Optimizing Rectangle and Boomerang Attacks: A Unified and Generic Framework for Key Recovery

Abstract

The rectangle attack has shown to be a very powerful form of cryptanalysis against block ciphers. Given a rectangle distinguisher, one expects to mount key recovery attacks as efficiently as possible. In the literature, there have been four algorithms for rectangle key recovery attacks. However, their performance varies from case to case. Besides, numerous are the applications where the attacks lack optimality. In this paper, we delve into the rectangle key recovery and propose a unified and generic key recovery algorithm, which supports any possible attacking parameters. Not only does it encompass the four existing rectangle key recovery algorithms, but it also reveals five new types of attacks that were previously overlooked. Further, we put forward a counterpart for boomerang key recovery attacks, which supports any possible attacking parameters as well. Along with these new key recovery algorithms, we propose a framework to automatically determine the best parameters for the attack. To demonstrate the efficiency of the new key recovery algorithms, we apply them to Serpent, AES-192, CRAFT, SKINNY, and Deoxys-BC-256 based on existing distinguishers, yielding a series of improved attacks.

Appendices

Our Algorithms in the Related-Key Setting

1.1 Related-key Rectangle Key Recovery Algorithm for Ciphers with a Linear Key-Schedule

Our key recovery algorithm in Sect. 3.1.2 can be easily adapted to the related-key setting for ciphers with a linear key schedule. In related-key setting, as in [4], the differential \(\alpha \rightarrow \beta \) over \(E_0\) is considered with key difference \(\varDelta K\) and for \(\gamma \rightarrow \delta \) over \(E_1\) the key difference is \(\nabla K\). Then, the keys related to the master key \(K_1\) are determined, where \(K_2=K_1\oplus \varDelta K\), \(K_3=K_1 \oplus \nabla K\) and \(K_4=K_1 \oplus \varDelta K \oplus \nabla K\). When the key schedule is linear, the partial guess of subkeys of \(K_1\) will determine the corresponding parts of subkeys of \(K_2\), \(K_3\), and \(K_4\). Considering the related keys, the data set will be different. Choose \(y=\sqrt{s}\cdot 2^{\frac{n}{2}-r_b}/P\) and we get about \(s=(y\cdot 2^{2r_b})^2\cdot 2^{-2r_b}\cdot 2^{-n}\cdot P^2\) right quartets. The related-key algorithm proceeds as follows.

1. 1.

   Collect and store y structures of \(2^{r_{b}}\) plaintexts each. Let \(D=y\cdot 2^{r_b}\). Query the corresponding ciphertexts for each structure under the four related keys \(K_{1}\), \(K_{2}\), \(K_{3}\) and \(K_{4}\) and get the corresponding plaintext-ciphertext sets \(L_{1}\), \(L_{2}\), \(L_{3}\) and \(L_{4}\).

2. 2.

   Split \((m_{b}'+m_{f}')\)-bit \(k_{b}'\Vert k_{f}'\) into two parts: \(G_L\Vert G_R\) where \(G_L\) has t bits.

3. 3.

   Guess \(G_R\):

   1. (a)

      Initialized a list of key counters for \(G_L\) and unguessed key bits of \(k_b,k_f\).

   2. (b)

      Guess the t-bit \(G_L\):

      1. i.

         For each \((P_i,C_i)\) in data set \(L_i\), partially encrypt \(P_i\) under the \(m_b'\)-bit \((k_b')_i\) and partially decrypt C under the \(m_f'\)-bit \((k_f')_i\) of \(K_{i}(i=1, 2, 3, 4)\). Let \(P^*_i=Enc_{(k_{b}')_i}(P_i)\) and \(C^*_i=Dec_{(k_{f}')_i}(C_i)\). For each structure under \(K_{i}\) \((i=1, 2, 3, 4)\), we will get \(2^{r_b'}\) sub-structures, each of which includes \(2^{r_b^*}\) plaintexts. In other words, there are \(y^*=y\cdot 2^{r_b'}\) structures of \(2^{r_b^*}\) plaintexts each.

      2. ii.

         Let \(2^{-\mu }=D\cdot 2^{-n}\). If \(r_f^*-\mu \ge r_b^*\), it turns to step (A); else if \(r_f^*-\mu < r_b^*\), it turns to step (D).

         1. A.

            Construct two sets as \(S_1=\{(P_{1}^*,C_{1}^*,P_{2}^*,C_{2}^*)\): \((P_{1}^*,C_{1}^*)\in L_1\), \((P_{2}^*,C_{2}^*)\in L_2\), \(P_{1}^*\) and \(P_{2}^*\) have difference in \(r^*_b\) bits\(\}\), \(S_2=\{(P_{3}^*,C_{3}^*,\) \(P_{4}^*,C_{4}^*)\): \((P_{3}^*,C_{3}^*)\in L_3\), \((P_{4}^*,C_{4}^*)\in L_4\), \(P_{3}^*\) and \(P_{4}^*\) have difference in \(r^*_b\) bits\(\}\). The size of each set is \(y\cdot 2^{r_b'}\cdot 2^{2(r_b-r_b')}=y\cdot 2^{2r_b-r_b'}=D\cdot 2^{r_b^*}\).

         2. B.

            Insert \(S_1\) into a hash table \(H_1\) by \(n-r_f^*\) inactive bits of \(C_1^*\) and \(n-r_f^*\) inactive bits of \(C_2^*\). Insert \(S_2\) into a hash table \(H_2\) by \(n-r_f^*\) inactive bits of \(C_3^*\) and \(n-r_f^*\) inactive bits of \(C_4^*\).

         3. C.

            With each \(2(n-r_{f}^*)\)-bit index, we pick two distinct \((P_{1}^*,C_{1}^*,P_{2}^*,C_{2}^*)\), \((P_{3}^{*},C_{3}^{*},P_{4}^{*},C_{4}^{*})\) to generate the quartet. We will get

            $$\begin{aligned} \begin{aligned} \left( \frac{|S|}{2^{2(n-r_{f}^*)}}\right) ^2\cdot 2^{2(n-r_{f}^*)}&=D^2\cdot 2^{2r_b^*}\cdot 2^{2r_f^*}\cdot 2^{-2n} \end{aligned} \end{aligned}$$

            quartets. Then go to step (iii).

