mismatch. The number of pairs of \((\varDelta x_i[0],\varDelta x_i[2])\) which will lead to a mismatch is 1020, so we have the memory they use to store the \(multisets\) is:

$$ 2^{82} \times 2^{8} \times \frac{2^{16}-1020}{2^{16}} \approx 0.98 \times 2^{80} $$

128-bit blocks.

At Sect. 4.2 of their attack, they present an attack on 9-round AES 256, they add one round in the middle of the distinguisher, and they simply calculate the memory requirement \(2^{128}\) times more than the original one.

They add the extra round after \(x_{i+2}\) by guessing all the values of the standard state, and use the differential property of S between \(x_{i+3}\) and \(y_{i+3}\). Since \(x_{i+2}\) is active at all bytes, after the mixcolumn operation of round \(i+2\), it may have inactive bytes at \(x_{i+3}\). Since one active byte at \(x_{i+5}\) will lead to all active at \(y_{i+3}\) this will lead to a mismatch. One column which includes of 4 active bytes will result in 1, 2 or 3 inactive bytes, the number of active column for each case is \(6.52953 \times 10^{7},\ 384030,\ 1020\). So the memory to store the \(multisets\) is:

$$ 2^{82} \times 2^{128} \times \frac{2^{32}-6.52953 \times 10^{7}-384030-1020}{2^{32}} \approx 0.98 \times 2^{208} $$

128-bit blocks.

1.4 A.4 The Basic Model of Distinguisher using Efficient Tabulation

With the limitation, the search algorithm for the special truncated differential trail with the least guessed-cells is a meet-in-the-middle procedure. For the SPN cipher, we denote the pair with \(T\) active cells at the beginning of the truncated differential trail by \(E_T\) and the state with \(S\) active cells at the end by \(D_S\). Also from the encrypt direction, the number of active cells before the non-linear permutation of round \(i\) is denoted by \(\chi _{i}^{E}\). From the decrypt direction, the number of active cells after the non-linear permutation of the \(i\)-\(th\) round from the bottom is denoted by \(\chi _{i}^{D}\). One state of the pair is dennonted by the standard state. The algorithm is as follows:

1. 1.

   From the encrypt direction, starting from an \(E_T\), we can get all the differences at the end of round 0 by guessing the differences of the active cells after the non-linear permutation. By guessing the active cells of the standard state before the non-linear permutation, we can get all the differences at the end of the \(i\)-\(th\) round. So after guessing \(\sum \nolimits _{i=0}^{r_E}{\chi _{i}^{E}}\) cells, we can get all the differences before the non-linear permutation of round \(r_E+1\);

2. 2.

   From the decrypt direction, starting from a \(D_S\), we can get all the differences at the beginning of the last round by guessing the differences of the active cells before the non-linear permutation. By guessing the active cells of the standard state after the non-linear permutation, we can get all the differences at the beginning of the \(i\)-\(th\) round from the bottom. So after guessing \(\sum \nolimits _{i=0}^{r_D}{\chi _{i}^{D}}\) cells we can get all the differences after the non-linear permutation of round \(r_E+1\);

3. 3.

   The two pairs on the both sides of the non-linear permutation must be perfect match⁷. Then by the differential property of S [8], we can get one value in average for the active cells and \(2^b\) values for the inactive cells.

4. 4.

   Taken the limitation into account, we can use the guessed-cells and the retrieved values to get the \(S\)-\(multisets\) from the \(T\)-\(\delta \)-\(set\) and calculate the memory complexity. If the memory complexity is greater than exhaustive search, we give up this \((E_T,D_S)\) pair.

The goal of the algorithm is to maximize \(r_E+r_D\) under the condition that the memory complexity (considering the guessed-cells and the limitation of this kind of distinguisher) is less than the exhaustive search. After that, we make the memory complexity to be the least. We can try all the possible combination of \((r_E,r_D)\) and \((E_T,D_S)\) to find the best distinguisher.

B Basic Attacks on Crypton and mCrypton Using Efficient Tabulation

In this section, we will show the basic attacks on Crypton and mCrypton using the distinguishers in Sect. 4.3. The attacks are made up of 2 phases: the precomputation phase and the online phase. The online phase is also made up of three parts: finding the right pair, creating and checking \(\delta \)-\(set\) and finding secret key.

1.1 B.1 Attacks on Crypton

Fig. 5.

The 7-rounds basic attack of Crypton and mCrypton

1. 1.

   Precomputation phase. In the precomputation phase of the attack, we build a lookup table containing \(2^{89}\) \(multisets\) for \(\varDelta x_5[0]\) following the method of Sect. 4.3 and Appendix A.1.

   The lookup table of the \(2^{89}\) possible \(multisets\) uses about \(2^{91}\) 128-bit blocks to store [8]. To construct the table, we have to perform \(2^{89}\) partial encryptions on 256 messages, which we estimate to \(2^{93}\) encryptions.

2. 2.

