Abstract
We propose a new cryptanalytic tool for differential cryptanalysis, called meet-in-the-filter (MiF). It is suitable for ciphers with a slow or incomplete diffusion layer such as the ones based on Addition-Rotation-XOR (ARX). The MiF technique uses a meet-in-the-middle matching to construct differential trails connecting the differential’s output and the ciphertext difference. The proposed trails are used in the key recovery procedure, reducing time complexity and allowing flexible time-data tradeoffs. In addition, we show how to combine MiF with a dynamic counting technique for key recovery.
We illustrate MiF in practice by reporting improved attacks on the ARX-based family of block ciphers Speck. We improve the time complexities of the best known attacks up to 15 rounds of Speck 32 and 20 rounds of Speck 64/128. Notably, our new attack on 11 rounds of Speck 32 has practical analysis and data complexities of \(2^{24.66}\) and \(2^{26.70}\) respectively, and was experimentally verified, recovering the master key in a matter of seconds.
The work was supported by the Luxembourg National Research Fund’s (FNR) and the German Research Foundation’s (DFG) joint project APLICA (C19/IS/13641232) and FNR’s project SP2 (PRIDE15/10621687/SPsquared).
An extended preprint version of this work is available at https://ia.cr/2022/673 [5].
Notes
1.
2. Experimental verification of our 11- and 12-round attacks on Speck 32/64 is available at github.com/cryptolu/MeetInTheFilter_Speck. Our attack experiments were run on a single core of a laptop with Intel® Core™ i7-1185G7 CPU clocked at 3.00 GHz and 32 GiB RAM.
3. Deviations in average trail probability drop below 5% between 100 000 and 500 000 samples for smaller to larger cluster sizes, respectively.
4. Bitslice-style optimizations for reducing this crucial constant might significantly improve the attack time complexity further, compared to [8].
References
Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced Simon and Speck. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_27
Bao, Z., Guo, J., Liu, M., Ma, L., Tu, Y.: Conditional differential-neural cryptanalysis. Cryptology ePrint Archive, Report 2021/719 (2021)
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK Families of Lightweight Block Ciphers. Cryptology ePrint Archive, Report 2013/404 (2013)
Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_28
Biryukov, A., dos Santos, L.C., Teh, J.S., Udovenko, A., Velichkov, V.: Meet-in-the-filter and dynamic counting with applications to Speck. Cryptology ePrint Archive, Paper 2022/673 (2022)
Derbez, P., Fouque, P.A., Jean, J.: Improved key recovery attacks on reduced-round AES in the single-key setting. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_23
Dinur, I.: Improved differential cryptanalysis of round-reduced Speck. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 147–164. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_9
Dinur, I.: Improved differential cryptanalysis of round-reduced Speck. Cryptology ePrint Archive, Report 2014/320 (2014)
Dunkelman, O., Keller, N., Shamir, A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_10
Dunkelman, O., Sekar, G., Preneel, B.: Improved meet-in-the-middle attacks on reduced-round DES. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 86–100. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77026-8_8
Gohr, A.: Improving attacks on round-reduced Speck32/64 using deep learning. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 150–179. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_6
Huang, M., Wang, L.: Automatic tool for searching for differential characteristics in ARX ciphers and applications. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 115–138. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7_6
Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_2
Lee, H., Kim, S., Kang, H., Hong, D., Sung, J., Hong, S.: Calculating the approximate probability of differentials for ARX-based cipher using SAT solver. J. Korea Inst. Inf. Secur. Cryptol. 28(1), 15–24 (2018)
Lipmaa, H., Moriai, S.: Efficient algorithms for computing differential properties of addition. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 336–350. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45473-X_28
Liu, F., Isobe, T., Meier, W.: Cryptanalysis of full LowMC and LowMC-M with algebraic techniques. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 368–401. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_13
Rechberger, C., Soleimany, H., Tiessen, T.: Cryptanalysis of low-data instances of full LowMCv2. IACR Trans. Symmetric Cryptol. 2018(3), 163–181 (2018)
Song, L., Huang, Z., Yang, Q.: Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 379–394. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40367-0_24
Acknowledgement
We thank Daniel Feher and Giuseppe Vitto for the implementation of Dinur’s filtering algorithm and the early study of key-recovery strategies in MiF.
Appendices
A Differentials
B Parameters and Complexities of Our Attacks on Speck32 and Speck64
In Table 4, we provide parameters for several of the best attacks, including those using the (1+6+2+2) split, on 11-round Speck 32.
In Table 5, we summarize the best attacks on 12 to 15 rounds of Speck 32 along with the attack parameters. For each number of rounds, we list the best attack in terms of time complexity and the optimal attacks that use a similar amount of data as previous attacks in the literature.
In Table 6, we highlight some of our best attacks on 13, 19 and 20 rounds of Speck 64/128, all of which adopt a \(1+r+2+2\) split.
C Key Recovery Complexity Graphs
In this appendix, we provide workload graphs for various best MiF attack families on different Speck instances. These graphs show the predicted total number of trail-subkey pairs visited at each depth (accumulated over all visited branches). Each graph presents a family of attacks for varying values of \(c=1\ldots 6\). This allows us to clearly illustrate the effect of the counting technique coupled with MiF. We briefly outline the most interesting data on these graphs:

The starting point of each curve is the predicted initial number of trails suggested by MiF. It is adapted for each c based on the factor \(c'\) (see Appendix E).

The total number of trail-subkey pairs across all (integral) depths except the last one (roughly equal to the area under the curve) defines the time complexity \(T_{\textrm{enum}}\) of the recursive procedure, up to a complexity coefficient (see Claim 2, Claim 3).

The final value of the curve is the number of recovered subkey groups to be tested, either by conformance to the trail or by full trial decryptions. This induces the time complexity \(T_{\textrm{trials}}\), again up to a complexity coefficient (see Claim 1).
Note that the coefficients of \(T_{\textrm{enum}}\) and \(T_{\textrm{trials}}\) are slightly different, so the dominating term is not always clear from these graphs. However, both contribute to the attack’s complexity \(T_\textrm{att}\) (Figs. 3, 4, 5, 6 and 7).
D Memory Optimizations for the Multi-Trail Key Recovery Procedure

On-the-fly quick filtering. In Speck, since a round subkey is added to only one branch, a large fraction of the suggested trails has no valid key that decrypts the associated ciphertext pair in accordance with the trail. Part of this filter can be implemented very efficiently using Dinur’s multi-bit filters. For example, in Speck 32, 6-bit filters applied to the last round’s transition keep only about 0.25 of all trails.

On-the-fly deep filtering. In our attacks, the MiF backwards filter covers 2 rounds, and these 2 rounds have very high-weight transitions on average. Therefore, checking the existence of 2-round keys allows filtering out more trails. This can be implemented by running the single-trail recursive procedure up to 2 rounds. Note that this method has negligible time overhead, in contrast to the seemingly similar initial 2-round subkey guessing of Dinur. This is due to the availability of the full trail from MiF, which allows search tree cutoffs at each bit level.

Larger first recursion step. The multi-trail procedure keeps a list of trails per depth level in the recursion. These lists have quickly decreasing sizes (according to Lemma 6, the expected factor per bit of a random differential transition through ADD is \(\root n \of {(4/7)^{n-1}}\le 2^{-0.75}\) for \(n\ge 16\)). Therefore, the total storage size expansion (compared to the size of the input list of trails) is below the sum of this geometric progression, equal to \(1/(1-2^{-0.75})\approx 2.47\). It can be effectively reduced to 1 by increasing the first recursion step’s guess to several bits. This chops off the heaviest lists of trails on the recursion path. For example, guessing 8 bits instead of 1 would replace the factor
$$\begin{aligned} 1 + 2^{-0.75} + 2^{-1.5} + 2^{-2.25} + \ldots + 2^{-6} + 2^{-6.75} + \ldots \approx 2.47 \end{aligned}$$ (16)
by
$$\begin{aligned} 1 + 2^{-6} + 2^{-6.75} + \ldots \approx 1.039. \end{aligned}$$ (17)
We remark that this step is very similar to Dinur’s initial 2-round subkey guessing. However, by guessing a smaller number of bits (which is possible due to the availability of the trail) we can minimize the memory overhead without visibly affecting the time complexity.

Compact storage. In our attacks on Speck, the backwards filter covers 2 rounds. Due to the Feistel-like structure, the input and output differences of 2 rounds of Speck completely determine the intermediate differences, i.e., the full 2-round trail. Therefore, instead of storing the full 4-round trails required for the key recovery, we can initially store trails in a compressed form: the ciphertext difference \(\varDelta {C}\) and the cluster difference \(\varDelta {X}\). The last 2 rounds of the trail can be recovered due to the aforementioned property of the Feistel structure, and the preceding rounds can be recovered from the cluster.
Note that the (de)compression overhead on time complexity is negligible at the first depths. At a particular depth, when the list of trails is sufficiently small, all the auxiliary information required to minimize the time complexity can be computed and stored for the subsequent computations, causing only a negligible memory overhead.
Based on the described techniques, we propose the following claim, which we use for the memory complexity estimations of our attacks. We remark that a further reduction is possible through careful analysis of the on-the-fly filtration efficiency.
Claim 4
The memory complexity of the multitrail procedure with optimizations can be estimated as \(2 \cdot n_{\textrm{trails}}\) encryption blocks.
E Computing the Required Multiplier for Counting
The binomial distribution converges to the Poisson distribution when the number of trials goes to infinity. The following proposition is essentially given by the Poisson distribution. We derive it explicitly to highlight the approximations used so that the approximation error can be bounded if necessary.
Proposition 1
Let \(q \in \mathbb {R}_{+}\), \(q \ll 1\) and \(c \in \mathbb {Z}\), \(1 \le c \ll 1/q\). Consider \(c'/q\) independent experiments, each with probability q of a positive outcome. The probability of succeeding at least c times is equal to (up to a negligible error)
Proof
The exact probability can be computed by subtracting from 1 the probabilities of succeeding strictly fewer than c times:
Since \(i \le c \ll 1/q \le c'/q\), we can use the approximation \(\left( {\begin{array}{c}n\\ k\end{array}}\right) \approx \frac{n^k}{k!}\). Since \(q \ll 1\), we can approximate \((1-q)^{(c'/q)-i}\) as \(e^{-c'}/(1-q)^i \approx e^{-c'}\). After cancelling \(q^i\) and moving \(e^{-c'}\) outside the sum, the proposition follows.
We now consider the problem of finding the right \(c'\) given the target success rate \(\tilde{q}\) of obtaining at least c positive outcomes. Note that this value is practically independent of q when 1/q is sufficiently large.
Proposition 2
Given the target success rate \(\tilde{q} \in \mathbb {R}_{+}\), the required number \(c'/q\) of experiments is characterized by the following equation:
Proof
Follows from Proposition 1 by equating Eq. (18) to \(\tilde{q}\).
Since \(c'\) affects the overall success probability monotonically, its value can be computed by binary search on the error of the equation (i.e., the difference between the left-hand and the right-hand sides, which decreases as \(c'\) increases).
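As an added illustration (not code from the paper or its repository), the following Python computes the multiplier \(c'\) of Propositions 1 and 2. It assumes that the approximations listed in the proof of Proposition 1 yield the Poisson tail \(1 - e^{-c'}\sum_{i<c} c'^i/i!\), checks that tail against the exact binomial for a concrete q, and performs the binary search of Proposition 2 for the families \(c = 1\ldots 6\) used in Appendix C.

```python
import math


def success_prob_approx(c_prime: float, c: int) -> float:
    """P(at least c positive outcomes among c'/q experiments) using the
    approximations from the proof of Proposition 1 (binomial(n, i) ~ n^i/i!,
    (1-q)^(n-i) ~ e^{-c'}). Assumed closed form: the Poisson tail
    1 - e^{-c'} * sum_{i<c} c'^i / i!, which no longer depends on q."""
    return 1.0 - math.exp(-c_prime) * sum(c_prime ** i / math.factorial(i) for i in range(c))


def success_prob_exact(c_prime: float, c: int, q: float) -> float:
    """The same probability computed exactly from the binomial distribution for a
    concrete q, so the approximation error of Proposition 1 can be measured."""
    n = round(c_prime / q)  # number of experiments
    return 1.0 - sum(math.comb(n, i) * q ** i * (1.0 - q) ** (n - i) for i in range(c))


def required_multiplier(c: int, target: float, tol: float = 1e-9) -> float:
    """Smallest c' whose (approximate) success rate reaches the target rate
    (Proposition 2). The error target - success_prob_approx(c', c) decreases
    monotonically in c', so a bracketing binary search is sufficient."""
    lo, hi = 0.0, 1.0
    while success_prob_approx(hi, c) < target:  # widen the bracket until it contains the root
        hi *= 2.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if success_prob_approx(mid, c) < target:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    # Multipliers for the attack families c = 1..6 at a constructed 90% target rate,
    # with the exact binomial value for q = 2^-12 shown next to the approximation.
    for c in range(1, 7):
        cp = required_multiplier(c, 0.90)
        print(f"c={c}: c'={cp:.3f}  approx={success_prob_approx(cp, c):.4f}"
              f"  exact(q=2^-12)={success_prob_exact(cp, c, 2.0 ** -12):.4f}")
```

For c = 1 the search reproduces the closed form c' = ln(1/(1 - q̃)); for larger c the multiplier grows, which is the c-dependence of the starting points in the Appendix C graphs.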
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Biryukov, A., Cardoso dos Santos, L., Teh, J.S., Udovenko, A., Velichkov, V. (2023). Meet-in-the-Filter and Dynamic Counting with Applications to Speck. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/978-3-031-33488-7_6
DOI: https://doi.org/10.1007/978-3-031-33488-7_6
Print ISBN: 978-3-031-33487-0
Online ISBN: 978-3-031-33488-7