         4. D.

            Construct two sets as \(S_3=\{ (P_{1}^*,C_{1}^*,P_{3}^*,C_{3}^*)\): \((P_{1}^*,C_{1}^*)\in L_1\), \((P_{3}^*,C_{3}^*)\in L_3\), \(C_{1}^*\) and \(C_{3}^*\) are colliding in \(n-r_f^*\) bits\(\}\), \(S_4=\{ (P_{2}^*,C_{2}^*,P_{4}^*,C_{4}^*)\): \((P_{2}^*,C_{2}^*)\in L_2\), \((P_{4}^*,C_{4}^*)\in L_4\), \(C_{2}^*\) and \(C_{4}^*\) are colliding in \(n-r_f^*\) bits\(\}\). The size of each set is \(D^2\cdot 2^{r_f-r_f'-n}=D\cdot 2^{r_f^*-\mu }\).

         5. E.

            Insert \(S_3\) into a hash table \(H_3\) by \(n-r^*_b\) inactive bits of \(P_1^*\) and \(n-r_b^*\) inactive bits of \(P_3^*\). Insert \(S_4\) into a hash table \(H_4\) by \(n-r^*_b\) inactive bits of \(P_2^*\) and \(n-r_b^*\) inactive bits of \(P_4^*\).

         6. F.

            There are at most \(2^{2(n-r_{b}^*-\mu )}\) possible values for the \(2(n-r^*_b)\)-bit index. For each index, we pick two distinct entries \((P_{1}^*,C_{1}^*,P_{3}^*,C_{3}^*)\), \((P_{2}^{*},C_{2}^{*},P_{4}^{*},C_{4}^{*})\) to generate the quartet. We will get

            $$\begin{aligned} \begin{aligned} \left( \frac{|S|}{2^{2(n-r_{b}^*-\mu )}}\right) ^2\cdot 2^{2(n-r_{b}^*-\mu )}&=D^2\cdot 2^{2r_b^*}\cdot 2^{2r_f^*}\cdot 2^{-2n} \end{aligned} \end{aligned}$$

            quartets.

      3. iii.

         Determine the key candidates involved in \(E_{b}\) and \(E_{f}\) and increase the corresponding counters. Likewise, denote the time complexity in this step as \(\epsilon \).

   3. (c)

      Select the top \(2^{t+m_{b}+m_{f}-m_{b}'-m_{f}'-h}\) hits in the counters to be the candidates, which delivers a h-bit or higher advantage.

   4. (d)

      Guess the remaining \(k-m_{b}-m_{f}\) unknown key bits according to the key schedule algorithm and exhaustively search over them to recover the correct key, where k is the key size.

1.1.1 Data complexity.

The data complexity is \(D_R=4\cdot y\cdot 2^{r_{b}}=4\cdot D=\sqrt{s}2^{n/2+2}/P\).

1.1.2 Memory complexity.

The memory complexity is \(M_R=D_R+2\times \min \{D\cdot 2^{r_{b}^*},D\cdot 2^{r_{f}^*-\mu }\}+2^{t+m_{b}+m_{f}-m_{b}'-m_{f}'}\) to store the data, the sets \(S_i\), and key counters.

1.1.3 Time complexity.

The time complexity of collecting data is \(T_0=D_R,\) and the time complexity of doing partial encryption and decryption under guessed key bits is

$$\begin{aligned} T_{1}=2^{m_{b}'+m_{f}'}\cdot D_R=2^{m_{b}'+m_{f}'}\cdot 4\cdot y\cdot 2^{r_{b}}=\sqrt{s}\cdot 2^{m_{b}'+m_{f}'+\frac{n}{2}+2}/P, \end{aligned}$$

the time complexity of generating set \(S_i\) is

$$\begin{aligned} \begin{aligned} T_{2}&=2^{m_{b}'+m_{f}'}\cdot D\cdot 2 \cdot \min \{ 2^{r_{b}^*}, 2^{r_{f}^*-\mu }\}\\&=\min \{\sqrt{s}\cdot 2^{m_{b}'+m_{f}'+r_{b}-r_b'+\frac{n}{2}+1}/P,s\cdot 2^{m_{b}'+m_{f}'+r_{f}-r_f'+1}/{P^2}\}, \end{aligned} \end{aligned}$$

the time complexity of generating quartet candidates is

$$\begin{aligned} T_3=2^{m_{b}'+m_{f}'}\cdot D^2\cdot 2^{2r_b^*}\cdot 2^{2r_f^*}\cdot 2^{-2n}\cdot \epsilon =(s\cdot 2^{m_{b}'+m_{f}'-n+2r_{b}+2r_{f}-2r_{b}'-2r_{f}'}/{P^2})\cdot \epsilon , \end{aligned}$$

and the time complexity of the exhaustive search is

$$\begin{aligned} T_{4}=2^{m_{b}'+m_{f}'-t}\cdot 2^{k+t-m_{b}'-m_{f}'-h}=2^{k-h}, \end{aligned}$$

where \(h\le t+m_{b}+m_{f}-m_{b}'-m_{f}'.\)

1.2 Related-key Boomerang Key Recovery Algorithm for Ciphers with a Linear Key-Schedule

Our key recovery algorithm in Sect. 3.2.2 can be easily adapted to the related-key setting for ciphers with a linear key schedule. The related-key algorithm proceeds as follows.

1. 1.

   Collect and store y structures of \(2^{r_{b}}\) plaintexts such that \(y 2^{r_b}=s/P^2\). Query for the corresponding ciphertexts under the related keys \(K_1,K_2\) and store the plaintext–ciphertext pairs in sets \(L_{1}\) and \(L_{2}\). The size of these two sets is \(D_0=y2^{r_b+1}\).

2. 2.

   Let \(D_1= \min \{D_0\cdot 2^{r_f}, D_0\cdot 2^{r^*_f+m'_f}, 2^{n+1}\}\). If \(D_1=2^{n+1}\), query for the plaintext for each possible ciphertext under \(K_3,K_4\) respectively. If \(D_1= D_0\cdot 2^{r_f}\), for each possible \(\delta '\), shift the ciphertexts in \(L_{1},L_{2}\) by \(\delta '\) and query for their plaintexts. Store these plaintext–ciphertext pairs in sets \(L_{3}\) and \(L_{4}\). The size of the two sets is \(D_0\cdot 2^{r_f}\).

