
Meet-in-the-Filter and Dynamic Counting with Applications to Speck

Conference paper. Applied Cryptography and Network Security (ACNS 2023).

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13905)

Abstract

We propose a new cryptanalytic tool for differential cryptanalysis, called meet-in-the-filter (MiF). It is suitable for ciphers with a slow or incomplete diffusion layer such as the ones based on Addition-Rotation-XOR (ARX). The MiF technique uses a meet-in-the-middle matching to construct differential trails connecting the differential’s output and the ciphertext difference. The proposed trails are used in the key recovery procedure, reducing time complexity and allowing flexible time-data trade-offs. In addition, we show how to combine MiF with a dynamic counting technique for key recovery.

We illustrate MiF in practice by reporting improved attacks on the ARX-based family of block ciphers Speck. We improve the time complexities of the best known attacks up to 15 rounds of Speck 32 and 20 rounds of Speck 64/128. Notably, our new attack on 11 rounds of Speck 32 has practical analysis and data complexities of \(2^{24.66}\) and \(2^{26.70}\) respectively, and was experimentally verified, recovering the master key in a matter of seconds.

The work was supported by the Luxembourg National Research Fund’s (FNR) and the German Research Foundation’s (DFG) joint project APLICA (C19/IS/13641232) and FNR’s project SP2 (PRIDE15/10621687/SPsquared).

An extended preprint version of this work is available at https://ia.cr/2022/673 [5].


Notes

  1. We refer to [8], which is the extended version of [7] and which contains a full description of Dinur’s algorithm.

  2. Experimental verification of our 11- and 12-round attacks on Speck 32/64 is available at github.com/cryptolu/MeetInTheFilter_Speck. Our attack experiments were run on a single core of a laptop with an Intel® Core™ i7-1185G7 CPU clocked at 3.00 GHz and 32 GiB RAM.

  3. Deviations in average trail probability drop below 5% between 100 000 and 500 000 samples for smaller to larger cluster sizes, respectively.

  4. Bitslice-style optimizations for reducing this crucial constant might significantly improve the attack time complexity further, compared to [8].

References

  1. Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced Simon and Speck. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_27

  2. Bao, Z., Guo, J., Liu, M., Ma, L., Tu, Y.: Conditional differential-neural cryptanalysis. Cryptology ePrint Archive, Report 2021/719 (2021)

  3. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK Families of Lightweight Block Ciphers. Cryptology ePrint Archive, Report 2013/404 (2013)

  4. Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_28

  5. Biryukov, A., dos Santos, L.C., Teh, J.S., Udovenko, A., Velichkov, V.: Meet-in-the-filter and dynamic counting with applications to Speck. Cryptology ePrint Archive, Paper 2022/673 (2022)

  6. Derbez, P., Fouque, P.-A., Jean, J.: Improved key recovery attacks on reduced-round AES in the single-key setting. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_23

  7. Dinur, I.: Improved differential cryptanalysis of round-reduced Speck. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 147–164. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_9

  8. Dinur, I.: Improved differential cryptanalysis of round-reduced Speck. Cryptology ePrint Archive, Report 2014/320 (2014)

  9. Dunkelman, O., Keller, N., Shamir, A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_10

  10. Dunkelman, O., Sekar, G., Preneel, B.: Improved meet-in-the-middle attacks on reduced-round DES. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 86–100. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77026-8_8

  11. Gohr, A.: Improving attacks on round-reduced Speck32/64 using deep learning. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 150–179. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_6

  12. Huang, M., Wang, L.: Automatic tool for searching for differential characteristics in ARX ciphers and applications. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 115–138. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7_6

  13. Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_2

  14. Lee, H., Kim, S., Kang, H., Hong, D., Sung, J., Hong, S.: Calculating the approximate probability of differentials for ARX-based cipher using SAT solver. J. Korea Inst. Inf. Secur. Cryptol. 28(1), 15–24 (2018)

  15. Lipmaa, H., Moriai, S.: Efficient algorithms for computing differential properties of addition. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 336–350. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45473-X_28

  16. Liu, F., Isobe, T., Meier, W.: Cryptanalysis of full LowMC and LowMC-M with algebraic techniques. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 368–401. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_13

  17. Rechberger, C., Soleimany, H., Tiessen, T.: Cryptanalysis of low-data instances of full LowMCv2. IACR Trans. Symmetric Cryptol. 2018(3), 163–181 (2018)

  18. Song, L., Huang, Z., Yang, Q.: Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 379–394. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40367-0_24


Acknowledgement

We thank Daniel Feher and Giuseppe Vitto for implementation of Dinur’s filtering algorithm and early study of key-recovery strategies in MiF.

Corresponding author: Aleksei Udovenko.

Appendices

A Differentials

Table 3. Differentials used in this paper. Where existing differentials were not available, we used a SAT solver to compute them. Pr T is the probability of the best trail and Pr D is the probability of the differential; both are expressed as \(-\log _2(Pr)\).

B Parameters and Complexities of Our Attacks on Speck32 and Speck64

In Table 4, we provide parameters for several of the best attacks, including those using the (1+6+2+2) split, on 11-round Speck 32.

Table 4. Attacks on 11 round Speck 32: The “Diff. ID” column refers to the IDs of the differentials in Table 3.

In Table 5, we summarize the best attacks on 12 to 15 rounds of Speck 32 along with the attack parameters. For each number of rounds, we list the best attack in terms of time complexity and optimal attacks that use a similar amount of data as previous attacks in the literature.

Table 5. Attacks on 12–15 rounds of Speck 32: The “Diff. ID” column refers to the IDs of the differentials in Table 3.

In Table 6, we highlight some of our best attacks on 13, 19 and 20 rounds of Speck 64/128, all of which adopt a \(1+r+2+2\) split.

Table 6. Attacks on Speck 64: The “Diff. ID” column refers to the IDs of the differentials in Table 3.

C Key Recovery Complexity Graphs

In this appendix, we provide workload graphs for various best MiF attack families on different Speck instances. These graphs show the predicted total number of trail-subkey pairs visited at each depth (accumulated over all visited branches). Each graph presents a family of attacks for varying values of \(c=1\ldots 6\). This allows us to clearly illustrate the effect of the counting technique coupled with MiF. We outline briefly the most interesting data on these graphs:

  • The starting point of each curve is the predicted initial number of trails suggested by MiF. It is adapted for each c based on the factor \(c'\) (see Appendix E).

  • The total number of trail-subkey pairs across all (integral) depths except the last one (roughly, the area under the curve) defines the time complexity \(T_{\textrm{enum}}\) of the recursive procedure, up to a complexity coefficient (see Claim 2, Claim 3).

  • The final value of the curve is the number of recovered subkey groups to be tested, either by conformance to the trail or by full trial decryptions. This induces the time complexity \(T_{\textrm{trials}}\), again up to a complexity coefficient (see Claim 1).

Note that the coefficients of \(T_{\textrm{enum}}\) and \(T_{\textrm{trials}}\) are slightly different, so the dominating term is not always clear from the graphs alone. However, both contribute to the attack’s complexity \(T_\textrm{att}\) (Figs. 3, 4, 5, 6 and 7).

Fig. 3. Time complexity analysis of the fastest attack family on 11-round Speck 32 (see Table 4, attack #5 with \(c=3\)). Lines plotted are the predicted numbers of trail-subkey pairs visited at each depth \(0\ldots 64\) for attacks with \(c=1,2,3,4\); data points mark data collected from a real experiment with bad trails only (in the case \(c=1\), missing points were not obtained due to complexity limitations; in the cases \(c=3,4\), missing points signify the absence of surviving wrong candidates).

Fig. 4. Time complexity analysis of an attack family on 14-round Speck 32 (see Table 5, #6, #7), zoomed into the last 16 bits of key recovery (the dominating part). Lines plotted are the predicted numbers of trail-subkey pairs visited at each depth \(0\ldots 64\) for attacks with \(c=1,2,3,4,5,6\). Note that attacks with \(c\ge 3\) require an infeasible amount of data.

Fig. 5. Time complexity analysis of an attack family on 15-round Speck 32 (see Table 5, #8), zoomed into the last 16 bits of key recovery (the dominating part). Lines plotted are the predicted numbers of trail-subkey pairs visited at each depth \(0\ldots 64\) for attacks with \(c=1,2,3,4,5,6\). Note that attacks with \(c\ge 2\) require an infeasible amount of data.

Fig. 6. Time complexity analysis of an attack family on 19-round Speck 64 (see Table 6, #5). Lines plotted are the predicted numbers of trail-subkey pairs visited at each depth \(0\ldots 128\) for attacks with \(c=1,2,3,4,5,6\).

Fig. 7. Time complexity analysis of an attack family on 19-round Speck 64 (see Table 6, #5), zoomed into the last 48 bits of key recovery (the dominating part). Lines plotted are the predicted numbers of trail-subkey pairs visited at each depth \(0\ldots 128\) for attacks with \(c=1,2,3,4,5,6\).

D Memory Optimizations for the Multi-Trail Key Recovery Procedure

  • On-the-fly quick filtering. In Speck, due to a round subkey being added only to one branch, a large fraction of suggested trails does not have valid keys for decryption of the associated ciphertext pairs in accordance with the trails. Part of this filter can be implemented very efficiently using Dinur’s multi-bit filters. For example, in Speck 32, 6-bit filters applied to the last round’s transition keep only about 0.25 of all trails.

  • On-the-fly deep filtering. In our attacks, the MiF backwards filter covers 2 rounds, and these 2 rounds have very high-weight transitions on average. Therefore, checking the existence of 2-round keys allows filtering out more trails. This can be implemented by running the single-trail recursive procedure for up to 2 rounds. Note that this method has negligible time overhead, in contrast to Dinur’s seemingly similar initial 2-round subkey guessing. This is due to the availability of the full trail from MiF, which allows search tree cutoffs at each bit level.

  • Larger first recursion step. The multi-trail procedure keeps a list of trails per depth level of the recursion. These lists have quickly decreasing sizes (according to Lemma 6, the expected factor per bit of a random differential transition through ADD is \(\sqrt[n]{(4/7)^{n-1}}\le 2^{-0.75}\) for \(n\ge 16\)). Therefore, the total storage expansion (compared to the size of the input list of trails) is below the sum of this geometric progression, equal to \(1/(1-2^{-0.75})\approx 2.47\). It can effectively be reduced to 1 by increasing the first recursion step’s guess to several bits, which chops off the heaviest lists of trails on the recursion path. For example, guessing 8 bits instead of 1 would replace the factor

    $$\begin{aligned} 1 + 2^{-0.75} + 2^{-1.5} + 2^{-2.25} + \ldots + 2^{-6} + 2^{-6.75} + \ldots \approx 2.47 \end{aligned}$$
    (16)

    by

    $$\begin{aligned} 1 + 2^{-6} + 2^{-6.75} + \ldots \approx 1.039. \end{aligned}$$
    (17)

    We remark that this step is very similar to Dinur’s initial 2-round subkey guessing. However, by guessing a smaller number of bits (which is possible due to the availability of the trail) we can minimize the memory overhead without visibly affecting the time complexity.

  • Compact storage. In our attacks on Speck, the backwards filter covers 2 rounds. Due to the Feistel-like structure, input and output differences of 2 rounds of Speck completely determine the intermediate differences, i.e., the full 2-round trail. Therefore, instead of storing full 4-round trails as required for the key recovery, we could initially store trails in a compressed form: the ciphertext difference \(\varDelta {C}\) and the cluster difference \(\varDelta {X}\). The last 2 rounds of the trail can be recovered due to the aforementioned property of the Feistel structure, and the preceding rounds can be recovered from the cluster.

    Note that the (de)compression overhead on time complexity is negligible at the first depths. At a particular depth, when the list of trails is sufficiently small, all the auxiliary information required to minimize the time complexity can be computed and stored for subsequent computations, causing only a negligible memory overhead.

Based on the described techniques, we propose the following claim, which we will use for memory complexity estimations of our attacks. We remark that further reduction is possible through careful analysis of on-the-fly filtration efficiency.

Claim 4

The memory complexity of the multi-trail procedure with optimizations can be estimated as \(2 \cdot n_{\textrm{trails}}\) encryption blocks.
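The two on-the-fly filters above both reduce to the same primitive: given a ciphertext pair and the differences a trail prescribes one round earlier, enumerate the last-round subkeys (if any) under which one-round decryption of the pair follows the trail, fixing the subkey bit by bit from the LSB and cutting the search off as soon as a difference bit cannot match. The following is an added example of that primitive for Speck32, written for this page; it is not the paper’s code (the authors’ experiments are linked in Note 2). Speck32 is implemented from the public specification and checked against its published test vector; `last_round_keys` is the one-round instance of the recursive procedure, `quick_filter` stops the same recursion after a few bits in the spirit of Dinur’s multi-bit filters, and the key, plaintext pair and input difference in `demo` are constructed here for illustration only. Function names are ours.

```python
"""Added example, not the paper's code: the Speck32 one-round key filter behind the
multi-trail recursion (bit-level enumeration with cutoffs) and a multi-bit quick
filter obtained by stopping after a few bits. Speck32 follows the public spec;
the demo key and plaintext pair are constructed here."""
import random

N = 16                      # Speck32 word size
MASK = (1 << N) - 1
ALPHA, BETA = 7, 2          # Speck32 rotation amounts

def rol(x, r):
    return ((x << r) | (x >> (N - r))) & MASK

def ror(x, r):
    return ((x >> r) | (x << (N - r))) & MASK

def speck32_round(x, y, k):
    """One Speck round; the subkey enters the left word only."""
    x = ((ror(x, ALPHA) + y) & MASK) ^ k
    return x, rol(y, BETA) ^ x

def speck32_round_inverse(x, y, k):
    y_prev = ror(y ^ x, BETA)                       # key independent
    return rol(((x ^ k) - y_prev) & MASK, ALPHA), y_prev

def speck32_key_schedule(key_words, rounds):
    """key_words = (k0, l0, l1, l2) for Speck32/64; returns the round subkeys."""
    k, l = [key_words[0]], list(key_words[1:])
    for i in range(rounds - 1):
        l_new, k_new = speck32_round(l[i], k[i], i)
        l.append(l_new)
        k.append(k_new)
    return k

def speck32_encrypt(x, y, key_words, rounds=22):
    for k in speck32_key_schedule(key_words, rounds):
        x, y = speck32_round(x, y, k)
    return x, y

def _search(pair, dx_prev, dy_prev, bits):
    """Enumerate v = x_r ^ k_r such that one-round decryption of both ciphertexts
    gives the trail difference (dx_prev, dy_prev). Bits of v are fixed from the
    LSB up while the borrows of the two subtractions v - y_{r-1} are tracked; a
    branch is cut off as soon as a difference bit disagrees with the trail.
    Only the lowest `bits` bits are decided (partial values if bits < N)."""
    (x0, y0), (x1, y1) = pair
    yp0, yp1 = ror(y0 ^ x0, BETA), ror(y1 ^ x1, BETA)
    if yp0 ^ yp1 != dy_prev:          # key-independent part of the filter
        return []
    gamma = x0 ^ x1                   # difference of the two modular sums
    alpha = ror(dx_prev, ALPHA)       # required difference of x_{r-1} >>> 7
    out = []
    def rec(i, v, b0, b1):
        if i == bits:
            out.append(v)
            return
        yb0, yb1 = (yp0 >> i) & 1, (yp1 >> i) & 1
        for vb0 in (0, 1):
            vb1 = vb0 ^ ((gamma >> i) & 1)
            u0, u1 = vb0 ^ yb0 ^ b0, vb1 ^ yb1 ^ b1    # bit i of v - y_{r-1}
            if u0 ^ u1 != (alpha >> i) & 1:
                continue                                # search tree cutoff
            nb0 = ((1 - vb0) & (yb0 | b0)) | (yb0 & b0)  # borrow out of bit i
            nb1 = ((1 - vb1) & (yb1 | b1)) | (yb1 & b1)
            rec(i + 1, v | (vb0 << i), nb0, nb1)
    rec(0, 0, 0, 0)
    return out

def last_round_keys(pair, dx_prev, dy_prev):
    """All last-round subkeys consistent with the pair and the trail."""
    return sorted(v ^ pair[0][0] for v in _search(pair, dx_prev, dy_prev, N))

def quick_filter(pair, dx_prev, dy_prev, bits=6):
    """Multi-bit filter: if no assignment of the lowest `bits` bits survives,
    no last-round subkey exists for this trail and it can be discarded."""
    return bool(_search(pair, dx_prev, dy_prev, bits))

def last_round_keys_bruteforce(pair, dx_prev, dy_prev):
    """Reference: try every subkey and keep those matching the trail."""
    (x0, y0), (x1, y1) = pair
    keys = []
    for k in range(1 << N):
        a, b = speck32_round_inverse(x0, y0, k), speck32_round_inverse(x1, y1, k)
        if (a[0] ^ b[0], a[1] ^ b[1]) == (dx_prev, dy_prev):
            keys.append(k)
    return keys

def demo(rounds=11, seed=1):
    """Encrypt a constructed pair under a random key, read the true difference
    before the last round off the intermediate states, and compare the
    bit-level filter against brute force."""
    rng = random.Random(seed)
    ks = speck32_key_schedule(tuple(rng.randrange(1 << N) for _ in range(4)), rounds)
    s0 = (rng.randrange(1 << N), rng.randrange(1 << N))
    s1 = (s0[0] ^ 0x0040, s0[1])                # constructed input difference
    for k in ks[:-1]:
        s0, s1 = speck32_round(*s0, k), speck32_round(*s1, k)
    dx_prev, dy_prev = s0[0] ^ s1[0], s0[1] ^ s1[1]
    pair = (speck32_round(*s0, ks[-1]), speck32_round(*s1, ks[-1]))
    keys = last_round_keys(pair, dx_prev, dy_prev)
    return {"true_key_found": ks[-1] in keys, "n_keys": len(keys),
            "matches_bruteforce": keys == last_round_keys_bruteforce(pair, dx_prev, dy_prev),
            "quick_filter_passes": quick_filter(pair, dx_prev, dy_prev)}

if __name__ == "__main__":
    print(demo())
```

The recursion branches only where both values of a bit of v keep the difference consistent with the trail, so its cost is proportional to the number of surviving partial assignments rather than to \(2^{16}\); the 2-round deep filter of the text is the same recursion continued through the previous round’s subtraction.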

E Computing the Required Multiplier for Counting

The binomial distribution converges to the Poisson distribution when the number of trials goes to infinity while the expected number of successes stays fixed. The following proposition is essentially the Poisson approximation. We derive it explicitly to make the approximations used visible, so that the approximation error can be bounded if necessary.

Proposition 1

Let \(q \in \mathbb {R}_{+}, q \ll 1\), \(c \in \mathbb {Z}, 1 \le c \ll 1/q\), and \(c' \in \mathbb {R}_{+}\) such that \(c'/q\) is an integer. Consider \(c'/q\) independent experiments, each with probability q of a positive outcome. The probability of succeeding at least c times is equal to (up to a negligible error)

$$\begin{aligned} 1-e^{-c'} \sum _{i=0}^{c-1} \frac{(c')^i}{i!}. \end{aligned}$$
(18)

Proof

The exact probability can be computed by subtracting from 1 the probabilities to succeed strictly less than c times:

$$\begin{aligned} \textrm{Pr}[\#\text {successes} \ge c] = 1 - \sum _{i=0}^{c-1} \left( {\begin{array}{c}c'/q\\ i\end{array}}\right) q^i (1-q)^{(c'/q)-i}. \end{aligned}$$
(19)

Since \(i \le c \ll 1/q \le c'/q\), we can use the approximation \(\left( {\begin{array}{c}n\\ k\end{array}}\right) \approx \frac{n^k}{k!}\). Since \(q \ll 1\), we can approximate \((1-q)^{(c'/q)-i}\) as \(e^{-c'}/(1-q)^i \approx e^{-c'}\). After cancelling \(q^i\) and moving \(e^{-c'}\) outside, the proposition follows.

We now consider the problem of finding the right \(c'\) given the target success rate \(\tilde{q}\) of obtaining at least c positive outcomes. Note that, in the regime \(q \ll 1\) of Proposition 1, this value is practically independent of q.

Proposition 2

Given the target success rate \(\tilde{q} \in \mathbb {R}_{+}\), the required number \(c'/q\) of experiments is characterized by the following equation:

$$\begin{aligned} \sum _{i=0}^{c-1} \frac{(c')^i}{i!} = e^{c'+b}, ~~\text {where}~b = \ln (1-\tilde{q}). \end{aligned}$$
(20)

Proof

Follows from Proposition 1 by equating Eq. (18) to \(\tilde{q}\) and rearranging.

Since \(c'\) affects the overall success probability monotonically, its value can be computed by binary search on the error of the equation, i.e., on the difference between the left-hand and right-hand sides divided by \(e^{c'}\); this quantity equals \(e^{-c'}\sum _{i=0}^{c-1} (c')^i/i! - (1-\tilde{q})\), which is strictly decreasing in \(c'\), so the root is unique.
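Propositions 1 and 2 carried through in code, as an added example written for this page (not the paper’s code): `prob_at_least` is Eq. (18), `prob_at_least_exact` is the exact binomial Eq. (19) kept only to measure the approximation error for a concrete q, and `required_multiplier` solves Eq. (20) for \(c'\) by the bisection described above. The function names, the sample target success rate 0.9 and the sample q used for the error check are ours.

```python
"""Added example, not the paper's code: computing the multiplier c' of Appendix E.
prob_at_least implements Eq. (18), prob_at_least_exact the binomial Eq. (19) used to
check the approximation, and required_multiplier solves Eq. (20) by bisection.
Function names and the sample parameters are ours."""
import math

def prob_at_least(c, cp):
    """Eq. (18): P[at least c positive outcomes] among c'/q experiments with
    success probability q, in the Poisson limit q -> 0 (depends on c' only)."""
    return 1.0 - math.exp(-cp) * sum(cp ** i / math.factorial(i) for i in range(c))

def prob_at_least_exact(c, q, cp):
    """Eq. (19): the exact binomial value for a concrete q, with n = c'/q
    rounded to an integer; used only to measure the approximation error."""
    n = round(cp / q)
    return 1.0 - sum(math.comb(n, i) * q ** i * (1.0 - q) ** (n - i) for i in range(c))

def required_multiplier(c, target, tol=1e-12):
    """Solve Eq. (20), sum_{i<c} c'^i/i! = e^{c'+b} with b = ln(1 - target), for c'.
    Dividing both sides by e^{c'} turns the left side into P[Poisson(c') < c],
    which is strictly decreasing in c', so prob_at_least(c, .) is strictly
    increasing and crosses `target` exactly once: bisection is safe."""
    if not 0.0 < target < 1.0:
        raise ValueError("target success rate must lie in (0, 1)")
    if c < 1:
        raise ValueError("c must be a positive integer")
    lo, hi = 0.0, 1.0
    while prob_at_least(c, hi) < target:      # grow the bracket until it holds the root
        hi *= 2.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if prob_at_least(c, mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def data_overhead(c, target):
    """Ratio c'/c: how much more data than the naive c/q is needed to see at
    least c positive outcomes with probability `target`."""
    return required_multiplier(c, target) / c

def approximation_error(c, q, target):
    """Gap between the exact binomial success rate and the Poisson value at
    the computed c', for a concrete q; shrinks as q -> 0."""
    cp = required_multiplier(c, target)
    return abs(prob_at_least_exact(c, q, cp) - prob_at_least(c, cp))

if __name__ == "__main__":
    for c in range(1, 7):           # sample parameters: target success rate 0.9
        print(c, round(required_multiplier(c, 0.9), 4), round(data_overhead(c, 0.9), 4))
```

For c = 1 the equation collapses to \(c' = -\ln(1-\tilde{q})\), which is a convenient sanity check for the solver; for larger c the bisection is needed, and `approximation_error` shows how far the Poisson value drifts from the binomial one once q is no longer small.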

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Biryukov, A., Cardoso dos Santos, L., Teh, J.S., Udovenko, A., Velichkov, V. (2023). Meet-in-the-Filter and Dynamic Counting with Applications to Speck. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/978-3-031-33488-7_6

  • DOI: https://doi.org/10.1007/978-3-031-33488-7_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33487-0

  • Online ISBN: 978-3-031-33488-7