   Online Phase. The attack procedure is shown in Fig. 5. The online phase is made up of three parts: finding the right pair, creating and checking the \(\delta \)-\(set\) and finding the secret key.

   1. (a)

      Finding the Right Pair:

      1. i.

         We prepare a structure of \(2^{32}\) plaintexts where the first column takes all \(2^{32}\) values, and the remaining 12 bytes are fixed to some constants. Hence, each of the \(2^{32} \times (2^{32}-1)/2 \approx 2^{63}\) pairs we can generate satisfies the plaintext difference. Choose \(2^{81} \) structures and get the corresponding ciphertext. Among the \(2^{63 + 81} = 2^{144}\) corresponding ciphertext pairs, we expect \(2^{144} \times 2^{-96} = 2^{48}\) to verify the truncated-difference trail where only the third column has non-zero difference as shown in Fig. 5. Since only the third column of the ciphertext has non-zero difference, by Observation 2 of [15], we have that only the first row of \(y_6\) has non-zero difference. Store the leaving \(2^{48}\) pairs in a hash table. This step requires \(2^{81+32} = 2^{113}\) chosen plaintexts and their corresponding ciphertexts.

      2. ii.

         Guess the values of \(k_{-1}[0,\dots ,3]\), using the guessed values to encrypt the first column of the remaining pairs to \(y_0\). After the bit permutation operation, we choose the pairs that have non-zero difference only in byte position 0, there are \(2^{48-24} = 2^{48-24}\) pairs left.

      3. iii.

         Guess the values of \(y_{6}[0,4,8,12]\). Since we can yield the first column of \(\varDelta y_6\) from the third column of \(\varDelta z_7\), we can use the guessed values to encrypt the first row of the remaining pairs to \(z_5\). After the bit permutation operation, we choose the pairs that have non-zero difference only in byte position 0, there are \(2^{24-24} = 1\) pairs left.

   2. (b)

      Creating and Checking the \(Multiset\) :

      1. i.

         For each guess of the eight bytes made in Phase (a) and for the corresponding pair, take one of the members of the pair, denote it by \(P^0\), and find its \(\delta \)-\(set\) using the knowledge of \(k_{-1}[0,\dots ,3]\). (This is done by using the knowledge of \(k_{-1}[0,\dots ,3]\), we can encrypt \(P^0\) to \(w_0\), then XOR it with the \(2^8-1\) possible values which are different only in byte 0. Decrypt the \(2^8-1\) obtained value through round 0 using the known subkey bytes. The resulting plaintexts are the other members of the \(\delta \)-\(set\).)

      2. ii.

         Using \(P^0\) as the standard plaintext, the other 255 plaintexts are denoted as \(P^1\) to \(P^{255}\), and the corresponding ciphertexts as \(C^0\) to \(C^{255}\). By Observation 2 of [15], knowing the knowledge of the third column in \([C^0 \oplus C^0, C^1 \oplus C^0, \dots , C^{255} \oplus C^0]\), we can yield the knowledge of the third row of \([y_6^0 \oplus y_6^0, y_6^1 \oplus y_6^1, \dots , y_6^{255} \oplus y_6^0]\). By the knowledge of \(y_6^0[0,4,8,12]\), we can yield the values of \(y_6^0[0,4,8,12]\) to \(y_6^{255}[0,4,8,12]\). By the linearity of key addition, column-to-row and bit permutation, we can yield the knowledge of byte 0 in \([y_5^0 \oplus y_5^0, y_5^1 \oplus y_5^0, \dots , y_5^{255} \oplus y_5^0]\). Guess byte 0 of \(y_5^0[0]\), we can obtain the \(multiset\) \([x_5^0[0]\oplus x_5^0[0],x_5^0[1]\oplus x_5^0[0],\dots ,x_5^{255}[0]\oplus x_5^0[0]]\).

      3. iii.

         Checking whether the \(multiset\) exists in the hash table made in the Precomputation Phase. If not, discard the guessing.

   3. (c)

      Exhaustive Search the Rest of the Key: For each remaining key guess, find the remaining key bytes by exhaustive search.

It is clear that time complexity of the online phase of the attack is dominated by encrypting \(2^{113}\) plaintexts, and hence, the data and time complexity of this part is \(2^{113}\). The memory complexity is about \(2^{91}\) 128-bit blocks, since each \(multiset\) contains about 512 bits. The time complexity of the preprocessing phase of the attack is approximately \(2^{93}\) encryptions.

1.2 B.2 Attacks of mCrypton

The attack procedure of mCrypton is quite the same as Crypton and shown in Fig. 5.

The time complexity of the online phase is \(2^8 \times {2^{32} \times 2^{40 } } = 2^{80}\) one-round mCrypton encryptions, it equals \(2^{77}\) 7-round mCrypton encryption. The data complexity of the online phase is \(2^{49}\). The memory complexity of the precomputation phase is \(2^{52.44}\) 64-bit blocks, since each \(multiset\) contains about 512 bits.

C Algorithms