3. 3.

   Split \(m_{b}'\)-bit \(k_{b}'\) into two parts: \(G_L\Vert G_R\) where \(G_L\) has t bits, \(0\le t \le m'_b\).

4. 4.

   Guess \(k'_f\):

   1. (a)

      If \(r'_f\ge m'_f\), for each data \((P_1, C_1)\in L_{1}\), partially decrypt \(C_i\) to \(C_i^*\) under \((k'_f)_1\) and for each possible \(r^*_f\)-bit difference, construct \(C^*_3\) and new ciphertexts \(C_3\). If \(D_1<2^n\), query for the plaintexts \(P_3\) under \(K_3\); otherwise, read \(P_3\) from \(L_3\). Store \((P_3,C^*_3)\) in \(L_{3,k'_f}\). Do the same for each data in \(L_2\) and obtain \(L_{4,k'_f}\). (Let \(\hat{L_3}=\cup _{k'_f}L_{3,k'_f},\hat{L_4}=\cup _{k'_f}L_{4,k'_f}\). The size of \(\hat{L_3}, \hat{L_4}\) is \(D_0\cdot 2^{r^*_f+m'_f}\). The memory cost for this step is \(D_0\cdot 2^{r^*_f}\).)

   2. (b)

      Guess \(G_R\):

      1. i.

         Initialized a list of key counters for \(G_L\) and the unguessed key bits of \(k_b,k_f\). The memory complexity in this step is \(2^{t+m_{b}+m_{f}-m_{b}'-m_{f}'}\).

      2. ii.

         Guess the t-bit \(G_L\):

         1. A.

            For each data \((P_i, C_i)\in L_i, i=1,2\), partially encrypt \(P_i\) and partially decrypt \(C_i\) under the guessed subkey bits. Let \(P^*_i=Enc_{(k_b')_i}(P_i)\) and \(C^*_i=Dec_{(k_f')_i}(C_i)\). For each structure, we will get \(2^{r_b'}\) sub-structures, each of which includes \(2^{r_b-r_b'}=2^{r_b^*}\) plaintexts which take all possible values for the active bits. In other words, there are \(y^*=y\cdot 2^{r_b'}\) structures of \(2^{r_b^*}\) plaintexts. (\(T=D_0\))

         2. B.

            If \(r'_f< m'_f\), do partial encryption and decryption for \((P_j,C_j)\in L_j\) to get \((P^*_j,C^*_j)\) for \(j=3,4\). (\(T=D_0\cdot 2^{r_f}\))

         3. C.

            If \(r'_f\ge m'_f\), do partial encryption for data in \(L_{j,k'_f}\) get \((P^*_j,C^*_j)\) for \(j=3,4\). (\(T=D_0\cdot 2^{r^*_f}\))

         4. D.

            Insert \((P^*_j,C^*_j)\) into a hash table \(H_j\) for \(j=3,4\), according to \((n-r^*_f)\) inactive bits of \(C^*_j\). (The size of the two hash tables is \(D_0\cdot 2^{r_f}\) or \(D_0\cdot 2^{r^*_f}\).)

         5. E.

            For \((i,j)\in \{(1,3), (2,4)\}\), look up \(H_j\) with \((P_i^*,C_i^*)\) and construct a set as \(S_{i,j}=\{(P_{i}^*,C_{i}^*\), \(P_{j}^*,C_{j}^*): C_{i}^*\text { and }C_{j}^*\) have difference only in \(r^*_f\) bits\(\}\). The size of each \(S_{i,j}\) is \(D_0\cdot 2^{r^*_f-1}\) no matter when \(r'_f<m'_f\) or \(r'_f\ge m'_f\). Insert pairs from \(S_{i,j}\) into hash table \(H_i\) according to \(n-r_b^*\) inactive bits of \(P_i^*\) and \(n-r_b^*\) inactive bits of \(P_j^*\). (\(T=D_0\cdot 2^{r^*_f}\))

         6. F.

            For \((i,j)\in \{(1,3), (2,4)\}\), there are \(y\cdot 2^{r_b'}\) possible values for the \(n-r^*_b\) bits of \(P_i^*\) and \(2^{n-r_b^*}\) possible values for the \(n-r^*_f\) bits of \(P_j^*\). For each index, we pick two distinct entries \((P_1,C_1^*,P_3,C_3^*)\) and \((P_2,C_2^*,P_4,C_4^*)\) to generate the quartet. The number of quartets we will get is

            $$\begin{aligned} \frac{|S_{1,3}|\cdot |S_{2,4}|}{\left( 2^{n-r_{b}^*}\cdot y\cdot 2^{r_b'}\right) ^2}\cdot 2^{n-r_{b}^*}\cdot y\cdot 2^{r_b'}=D_0\cdot 2^{2r_b^*+2r_f^*-n-1}. \end{aligned}$$
      3. iii.

         Determine the key candidates involved in \(E_{b}\) and \(E_{f}\) and increase the corresponding counters. Denote the time complexity for processing one quartet as \(\epsilon \). Then the time complexity in this step is \(D_0\cdot 2^{2r_b^*+2r_f^*-n}\cdot \epsilon \).

      4. iv.

         Select the top \(2^{t+m_{b}+m_{f}-m_{b}'-m_{f}'-h}\) hits in the counters to be the candidates, which delivers a h-bit or higher advantage, where \(0< h\le t+m_{b}+m_{f}-m_{b}'-m_{f}'\).

      5. v.

         Guess the remaining \(k-m_{b}-m_{f}\) unknown key bits according to the key schedule algorithm and exhaustively search over them to recover the correct key. The time complexity of this step is \(2^{k+t-m_{b}'-m_{f}'-h}\).

