New cryptanalysis of LowMC with algebraic techniques

LowMC is a family of block ciphers proposed by Albrecht et al. at EUROCRYPT 2015, which is tailored specifically for FHE and MPC applications. At ToSC 2018, a difference enumeration attack was given for the cryptanalysis of low-data instances of full LowMCv2 with few applied S-boxes per round. Recently at CRYPTO 2021, an efficient algebraic technique was proposed to attack 4-round LowMC adopting a full S-box layer. Following these works, we present a new difference enumeration attack framework, which is based on our new observations on the LowMC S-box, to analyze LowMC instances with a full S-box layer. As a result, with only 3 chosen plaintexts, we can attack 4-round LowMC instances which adopt a full S-box layer with block size of 129, 192, and 255 bits, respectively. We show that all these attacks have either a lower time complexity or a higher success probability than those reported in the CRYPTO paper.


Introduction
The LowMC family of block ciphers [1] was first proposed by Albrecht et al. at EUROCRYPT 2015 and was designed to achieve low multiplicative complexity, which is tailored specifically for MPC [16,18,24,29,30] and FHE [7,15] applications. LowMC uses flexible Substitution-Permutation-Network (SPN) constructions, where instantiations can be created by independently choosing the block size n, the key size k, the number of S-boxes m in the substitution layer and the allowed data complexity d of attacks. In particular, some of the instances adopt the so-called partial Substitution-Permutation Network (P-SPN), in which the S-boxes are applied to only part of the state bits of the cipher.
LowMC has been utilized as the underlying block cipher of the post-quantum signature scheme Picnic [9], which is an alternative candidate in the third round of NIST's Post-Quantum Cryptography competition [25]. Recently, alternative parameters of LowMC were chosen for Picnic3 [17]. Different from Picnic2, where a partial S-box layer is adopted when instantiating LowMC, a full S-box layer is used when generating the three instances of LowMC in Picnic3. In Picnic3, 4-round LowMC is recommended and 5-round LowMC is treated as an alternative.
The proposal of LowMC not only starts a new trend to design symmetric-key primitives, like FLIP [23], MiMC [2], Kreyvrium [8], Rasta [13], GMiMC [3], and Ciminion [14], but also raises new challenges for cryptanalysis to evaluate its security. Soon after its publication, a higher-order differential attack (ICISC 2015, Dobraunig et al. [12]) and an optimized interpolation attack (ASIACRYPT 2015, Dinur et al. [11]) were given, which directly made LowMC move to LowMC v2, although with a high data complexity. Later at FSE 2018, Rechberger et al. [27] proposed the so-called difference enumeration technique to analyse LowMC instances with a few S-boxes in each round. Rechberger et al.'s approach requires very little data, as little as 3 chosen plaintext-ciphertext pairs. To resist such attacks, LowMC was further updated to LowMC v3. At CRYPTO 2021, Liu et al. [19] revisited the difference enumeration technique for LowMC and showed that some important LowMC instances are still insecure. They achieved efficient key recovery attacks on 3 instances of 4-round LowMC, with only 2 chosen plaintexts. Recently, Liu et al. [22] proposed an algebraic meet-in-the-middle (MITM) technique to analyze LowMC with a partial S-box layer. As a result, the attacks on LowMC and LowMC-M [26] published at CRYPTO 2021 are further improved and some LowMC instances could be broken for the first time.
In another direction, cryptanalysis of the LowMC block cipher when the attacker has access to a single known plaintext/ciphertext pair is particularly relevant when arguing the security of the Picnic digital signature scheme. In Picnic, the plaintext/ciphertext pair generated by the LowMC block cipher serves as the public (verification) key and the corresponding LowMC encryption key also serves as the secret (signing) key of the signature scheme. Therefore, a key recovery attack with data complexity one on the LowMC block cipher will lead to a signature forgery on Picnic. Until now, there have been several attacks on LowMC in this scenario [4-6, 10, 20, 21]. At ToSC 2020, Banik et al. [4] proposed guess-and-determine attacks on reduced 2-round LowMC in the Picnic setting. Following this work, at ASIACRYPT 2021, Banik et al. [5] proposed a 2-stage Meet-in-the-Middle (MITM) attack with a gray-code based approach, which reduced the computational complexity for 2 rounds and extended the number of attacked rounds to 3. A parallel work [10] also shows that 2 out of 3 instances of the 4-round LowMC in the Picnic3 setting can be broken, but it requires a huge amount of memory. Later, Banik et al. [6] combined the linearization techniques of [4,5] and the equation solving methods of [10] to analyse LowMC instances with complete non-linear layers, which yields a drastic reduction in terms of memory complexity. At ToSC 2022, Liu et al. [21] significantly improved the attacks on LowMC in the Picnic setting by using better time-memory tradeoffs. For a survey of key recovery attacks on LowMC in this attack scenario, readers may check the work done by Grassi et al. [31].
In this paper, we study the security of LowMC with low data complexity and we are most interested in Rechberger et al.'s work [27] and Liu et al.'s work [19]. In [27], Rechberger et al. presented a difference enumeration attack to analyse LowMC instances with a partial S-box layer. The difference enumeration attack is a chosen-plaintext attack, which consists of two steps. The first step is to encrypt a pair (or more) of chosen plaintexts and then recover the difference evolutions between the plaintexts through each component in each round with a meet-in-the-middle method, i.e. to recover the differential trail. This step is called the difference enumeration phase. The second step is to derive the secret key from the recovered differential trail. This step is called the key-recovery phase. As a result, the number of the required plaintexts can be as small as 4. Furthermore, the authors showed that it is more effective to consider d-differences instead of simple differences.
However, the original difference enumeration attack [27] doesn't fit well with LowMC instances with a full S-box layer. At CRYPTO 2021, Liu et al. [19] showed a new difference enumeration attack framework to attack the constructions adopting a full S-box layer with 2 chosen plaintexts.

Our contributions
We propose a new difference enumeration attack framework for LowMC instances with a full S-box layer. Instead of considering the traditional difference, we turn to consider the 2-difference and give some new observations on the LowMC S-box which can be exploited in our attack. We then enumerate 2-differences with algebraic techniques and efficiently derive the master key from the recovered 2-differential trails with the linearization technique. Finally, we apply our attack framework to 4-round LowMC with block size of 129, 192, 255 bits, respectively. Our results are summarized in Table 1. Our attacks have a quite low data complexity, which is only 3 chosen plaintexts. And all these attacks have either a lower time complexity or a higher success probability than those reported by Liu et al. in the previous CRYPTO paper.

Organization of the paper
We give a brief introduction of LowMC and some definitions in Sect. 2. In Sect. 3, we revisit the difference enumeration techniques. In Sect. 4, we introduce our approach in a high level and show some new observations on LowMC S-box. In Sect. 5, we introduce how to find all valid 4-round compact 2-differential trails in our attack by solving linear equations. In Sect. 6, we show how to recover the master key with the algebraic method. The analysis and experimental results of our attack on 4-round LowMC instances are given in Sect. 7. Finally, we conclude the paper in Sect. 8.

For the case of (n, k, m) = (129, 129, 43), our attack has a higher success probability; for (n, k, m) = (192, 192, 64), our attack is $2^{2}$ times faster than that proposed in [19] when limiting the success probability to 0.99 or more; for (n, k, m) = (255, 255, 85), our attack is $2^{4.6}$ times faster than that proposed in [19] when limiting the success probability to 0.986 or more.
(a) Success probability recalculated is higher than that reported in [19].

Preliminaries

A brief description of LowMC
LowMC [1] is a family of block ciphers with flexible SPN constructions. When instantiating LowMC, users can independently choose the parameters: the block size n, the key size k, the number of S-boxes m in each round and the allowed data complexity $2^D$ of attacks. The number of rounds R needed to reach the security against several known attacks with reasonable security margins is then derived from these parameters. The block cipher uses a 3-bit S-box which is the only non-linear transformation in the construction. Both the linear layers and the round key generation are done by multiplying with full rank matrices over GF(2) of appropriate dimensions. The encryption procedure of LowMC starts with a key whitening (WK), and then iterates the round function (as depicted in Fig. 1) R times, which consists of four operations in the following order.

1. SBoxLayer(SB): A 3-bit S-box is applied to the first 3m bits of the state in parallel. For the remaining n − 3m bits, an identity mapping is applied.
2. LinearLayer(L): The n-bit state is multiplied with an invertible n × n matrix $L_i$ over GF(2). The matrix $L_i$ is randomly chosen from all invertible binary n × n matrices.
3. ConstantAddition(AC): The n-bit state is XORed with an n-bit binary round constant $RC_i$. The round constant $RC_i$ is randomly chosen from all binary vectors of length n.
4. KeyAddition: The n-bit state is XORed with the n-bit round key $K_{i+1}$. To generate $K_{i+1}$, a matrix $U_{i+1}$ is randomly chosen from all full rank n × k binary matrices, and then $K_{i+1}$ is obtained by multiplying the k-bit master key with $U_{i+1}$.
The whitening key $K_0$ is also calculated by multiplying the master key with a random full-rank n × k binary matrix $U_0$.

Definitions
And the reference text s 0 is called the anchor of the d-difference.
We denote the plaintext by p and the ciphertext by c. The state after WK is denoted by $X_0$. In the i-th round, the input state of SB is denoted by $X_i$ and the output state of SB is denoted by $X_{i\_S}$, as shown below:
In particular, the 1-difference of plaintexts is denoted by $\Delta_p$. In the i-th round, we denote the 1-difference of the input state of SB by $\Delta_i$, and the 1-difference of the output state of SB by $\Delta_{i\_S}$, as shown below:
Definition 2 (Compact 1-Differential Trail [19]) Let $\Delta_0 \to \Delta_1 \to \cdots \to \Delta_r$ be a 1-differential trail, in which we may not know all $\Delta_i$ (0 ≤ i ≤ r). If all $(\Delta_j, \Delta_{j\_S})$ (0 ≤ j ≤ r − 1) and $\Delta_r$ are known, we call it an r-round compact 1-differential trail.
be a d-differential trail, in which we may not know all $(\alpha_j, \alpha_{j\_S})$ (0 ≤ j ≤ r − 1) and $\alpha_r$. If all $(\alpha_j, \alpha_{j\_S})$ (0 ≤ j ≤ r − 1) and $\alpha_r$ are known, we call it an r-round compact d-differential trail.

The difference enumeration attack framework
In this section, we briefly revisit the original difference enumeration attack [27] on instances with a partial S-box layer and the extended difference enumeration attack [19] on instances with a full S-box layer.
At ToSC 2018, the LowMC team proposed a difference enumeration attack [27] to analyze the security of LowMCv2 with a low data complexity. The difference enumeration attack consists of two phases. The first phase is called the difference enumeration phase, which is to recover internal d-differences for a chosen (d + 1)-tuple of plaintexts and the corresponding ciphertexts. In this phase, a meet-in-the-middle approach is applied. The second phase is the key-recovery phase, which is to derive the secret key from the recovered compact d-differential trail.
However, the original difference enumeration attack [27] is not very efficient when it comes to a full S-box layer. To refine the original difference enumeration attack, in the difference enumeration phase, Liu et al. [19] choose a desirable input difference such that it will activate as few S-boxes as possible in the first two rounds. Moreover, they enumerate the solutions of a linear equation system. In the key-recovery phase, for a retrieved 4-round compact 1-differential trail, they recover the full key by solving linear equations in the k-bit master key and some internal variables.
The algebraic techniques used in this extended attack are based on the following observations on LowMC S-box.

Observation 1 [19] For each valid non
, the inputs conforming to such a difference transition will form an affine space of dimension 1. In addition, $(y_0, y_1, y_2)$ becomes linear in $(x_0, x_1, x_2)$. A similar property also applies to the inverse of the S-box.
Observation 2 [19] For each non-zero input 1-difference $(\Delta x_0, \Delta x_1, \Delta x_2)$, its valid output 1-differences form an affine space of dimension 2. A similar property also applies to the inverse of the S-box.
Observation 3 [19] For an inactive S-box, the input becomes linear in the output after guessing two output bits, and the output becomes linear in the input after guessing two input bits. The same property holds for its inverse.

Approach overview and new observations on the LowMC S-box
In this section, we give an overview of our new difference enumeration attack on LowMC with a full S-box layer, and show our new observations on LowMC S-box.

Overview of our approach
In our new difference enumeration attack, we consider the 2-difference, and we call it 2-difference enumeration attack in the following. It also consists of two phases, i.e. the 2-difference enumeration phase and the key-recovery phase.
First, for the construction with a full S-box layer, the cost of enumerating d-differences in the original difference enumeration attack [27] is rather high, especially when d > 1. And if we enumerate 2-differences for more than one round, the time complexity will be higher than that of the brute force attack. In order to overcome this obstacle, we choose a desirable input 2-difference such that the number of inactive S-boxes in the 0th round is maximized, as depicted in Fig. 2. Moreover, based on the algebraic techniques used in [19], we introduce some variables to represent internal 2-differences, and then construct and solve linear equations to find the valid 2-differences in the middle 2 rounds.
Fig. 2 The framework of the 2-difference enumeration attack
Second, for a recovered 4-round compact 2-differential trail, we can derive the master key by some algebraic techniques. Specifically, by exploiting the special property of the LowMC S-box, we can linearize the S-box. And if an S-box is active, the input and output will satisfy some linear equations. Finally, we can obtain a linear equation system in terms of the master key and some internal variables. Each solution of this equation system corresponds to a candidate master key, whose correctness is checked via a plaintext-ciphertext pair.

New observations on the LowMC S-box
Before introducing the details of our attacks on LowMC, it is necessary to describe our new observations on the LowMC S-box with respect to 2-differences. Denote a tuple of 3 input states of the S-box by $(X_0, X_1, X_2)$ and the corresponding 6-bit input 2-difference .
, its valid output 2-differences will form an affine space of dimension 2.
2. else, its valid output 2-differences will form an affine space of dimension 3.
A similar property also applies to the inverse of the S-box.
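The observations above can be checked exhaustively; the following is an added example, not code from the paper or its repository. It assumes the S-box lookup table from the public LowMC specification (this page does not reproduce it), uses hypothetical function names, and labels a 2-difference inactive, special-active or non-special-active by the dimension (0, 2 or 3) of its output space. It goes slightly beyond this subsection by turning the resulting class counts into the probability Pr[3t + j ≥ threshold] used in the page's complexity analysis.

```python
from itertools import product
from math import comb

# Assumption: LowMC 3-bit S-box table from the public specification,
# S(a, b, c) = (a ^ bc, a ^ b ^ ac, a ^ b ^ c ^ ab) with a as the top bit.
SBOX = [0x0, 0x1, 0x3, 0x6, 0x7, 0x4, 0x5, 0x2]
SBOX_INV = [SBOX.index(y) for y in range(8)]


def affine_dimension(points):
    """Return d if `points` is an affine subspace of dimension d over GF(2), else None."""
    pts = set(points)
    base = next(iter(pts))
    shifted = {p ^ base for p in pts}  # translate so the set contains 0
    # A set containing 0 is a linear subspace iff it is closed under XOR.
    if any((u ^ v) not in shifted for u in shifted for v in shifted):
        return None
    return len(shifted).bit_length() - 1


def one_difference_dimensions(sbox):
    """Observation 2: output-space dimension for every non-zero input 1-difference."""
    return {affine_dimension({sbox[x] ^ sbox[x ^ d] for x in range(8)})
            for d in range(1, 8)}


def output_2_differences(sbox, d1, d2):
    """Output 2-differences reachable from input 2-difference (d1, d2) over all
    anchors x0, each packed into a 6-bit integer."""
    return {((sbox[x0] ^ sbox[x0 ^ d1]) << 3) | (sbox[x0] ^ sbox[x0 ^ d2])
            for x0 in range(8)}


def classify_2_differences(sbox):
    """Count the 64 input 2-differences by the dimension of their output space."""
    counts = {}
    for d1, d2 in product(range(8), repeat=2):
        dim = affine_dimension(output_2_differences(sbox, d1, d2))
        if dim is None:
            raise ValueError(f"outputs of ({d1}, {d2}) do not form an affine space")
        counts[dim] = counts.get(dim, 0) + 1
    return counts


def tail_probability(m, threshold, counts):
    """Pr[3t + j >= threshold] for m independent S-boxes with uniform 2-differences,
    where t counts inactive (dim 0) and j counts special-active (dim 2) S-boxes."""
    p_t, p_j, p_o = (counts[d] / 64 for d in (0, 2, 3))
    total = 0.0
    for t in range(m + 1):
        for j in range(m + 1 - t):
            if 3 * t + j >= threshold:
                total += (comb(m, t) * comb(m - t, j)
                          * p_t ** t * p_j ** j * p_o ** (m - t - j))
    return total


if __name__ == "__main__":
    counts = classify_2_differences(SBOX)
    print("1-difference output dimensions:", one_difference_dimensions(SBOX))
    print("2-difference classes (dimension: count):", counts)
    print("same for the inverse S-box:", classify_2_differences(SBOX_INV))
    print("Pr[3t + j >= 13], m = 43:", round(tail_probability(43, 13, counts), 3))
```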

Generalization
The above Observations 4 and 5 hold for all 3-bit almost perfect nonlinear (APN) S-boxes. As for Observation 5, this generalization is trivial. As for Observation 4, a simplified proof for this generalization can be found in Appendix 1.

2-Difference enumeration
In this section, we first introduce how to enumerate 2-differences in the middle 2 rounds by solving linear equations, and then describe the procedure of 2-difference enumeration phase in our attack. Since we only consider 2-differences in the following, we will omit the phrase "with respect to the 2-difference" for simplicity.

Enumerating 2-differences via solving equations
are known in the i-th round and (i + 1)-th round. We aim to enumerate all values of $\alpha_{i\_S} = (\Delta^1_{i\_S}, \Delta^2_{i\_S})$ such that the 2-difference transition $\alpha_i \to \alpha_{i\_S} \to \alpha_{(i+1)\_S}$ is valid. Consider the general case: there are a inactive S-boxes and b special-active S-boxes in the i-th round, and there are c inactive S-boxes and d special-active S-boxes in the (i + 1)-th round.
First, we introduce some variables to represent internal 2-differences in the i-th round. For the input 2-difference $\alpha_i$, we can introduce at most 6m variables to represent the 6m-bit output 2-difference $\alpha_{i\_S} = (\Delta^1_{i\_S}, \Delta^2_{i\_S})$. However, by exploiting Observation 4, we could introduce 3m − 3a − b variables to represent $\alpha_{i\_S} = (\Delta^1_{i\_S}, \Delta^2_{i\_S})$. Specifically, 1) for an inactive S-box, the output 2-difference is determined, i.e. (0, 0, 0, 0, 0, 0), so there is no need to introduce variables to represent them. 2) For a special-active S-box, the valid output 2-differences form an affine space of dimension 2, so we need to introduce 2 variables to represent them. Thus, we need to introduce 2b variables $(v_0, v_1, \ldots, v_{2b-1})$ to represent the output 2-differences of the b special-active S-boxes. 3) For a non-special-active S-box, the valid output 2-differences form an affine space of dimension 3, so we need to introduce 3 variables to represent them. Thus, to represent the output 2-differences of the (m − a − b) non-special-active S-boxes. As a result, we only need to introduce 2b

written as a linear expression with variables
Then, in the (i + 1)-th round, the output 2-difference $\alpha_{(i+1)\_S}$ is known, so we can construct an equation system with the above variables $(v_0, v_1, \ldots, v_{3m-3a-b-1})$ based on Observation 4. Specifically, (1) for an inactive S-box, the input 2-difference is (0, 0, 0, 0, 0, 0), i.e. in $\alpha_{i+1}$ the values of 6 bits which are linear in the above variables are known. Thus, six linear equations with the above variables can be obtained. (2) For a special-active S-box, its valid input 2-differences form an affine space of dimension 2, i.e. the value of the 6-bit input 2-difference satisfies 4 linear equations. Thus, four linear equations with the above variables can be obtained. (3) For a non-special-active S-box, its valid input 2-differences form an affine space of dimension 3, i.e. the value of the 6-bit input 2-difference satisfies 3 linear equations. Thus, three linear equations with the above variables can be obtained. Therefore, we can obtain 6c + 4d + 3(m − c − d) = 3m + 3c + d linear equations with the above 3m − 3a − b variables. Since 3m − 3a − b ≤ 3m ≤ 3m + 3c + d, we can expect the equation system has at most one solution. And the solution will correspond to a valid value of $\alpha_{i\_S}$.

Complexity evaluation
The time complexity of solving the above 3m + 3c + d linear equations with 3m − 3a − b variables is estimated as $n^3 + 2n^2$ bit operations. Specifically, we first solve 3m − 3a − b linear equations among them by Gaussian elimination (GE), which costs around $n^3$ bit operations. And we can expect the number of solutions is one. Then we check the correctness of this solution by the remaining (3m + 3c + d) − (3m − 3a − b) linear equations, which costs
Since performing a LowMC encryption costs around $2n^2R$ bit operations, the time complexity of solving the above equation system is equivalent to $\frac{n^3 + 2n^2}{2n^2R} \approx \frac{n^3}{2n^2R}$ encryptions.

Recovering valid 2-differential trails
Now we introduce the 2-difference enumeration phase of our attack on 4-round LowMC with a full S-box layer in detail. As depicted in Fig. 3, our 2-difference enumeration phase consists of the following 4 steps:
1. We choose a desirable input 2-difference $\alpha_0$ such that there are 1 non-special-active S-box and m − 1 inactive S-boxes in the 0th round.
2. Encrypt 3 plaintexts $(p_0, p_1, p_2)$ whose 2-difference is $\alpha_0$, and obtain the corresponding ciphertexts $(c_0, c_1, c_2)$. Then we compute the 2-difference $\alpha_4$ of $(c_0, c_1, c_2)$ and $\alpha_{3\_S}$.
3. For each of 8 possible values of $\alpha_{0\_S}$, we compute the value of $\alpha_1$ from $\alpha_{0\_S}$ and introduce 3m − 3a − b variables $(v_0, v_1, \ldots, v_{3m-3a-b-1})$ to represent $\alpha_2$ using the method described in 5.1, where there are a inactive S-boxes and b special-active S-boxes in the 1st round. Then go to the next step.
4. Enumerate 2-differences backwards for 1 round from $\alpha_{3\_S}$ to $\alpha_{2\_S}$. According to each value of $\alpha_{2\_S}$, by the method described in 5.1, we obtain 3m where there are c inactive S-boxes and d special-active S-boxes in the 2nd round. Solve this equation system and we can expect it has at most one solution. For each solution, a valid 4-round compact 2-differential trail is found.

Complexity evaluation
As in [19], we compute the expected number of iterations to enumerate the 2-differences backwards in the 2-difference enumeration phase. In our attack using 3 chosen plaintexts, $\alpha_{3\_S}$ is a random fixed value. We assume that there are t inactive S-boxes and j special-active S-boxes in the 3rd round. In this phase, for each possible value of $\alpha_{0\_S}$, the expected number of iterations to enumerate the 2-differences backwards is
Thus the expected number of iterations to enumerate the 2-differences backwards in total is
As in 5.1, we simply estimate the cost of solving the equation system as $\frac{n^3}{2n^2R} = \frac{n}{2R}$ when enumerating 2-differences backwards each time. Thus, the expected time complexity of solving the equation systems in this phase is
Therefore, the expected time complexity of the 2-difference enumeration phase is

Key recovery with algebraic techniques
In this section, we show the algebraic techniques which are used to derive the full key when a 4-round compact 2-differential trail is recovered in our attack. For each compact 2-differential trail we find, there are 1 non-special-active S-box and m − 1 inactive S-boxes in the 0th round.
And we consider the general case: there are a inactive S-boxes and b special-active S-boxes in the 1st round, c inactive S-boxes and d special-active S-boxes in the 2nd round, and t inactive S-boxes and j special-active S-boxes in the 3rd round. Now we consider the encryption path from $p_0$ to $c_0$. The procedure starts from the 3rd round and can be divided into the following steps (as depicted in Fig. 4):
1. Denote the round key bits used in the 3rd round by $(e_0, e_1, \ldots, e_{3m-1})$. Then $X_{3\_S}$ becomes linear in $(e_0, \ldots, e_{3m-1})$. For the t inactive S-boxes, introduce extra 3t variables $(v_0, v_1, \ldots, v_{3t-1})$ to represent their input bits. Based on Observation 1, for the j special-active S-boxes, we obtain 2j linear equations with the output bits of these S-boxes, and the input bits become linear in the output bits for these S-boxes. Based on Observation 5, for the m − t − j non-special-active S-boxes, we obtain 3(m − t − j) linear equations with the output bits of these S-boxes, and the input bits of these S-boxes are determined. Then we obtain 2j + 3(m − t − j) = 3m − 3t − j linear equations with $(e_0, e_1, \ldots, e_{3m-1})$ and $X_3$ becomes linear in $(v_0, v_1, \ldots, v_{3t-1}, e_0, e_1, \ldots, e_{3m-1})$.
2. Move to the 2nd round, and denote the round key bits used in this round by $(e_{3m}, e_{3m+1}, \ldots, e_{6m-1})$. Then $X_{2\_S}$ becomes linear in (…, $e_{6m-1}$). For each inactive S-box, we guess 2 bits for its output and then its input bits become linear in the output bits according to Observation 3. From the 2 guessed bits, we obtain 2 linear equations with the output bits of the inactive S-box. Similarly to that in the 3rd round, for each special-active S-box, we obtain 2 linear equations with its output bits and its input bits become linear in the output bits. For each non-special-active S-box, we obtain 3 linear equations with its output bits and its input bits are determined. Then we obtain 2c … , $e_{6m-1}$) and $X_2$ becomes linear in these variables.
3. Move to the 1st round, and denote the round key bits used in this round by $(e_{6m}, e_{6m+1}, \ldots, e_{9m-1})$. Then $X_{1\_S}$ becomes linear in $(v_0, v_1, \ldots, v_{3t-1}, e_0, \ldots, e_{9m-1})$. Similarly to that in the 2nd round and 3rd round, for the special-active S-boxes and non-special-active S-boxes, we obtain 2b … , $e_{9m-1}$).
4. Move to the 0th round. For the non-special-active S-box, there are 3 linear equations in terms of the plaintext and the whitening key.
5. Since each round key bit is linear in the k-bit master key, we obtain (3m − 3t − j) and k-bit master key. For each solution of the equation system, we get a candidate master key and check it via the plaintext-ciphertext pair. Then try another guess in the 2nd round and repeat the same procedure until all possible guesses are traversed.

Complexity evaluation
Assume that there are t inactive S-boxes and j special-active S-boxes in the 3rd round. For the valid value of $\alpha_{0\_S}$ with a inactive S-boxes and b special-active S-boxes in the 1st round, when recovering a compact 2-differential trail each time, we derive the master key by constructing 8m + 3 − 3a − b − 3t − j linear equations with k + 3t variables after guessing some bits.
then it can be expected that the equation system has at most 1 solution. The expected time complexity of retrieving the master key for this case is
If k + 3t > 8m + 3 − 3a − b − 3t − j, i.e. 6t + j > 5m + 3 − 3a − b, then it can be expected that the equation system has $2^{6t+j-5m-3+3a+b}$ solutions. The expected time complexity of retrieving the master key for this case is
A detailed explanation for the complexity $T_3$ can be found in Appendix 2.
Output: The master key.
1 Choose an input 2-difference $\alpha_0$ which has 1 non-special-active S-box and m − 1 inactive S-boxes.
2 Ask the encryption oracle to provide the encryption of $(p_0, p_1, p_2)$ whose 2-difference equals $\alpha_0$. Obtain the corresponding ciphertexts $(c_0, c_1, c_2)$ and compute $\alpha_{3\_S}$.
3 for valid value of $\alpha_{0\_S}$ do
4     Introduce variables to represent $\alpha_2$.
5     for $\alpha_{2\_S}$ enumerated backwards do
6         Construct and solve linear equations.
7         for solution obtained do
8             Come to Algorithm 2.

Now we calculate the time complexity and success probability of our attack, which needs a negligible memory. In our attack with 3 chosen plaintexts, $\alpha_{3\_S}$ is a random fixed value. For each S-box in the 3rd round, the probability that this S-box is inactive is 1/64, the probability that this S-box is special-active is 21/64, and the probability that this S-box is non-special-active is 42/64. In the following, we denote the probability of event w happening by Pr[w].

Attack on (129,129,43,2). For (n, k, m, D, R) = (129, 129, 43, 2, 4), as Pr[3t + j ≥ 13] ≈ 0.83, we conclude that with the success probability 0.83, the total time complexity to enumerate 2-differences will be $2^{3m+3-3t-j} \times \frac{n}{2R} \le 2^{123}$ based on Eq. 4, and the total time complexity to retrieve the master key will not exceed $8 \times \max\{2^{2.73m-3t-j}, 2^{3t-2.27m-3}\} \le 2^{107.4}$ based on Eqs. 5 and 6. Thus, we can break the parameter (n, k, m, D, R) = (129, 129, 43, 2, 4) with time complexity less than $2^{123}$ and success probability 0.83.

Attack on (192,192,64,2). For (n, k, m, D, R) = (192, 192, 64, 2, 4), as Pr[3t + j ≥ 14] ≈ 0.994, we conclude that with success probability 0.994, the total time complexity to

if S-box is non-special-active then
7     Obtain 3 linear equations with its output.
8 Move to the 2nd round.
9 for value of guessed output bits of the inactive S-boxes do
10     Obtain 2m linear equations in total with the output of the m S-boxes.

In addition, as Pr[3t + j ≥ 21] ≈ 0.989, we conclude that with success probability 0.989, the total time complexity to enumerate 2-differences will be $2^{3m+3-3t-j} \times \frac{n}{2R} \le 2^{242}$ based on Eq. 4, and the total time complexity to retrieve the master key will not exceed

Experiments
In order to confirm the correctness of our methods, similarly to that in [19], we performed experiments on the toy LowMC instance with parameter (n, k, m, D, R) = (21, 21, 7, 2, 4). We provide our code at https://github.com/wxqiao/LowMC_new_attack_2diff. By choosing different desirable input 2-differences, we performed several experiments with 100 random tests each. In each test, for every valid $\alpha_{0\_S}$, the number of iterations to enumerate 2-differences backwards is equal to the value computed based on Eq. 1 and the number of iterations to enumerate all compact 2-differential trails is much smaller than it. As for the guessing times to recover the master key, it is found that the obtained value indeed matches well with the theoretical value computed based on Eqs. 5 or 6.

Conclusion
In this paper, we present a 2-difference enumeration attack framework to analyze 4-round LowMC with a full S-box layer. With only 3 chosen plaintexts, we attack the 4-round LowMC instances adopting a full S-box layer with block size of 129, 192, and 255 bits, respectively. All these attacks have either a lower time complexity or a higher success probability than those proposed in the previous CRYPTO paper [19].
Since Observation 2 holds for all 3-bit APN S-boxes [19], the generalization holds for the case when ( 0, 0, 0). For the other case, we can write out the exact 8 valid output 2-differences, and it can be found that the 8 valid output 2-differences form an affine space of dimension 3.