1.2.1 Data complexity.

From y pairs of structures under \(K_1\) and \(K_2\) respectively, we can form \(y\cdot 2^{2r_b}\) plaintext pairs. Among them, \(y\cdot 2^{r_b}\) pairs satisfy \(\alpha \) difference on average. Let s be the expected number of right quartets, so we have \(y\cdot 2^{r_b}\cdot P^2=s\), \(y=s\cdot 2^{-r_b}/P^2\) and \(D_0=2\cdot y\cdot 2^{r_b}=2\,s/P^2\) chosen plaintexts as well as \(D_1= \min \{D_0\cdot 2^{r_f}, D_0\cdot 2^{r^*_f+m'_f}, 2^{n+1}\}\) chosen ciphertexts.

1.2.2 Memory complexity.

The memory complexity is \(M=D_0+ D_1+2^{t+m_{b}+m_{f}-m_{b}'-m_{f}'}\) when \(r'_f<m'_f\) or \(D_1=2^{n+1}\) and \(M=D_0+\min \{ D_0\cdot 2^{r^*_f}, 2^{n+1}\}+2^{t+m_{b}+m_{f}-m_{b}'-m_{f}'}\) when \(r'_f\ge m'_f\) and \(D_1<2^{n+1}\) to store the data, the pairs, and the counters.

1.2.3 Time complexity.

The time complexity of collecting data is \(T_0=D_0+D_1\), the time complexity of doing partial encryption and decryption under guessed key bits is

$$\begin{aligned} T_{1}=2^{m'_b+m_{f}'}\cdot (D_0 + D_1), \end{aligned}$$

when \(r'_f<m'_f\) and

$$\begin{aligned} T_{1}=2^{m'_b+m_{f}'}\cdot (D_0 + D_0\cdot 2^{r^*_f}), \end{aligned}$$

when \(r'_f\ge m'_f\), the time complexity of generating set \(S_2\) is

$$\begin{aligned} T_{2}=2^{m'_b+m_{f}'}\cdot D_0\cdot 2^{r^*_f}, \end{aligned}$$

the time complexity of generating and processing quartet candidates is

$$\begin{aligned} T_3=2^{m'_b+m'_f}\cdot D_0\cdot 2^{2r_b^*+2r_f^*-n-1}\cdot \epsilon =s\cdot 2^{m'_b+m'_f+2r_b^*+2r_f^*-n}/P^2 \cdot \epsilon , \end{aligned}$$

and the time complexity of the exhaustive search is \(T_{4}=2^{m'_b+m_{f}'-t+k-m_b-m_f}\cdot 2^{t+m_b+m_f-m'_b-m_{f}'-h}=2^{k-h},\) where \(0<h\le {t+m_b+m_{f}-m'_b-m_{f}'}.\)

Application to Some Other Ciphers

1.1 Other Variants of SKINNY

1.1.1 Attack on 32-round SKINNY-128–384.

We reuse the 23-round rectangle distinguisher of SKINNY-128–384 from [18]. The probability of this distinguisher is \(2^{-n}P^2=2^{-128}\cdot 2^{-115.09}\). Our key recovery extends the distinguisher by four rounds at the top and five rounds at the bottom, as shown in Fig. 11. The parameters for this attack are: \(r_b = 12\times 8\), \(r_f=16\times 8\), \(m_b=18\times 8\) and \(m_f=24\times 8\). Note that \(k_b\cup k_f\) only contain \((18+24-2)\times 8\) information bits.

We apply our generic framework and obtain that when constructing pairs on the top and guessing 27 subtweakey cells leads to the lowest complexity overall. The positions of the guessed subtweakey cell and 19 filters (\(r'_b=11\times 8, r'_f=8\times 8\)) that can be checked under these subtweakey cells are marked by red squares in Fig. 11.

Fig. 11

A 32-round key recovery attack against SKINNY-128–384

Next, we compute the complexities of our attack.

• The data complexity is \(D_R=4\cdot y\cdot 2^{r_b}=\sqrt{s}\cdot 2^{n/2+2}/P=\sqrt{s}\cdot 2^{123.54}\).

• The memory complexity is \(M_R=D_R+D\cdot 2^{r_{b}^*}+2^{t+m_{b}+m_{f}-m_{b}'-m_{f}'}=\sqrt{s}\cdot 2^{123.54}+\sqrt{s}\cdot 2^{129.54}+2^{104+t}\)

• The time complexity is \(T_1=2^{m_b'+m_f'}\cdot D_R=\sqrt{s}\cdot 2^{27\times 8+123.55}=\sqrt{s} \cdot 2^{339.54}\);

• \(T_2=2^{m_b'+m_f'}\cdot D\cdot 2^{r_b-r_b'}=\sqrt{s}\cdot 2^{27\times 8+121.55 + 8}=\sqrt{s}\cdot 2^{345.54}\);

• \(T_3=2^{m_b'+m_f'}\cdot D^2 \cdot 2^{2r_b^*+2r_f^*-2n}\cdot \epsilon = s\cdot 2^{27\times 8+243.09+2\times 8+2\times 64-2\times 128}\cdot \epsilon =s\cdot 2^{347.09}\cdot \epsilon \);

• \(T_4=2^{384-h}, h<104+t\).

Processing a candidate quartet to retrieve the rest of \(k_b\) and \(k_b\) can be realized by looking up tables. We pre-compute several tables as illustrated in Table 9, so that \(\epsilon \) is equivalent to about 4 memory accesses which is around \(4\times \frac{1}{16}\times \frac{1}{32}=2^{-7}\) encryption. If we set \(s=1,h=40\) and \(t=0\), then the data, memory, and time complexities of our attack are \(2^{123.54}\), \(2^{129.54}\), and \(2^{344.16}\), respectively. The success probability is about \(82.1\%\).

Table 9 Precomputation tables for the 32-round attack on SKINNY-128–384, where underlined bytes are used as input and determine the time and memory complexity for building the table

The comparison with the previous rectangle attacks based on the same distinguisher is presented in Table 10.

Table 10 Comparisons of key recovery attacks on 32-round SKINNY-128–384

1.1.2 Attack on 26-round SKINNY-128–256.

Applying our new rectangle key recovery algorithm to SKINNY-128–256, we get a new 26 rectangle attack by appending 3-round \(E_b\) and 4-round \(E_f\), with using the 19-round rectangle distinguisher of SKINNY-128–256 in [18], as shown in Fig. 12. The probability of the distinguisher is \(2^{-n}P^2=2^{-128-121.07}=2^{249.07}\). The parameters for this attack are \(r_b=9\times 8=72,r_f=12\times 8=96,m_b=11\times 8=88\) and \(m_f=21\times 8=168\). Due to the tweakey schedule, \(k_b\cup k_f\) only contain \((88+168-16)=240\) information bits.

Fig. 12

A 26-round key recovery attack against SKINNY-128–256

The best guessing parameters are \(m_b'=72,r_b'=64\), and \(m_f'=r_f'=32\), which means guessing partial bits of \(k_b\) and \(k_f\). This type of guessing is not covered in previous rectangle key recovery attacks. The complexities of our new attack are as follows.

• The data complexity is \(D_R=4\cdot y\cdot 2^{r_b}=\sqrt{s}\cdot 2^{n/2+2}/P=\sqrt{s}\cdot 2^{126.53}\).

• The memory complexity is \(M_R=D_R+D\cdot 2^{r_{b}^*}+2^{t+m_{b}+m_{f}-m_{b}'-m_{f}'}=\sqrt{s}\cdot 2^{126.53}+\sqrt{s}\cdot 2^{132.53}+2^{136+t}\).

• The time complexity \(T_1=2^{m_b'+m_f'}\cdot D_R=\sqrt{s}\cdot 2^{13\times 8+126.53}=\sqrt{s} \cdot 2^{230.53}\);

• \(T_2=2^{m_b'+m_f'}\cdot D\cdot 2^{r_b-r_b'}=\sqrt{s}\cdot 2^{13\times 8+124.53 + 8}=\sqrt{s}\cdot 2^{236.53}\);

• \(T_3=2^{m_b'+m_f'}\cdot D^2 \cdot 2^{2r_b^*+2r_f^*-2n}\cdot \epsilon = s\cdot 2^{13\times 8+124.53\times 2+2\times 8+2\times 64-2\times 128}\cdot \epsilon =s\cdot 2^{241.07}\cdot \epsilon \);

• \(T_4=2^{256-h}, h<136+t\).

Processing a candidate quartet to retrieve the rest of \(k_b\) and \(k_f\) can be realized by looking up tables. We pre-compute several tables as illustrated in Table 11, so that \(\epsilon \) is equivalent to about \(1+1+2^{8}+2^{8}+1+1=516\) memory accesses which is around \(516\times \frac{1}{16}\times \frac{1}{26}=2^{0.31}\) encryption. If we set \(s=1,h=40\) and \(t=0\), then the data, memory, and time complexities of our attack are \(2^{126.53}\), \(2^{136}\), \(2^{241.38}\), respectively. The success probability is about \(64.06\%\).

Table 11 Precomputation tables for the 26-round attack on SKINNY-128–256, where underlined bytes are used as input and determine the time and memory complexity for building the table

The comparison with the previous rectangle attacks based on the same distinguisher is presented in Table 12.

Table 12 Comparisons of key recovery attacks on 26-round SKINNY-128–256

1.2 Deoxys-BC-256

Deoxys-BC [24] is the internal tweakable block cipher of Deoxys-II, which is among the final portfolio of CAESAR competition. Both versions of the cipher have a 128-bit state and variable size key and tweak. It has two versions with a 256-bit key size and a 384-bit key size.

1.2.1 Rectangle Attack.

We reuse the 9-round rectangle distinguisher of Deoxys-BC-256 proposed by Cid et al. [10] and reevaluated in [38] to attack 11-round rectangle Deoxys-BC-256 with 2-round \(E_f\), as shown in Fig. 10. The probability of the distinguisher is \(2^{-n}P^2=2^{-128-120.4}=2^{-248.4}\), and other parameters are: \(n=128,k=256,m_b=r_b=0,m_f=(16+10)\times 8=208,r_f=16\times 8=128\).

The best guessing parameters are \(m_f'=12\times 8=96\) and \(r_f'=8\times 8=64\), which means guessing 8 bytes of \(k_f\). The complexities of our new attack are as follows.

• The data complexity is \(D_R=4\cdot y\cdot 2^{r_b}=\sqrt{s}\cdot 2^{n/2+2}/P=\sqrt{s}\cdot 2^{126.2}\).

• The memory complexity is \(M_R=D_R+D\cdot 2^{r_{b}^*}+2^{t+m_{b}+m_{f}-m_{b}'-m_{f}'}=\sqrt{s}\cdot 2^{126.2}+\sqrt{s}\cdot 2^{124.2}+2^{112+t}\).

• The time complexity \(T_1=2^{m_b'+m_f'}\cdot D_R=\sqrt{s}\cdot 2^{12\times 8+126.2}=\sqrt{s} \cdot 2^{222.2}\);

• \(T_2=2^{m_b'+m_f'}\cdot D\cdot 2^{r_b-r_b'}=\sqrt{s}\cdot 2^{12\times 8+124.2}=\sqrt{s}\cdot 2^{220.2}\);

• \(T_3=2^{m_b'+m_f'}\cdot D^2 \cdot 2^{2r_b^*+2r_f^*-2n}\cdot \epsilon = s\cdot 2^{12\times 8+124.2\times 2+2\times 64-2\times 128}\cdot \epsilon =s\cdot 2^{216.4}\cdot \epsilon \);

• \(T_4=2^{256-h}, h<112+t\).

Table 13 Comparisons of key recovery attacks on 11-round Deoxys-BC-256

Processing a candidate quartet to retrieve the rest of \(k_f\) can be realized by looking up tables. We consider the equivalent round subtweakey \(MTK_i=SR^{-1}\circ MC^{-1}(STK_i)\) in round i. To process a candidate quartet to retrieve the rest of \(k_f\), we prepare some tables as illustrated in Table 16. So that \(\epsilon \) is equivalent to about 1 memory access which is around \(1\times \frac{1}{16}\times \frac{1}{11}=2^{-7.45}\) encryption. If we set \(s=1.5,h=36\) and \(t=0\), then the data, memory, and time complexities of our attack are \(2^{126.78}\), \(2^{128}\), \(2^{222.49}\), respectively. The success probability is about \(77.19\%\).

Previously Proposed Key Recovery Algorithms

1.1 Algorithm 1: Biham–Dunkelman–Keller’s Algorithm at EUROCRYPT 2001

Biham, Dunkelman, and Keller introduced the rectangle attack [2] at EUROCRYPT 2001 and first applied it to Serpent [1]. The specific procedures are as follows:

1. 1.

   Create and store \(y=\sqrt{s}\cdot 2^{\frac{n}{2}-r_{b}+1}/P\) structures including \(2^{r_{b}}\) each by traversing the active bits in each structure, where s denotes the expected number of right quartets.

2. 2.

   Initialize \(2^{m_{b}+m_{f}}\) key counters for the \((m_{f}+m_{b})\)-bit subkey involved in \(E_{b}\) and \(E_{f}\). For each \((m_{f}+m_{b})\)-bit subkey and each structure:

   1. (a)

      Partially encrypt plaintext \(P_{1}\) to the position of \(\alpha \) under the guessed \(m_{b}\)-bit subkey in \(E_{b}\) and partially decrypt the state xored the known difference \(\alpha \) to the plaintext \(P_{2}\).

   2. (b)

      Denote \(C_{1}\) and \(C_{2}\) the corresponding ciphertexts of \(P_{1}\) and \(P_{2}\) respectively. Partially decrypt \(C_{1}\) to the position of \(\delta \) and encrypt it to the ciphertext \(C_{3}\) after xoring \(\delta \). Similarly, we find \(C_{4}\) from \(C_{2}\) in the same way and then obtain the quartet \((C_{1}, C_{2}, C_{3}, C_{4}).\)

   3. (c)

      Check whether the corresponding ciphertexts \((C_{3}, C_{4})\) exist in our data. If exist, we check the difference is \(\alpha \) after partially encrypting corresponding plaintexts \((P_{3},P_{4})\) under \(m_{b}\)-bit subkey in \(E_{b}\). If so, we increase the corresponding counter by 1.

   4. (d)

      Select the top \(2^{m_{b}+m_{f}-h}\) hits in the counter to be the candidates, which delivers a h-bit or higher advantage.

   5. (e)

      Guess the remaining \(k-m_{b}-m_{f}\) unknown key bits according to the key schedule algorithm and exhaustively search over them to recover the correct key, where k is the key size.

The data complexity is \(D=y\cdot 2^{r_{b}}=\sqrt{s}\cdot 2^{\frac{n}{2}+1}/P\). The memory complexity is \(D+2^{m_{b}+m_{f}}\) to store the data and key counters. The time complexity of generating quartets and determining the key candidates is

$$\begin{aligned} T_{1}=2^{m_{b}+m_{f}}\cdot D=\sqrt{s} \cdot 2^{m_{b}+m_{f}+\frac{n}{2}+1}/P, \end{aligned}$$

and the complexity of the exhaustive search is

$$\begin{aligned} T_{2}=2^{m_{b}+m_{f}-h}\cdot 2^{k-(m_{b}+m_{f})}=2^{k-h}, \end{aligned}$$

where \(h\le m_{b}+m_{f}.\)

1.2 Algorithm 2: Biham-Dunkelman-Keller’s Algorithm at FSE 2002

At FSE 2002, Biham, Dunkelman, and Keller further introduced their new algorithm for rectangle recovery attacks in the single-key setting. Later, the attack was converted into the related-key setting by Liu et al. [28] on ciphers with a linear key schedule. The procedures are summarized as follows, and more details are described in [2]:

1. 1.

   Construct and store y structures of \(2^{r_{b}}\) plaintexts each by traversing the active bits in each structure.

2. 2.

   Initialize an array of \(2^{m_{b}+m_{f}}\) counters for the (\(m_{f}+m_{b}\))-bit subkey involved in \(E_{b}\) and \(E_{f}\).

3. 3.

   Insert the \(y\cdot 2^{r_{b}}\) ciphertexts into a hash table H according to the \(n-r_{f}\) inactive ciphertext bits. For each index, there are \(2^{r_{b}}\cdot 2^{r_{f}-n}\) plaintexts and ciphertexts colliding in the \(n-r_{f}\) bits for each structure.

4. 4.

   In each structure S, we search for a ciphertext pair \((C_{1},C_{2})\) and choose a ciphertext \(C_{3}\) by the \(n-r_{f}\) inactive ciphertext bits of \(C_{1}\) from the hash table H. We pick a ciphertext \(C_{4}\) according to the \(n-r_{f}\) inactive ciphertext bits of \(C_{2}\) from the hash table in the same way. Then we check whether the corresponding plaintexts \(P_{3}\) and \(P_{4}\) are in the same structure. If so, then we generate a quartet \((P_{1}, P_{2}, P_{3}, P_{4})\) and its corresponding ciphertexts \((C_{1}, C_{2}, C_{3}, C_{4}).\)

5. 5.

   Determine the key candidates involved in \(E_{b}\) and \(E_{f}\) with the quartets obtained above and increase the corresponding counters. This phase is just a guess and filter procedure. Denote the time complexity in this step as \(\epsilon _{2}\).

6. 6.

   Select the top \(2^{m_{b}+m_{f}-h}\) hits in the counter to be the candidates, which delivers a h-bit or higher advantage.

7. 7.

   Guess the remaining \(k-m_{b}-m_{f}\) unknown key bits according to the key schedule algorithm and exhaustively search over them to recover the correct key, where k is the key size.

The data complexity is \(D=y\cdot 2^{r_{b}}=\sqrt{s}\cdot 2^{\frac{n}{2}+1}/P\). The memory complexity is \(D+2^{m_{b}+m_{f}}\) to store the data and key counters. The time complexity of inserting the ciphertexts into the hash table is

$$\begin{aligned} T_{1}=D=\sqrt{s} \cdot 2^{\frac{n}{2}+1}/P, \end{aligned}$$

the time complexity to generate quartets accessing the colliding pairs is

$$\begin{aligned} T_{2}=\left( {\begin{array}{c}D\\ 2\end{array}}\right) \cdot 2^{r_{f}-n}=D^2\cdot 2^{r_{f}-n-1}=y^2\cdot 2^{2r_b+r_f-n-1}=s\cdot 2^{r_f+1}/P^2, \end{aligned}$$

the complexity of determining the key candidates is

$$\begin{aligned} \begin{aligned} T_{3}&=(y\cdot 2^{2r_{b}+r_{f}-n-1})^{2}=y^{2} \cdot 2^{4r_{b}+2r_{f}-2n-2} \cdot \epsilon _{2}\\&=D^2\cdot 2^{2r_b+2r_f-2n-2}\cdot \epsilon _{2}\\&=s \cdot 2^{2r_{b}+2r_{f}-n}/{P^{2}} \cdot \epsilon _{2} \end{aligned} \end{aligned}$$

and the complexity of exhaustive search is

$$\begin{aligned} T_{4}=2^{m_{b}+m_{f}-h}\cdot 2^{k-(m_{b}+m_{f})}=2^{k-h}, \end{aligned}$$

where \(h\le m_{b}+m_{f}.\)

In step 4 of the above algorithm, quartets are constructed in time \(T_2\) and the memory cost does not exceed D. Here we try to give an illustration of how to avoid the increase in memory. Firstly, we need to store the collected data and the memory complexity is D. Next, insert (P, C) into a hash table \(H_1\) according to \(n-r_f\) bits in ciphertexts. There are \(D\cdot 2^{-(n-r_f)}\) values in each index and the time complexity of this step is D. Then for each structure \(S_i(i=1,2,\cdots ,y)\), considering \((P_1,P_2)(P_1,P_2\in S_i)\), we will obtain \(2^{2r_b-1}\) such pairs. The values in the same index with \(C_1\) in \(H_1\) are denoted as \(C_3^1,C_3^2,\cdots ,C_3^j,\cdots \) and \(C_4^1,C_4^2,\cdots ,C_4^k,\cdots \) for \(C_2\). Insert \(C_3^j\) into a hash table \(H_2\) according to \(n-r_b \) bits of \(P_3^j\), which is the same as we defined in our algorithm. We then look up \(H_2\) with \(n-r_b \) bits of \(P_4^k\); if a collision is found, \((C_1,C_2,C_3^j,C_4^k)\) is a candidate quartet. In this step, the memory complexity of storing \(H_2\) is \(D\cdot 2^{-(n-r_f)}\), which can be ignored compared to D. We will get

$$\begin{aligned} y\cdot 2^{2r_b-1} \cdot \left( {\begin{array}{c}D\cdot 2^{-(n-r_f)}\\ 2\end{array}}\right) \cdot 2^{-(n-r_b-\mu )}=D^2\cdot 2^{2r_b+2r_f-2n-2} \end{aligned}$$

candidate quartets. However, there will be an extra time complexity of accessing the hash table \(H_2\), which is

$$\begin{aligned} y\cdot 2^{2r_b-1}\cdot D\cdot 2^{-(n-r_f)}=D^2\cdot 2^{r_b+r_f-n-1}. \end{aligned}$$

It should be noted that the extra time complexity may not be omitted as it may be a dominant part in some cases. We feel that this term of time complexity was neglected by the authors of [2] inadvertently, or the memory complexity should be higher than D.

1.3 Algorithm 3: Zhao et al. ’s Single-key Variant

Zhao et al. proposed a new generalized related-key rectangle framework [39, 40] for block ciphers with a linear key schedule. The attack can be applied to single-key setting with simple modifications:

1. 1.

   Collect and store y structures of \(2^{r_{b}}\) plaintexts each by traversing the active bits in each structure.

2. 2.

   Guess the \(2^{m_{b}}\) possible \(m_{b}\)-bit subkey involved in \(E_{b}\):

   1. (a)

      Initialized a list of \(2^{m_{f}}\) counters corresponding to a \(m_{f}\)-bit subkey guess.

   2. (b)

      For each structure, partially encrypt plaintext \(P_{1}\) under the guessed subkey bits in \(E_{b}\) to the position of \(\alpha \) and decrypt the intermediate value xored the known difference \(\alpha \) to obtain the plaintext \(P_{2}\) in the same structure with \(P_{1}\). Construct a set S with the relevant plaintexts and ciphertexts as

      $$\begin{aligned} S=\left\{ (P_{1},C_{1},P_{2},C_{2}): E_{b}(P_{1})\oplus E_{b}(P_{2})=\alpha \right\} . \end{aligned}$$
   3. (c)

      The size of S is \(y\cdot 2^{r_{b}-1}\). Insert S into a hash table H indexed by the \(n-r_{f}\) bits of \(C_{1}\) and \(n-r_{f}\) bits of \(C_{2}\) that are 0 in \(\delta '\). We randomly choose \((C_{1},C_{2})\) and \((C'_{1},C'_{2})\) to generate quartet \((C_{1},C_{2},C_{3},C_{4})\) with each \(2(n-r_{f})\)-bit index, where \((C_{3},C_{4})=(C_{1}^{`},C_{2}^{`})\).

   4. (d)

      Determine the key candidates related to \(E_{f}\) using the quartets obtained above and increase the corresponding counters. Similarly, denote the time complexity in this step as \(\epsilon _{3}\).

   5. (e)

      Select the top \(2^{m_{f}-h}\) hits in the counter to be the candidates, which delivers a h-bit or higher advantage.

   6. (f)

      Guess the remaining \(k-m_{b}-m_{f}\) unknown key bits according to the key schedule algorithm and exhaustively search over them to recover the correct key, where k is the key size.

The data complexity is \(D=y\cdot 2^{r_{b}}=\sqrt{s}\cdot 2^{\frac{n}{2}+1}/P\). The memory complexity is \(D+D/2+2^{m_{f}}\) to store the data, set S, and key counters. The time complexity to generate quartets by constructing set S is

$$\begin{aligned} T_{1}=2^{m_{b}}\cdot D=\sqrt{s} \cdot 2^{m_{b}+\frac{n}{2}+1}/P, \end{aligned}$$

the complexity of determining the key candidates is

$$\begin{aligned} \begin{aligned} T_{2}&=2^{m_{b}}\cdot 2^{2(n-r_{f})}\cdot 2\cdot \left( {\begin{array}{c}D^2\cdot 2^{-2(n-r_{f})-1}\\ 2\end{array}}\right) \cdot \epsilon _3\\&=2^{m_b}\cdot D^2\cdot 2^{2r_f-2n-2}\cdot \epsilon _3\\&=s \cdot 2^{m_{b}-n+2r_{f}}/{P^{2}}\cdot \epsilon _{3} \end{aligned} \end{aligned}$$

and the exhaustive search complexity is

$$\begin{aligned} T_{3}=2^{m_{b}}\cdot 2^{m_{f}-h}\cdot 2^{k-(m_{b}+m_{f})}=2^{k-h}, \end{aligned}$$

where \(h\le m_{f}.\)

1.4 Algorithm 4: Dong et al. ’s Single-key Variant

To avoid generating quartets that may never suggest key candidates as many as possible, Dong et al. presented a new rectangle attack framework [18] to transform Algorithm 3 into Algorithm 4 using a fast filter with partially guessed key \(k'_{f}\) and \(h_{f}\)-bit inactive internal states resulted from the partially guessed key. Denote \(m_{f}'=|k'_{f}|\). We summarize the procedures as follows:

1. 1.

   Collect and store y structures of \(2^{r_{b}}\) plaintexts each by traversing the active bits in each structure.

2. 2.

   Guess the possible \((m_{b}+m_{f}')\)-bit \(k_{b}\) and \(k'_{f}\) involved in \(E_{b}\) and part of \(E_{f}\):

   1. (a)

      Initialize an array of \(2^{m_{f}-m_{f}'}\) counters.

   2. (b)

      For each structure, construct set S in the same way with Model 3 in the following:

      $$\begin{aligned} S=\left\{ (P_{1},C_{1},P_{2},C_{2}): E_{b}(P_{1})\oplus E_{b}(P_{2})=\alpha \right\} . \end{aligned}$$
   3. (c)

      The size of S is \(y\cdot 2^{r_{b}-1}\). For each \((P_{1},C_{1},P_{2},C_{2})\) in S, partially decrypt \((C_{1},C_{2})\) to get two \(r_{f}'\)-bit partial internal state \((Y_{1},Y_{2})\). Insert S into a hash table indexed by \(n-r_{f}\) inactive bits of \(C_{1}\), \(n-r_{f}\) inactive bits of \(C_{2}\), \(r_{f}'\) inactive bits of both \(Y_{1}\) and \(Y_{2}\).

   4. (d)

      With each \(2(n-r_{f}+r_{f}')\)-bit index, we pick two distinct \((P_{1},C_{1},P_{2},C_{2})\), \((P'_{1},C'_{1},P'_{2},C'_{2})\) to generate the quartet, denoted as \((C_{1},C_{2},C_{3},C_{4})\), where \((C_{3},C_{4})=(C'_{1},C'_{2})\).

   5. (e)

      Determine the key candidates involved in \(E_{f}\) and increase the corresponding counters. Likewise, denote the time complexity in this step as \(\epsilon _{4}\).

   6. (f)

      Select the top \(2^{m_{f}-m_{f}'-h}\) hits in the counter to be the candidates, which delivers a h-bit or higher advantage.

   7. (g)

      Guess the remaining \(k-m_{b}-m_{f}\) unknown key bits according to the key schedule algorithm and exhaustively search over them to recover the correct key, where k is the key size.

The data complexity is \(D=y\cdot 2^{r_{b}}=\sqrt{s}\cdot 2^{\frac{n}{2}+1}/P\). The memory complexity is \(D+D/2+2^{m_{f}-m_{f}'}\) to store the data, set S, and key counters. The time complexity of generating quartets by constructing set S is

$$\begin{aligned} T_{1}=2^{m_{b}+m_{f}'}\cdot D=\sqrt{s} \cdot 2^{m_{b}+m_{f}'+\frac{n}{2}+1}/P, \end{aligned}$$

the complexity to determine key candidates is

$$\begin{aligned} \begin{aligned} T_{2}&=2^{m_{b}+m_{f}'}\cdot 2^{2(n-r_{f}+r_{f}')}\cdot 2 \cdot \left( {\begin{array}{c}D\cdot 2^{-1-2(n-r_{f}+r_{f}')}\\ 2\end{array}}\right) \cdot \epsilon _{4}\\&=2^{m_b+m_f'}\cdot D^2\cdot 2^{2r_f-2r_f'-2n-2}\cdot \epsilon _{4}\\&=s \cdot 2^{m_{b}+m'_{f}-n+2r_{f}-2r_{f}'}/{P^{2}} \cdot \epsilon _{4} \end{aligned} \end{aligned}$$

and the complexity of exhaustive search is

$$\begin{aligned} T_{3}=2^{m_{b}+m_{f}'}\cdot 2^{m_{f}-m_{f}'-h}\cdot 2^{k-(m_{b}+m_{f})}=2^{k-h}, \end{aligned}$$

where \(h\le 2^{m_{f}-m'_{f}}.\)

Actually, there are also another two refinements of Algorithm 4 presented in [18]. The first refinement is to balance the overall complexity by guessing different key cells among the partial key guesses. The second is to apply the improved algorithm to the related-key setting. More details about this can be found in [18]. In this paper, the refined algorithms can be grouped, in which Algorithm 4 is representative.

Distinguishers and Precomputation Tables

1.1 The New 11-Round Distinguisher For AES-192

Fig. 13

A 11-round boomerang distinguisher of AES-192. White stands for no difference, blue for a set difference, green for a known difference, and gray for a free variable

1.2 Precomputataion Tables for Attacks in Sect. 5

Table 14 Key schedule difference in the AES-192 trail

Table 15 Precomputation tables for 19-round attack on CRAFT, where underlined bytes are used as input and determine the time and memory complexity for building the table. Note that the precomputation table may be built for pairs or quartets. When a table is built for pairs, the filter effect in brackets is for two pairs

Table 16 Precomputation tables for the 11-round attack on Deoxys-BC-256, where underlined bytes are used as input and determine the time and memory complexity for building the table

Table 17 Precomputation tables for the 25-round attack on SKINNY-64–128, where underlined bytes are used as input and determine the time and memory complexity for building the table. Note that the precomputation table may be built for pairs or quartets