Cube and Integral Attacks on ChiLow-32
Shuo Peng, Akram Khalesi, Zahra Ahmadian, Hosein Hadipour, Jiahui He, Kai Hu, Zhongfeng Niu, Shahram Rasoolzadeh, Meiqin Wang

Introduction

Cube and integral attacks on ChiLow-32 that exploit the algebraic structure of ChiLow-(32 + τ). We present practical cube and integral key-recovery attacks on 5- and 6-round versions, and a 7-round integral attack.

Abstract

The protection of executable code in embedded systems requires efficient mechanisms that ensure confidentiality and integrity. Belkheyar et al. recently proposed the Authenticated Code Encryption (ACE) framework, with ChiLow as the first ACE-2 instantiation at EUROCRYPT 2025. ChiLow-(32 + τ) is a 32-bit tweakable block cipher combined with a pseudorandom function, featuring quadratic nonlinear layers called ChiChi (χχ) and a nested tweak/key schedule optimized for low-latency decryptions in secure code execution under strict query limits.

In this paper, we exploit the algebraic structure of χχ and study the resistance of ChiLow-(32 + τ) to cube-like and integral cryptanalysis in single- and multiple-tweak settings. In the multiple-tweak setting, we present conditional attacks that can recover the full key for 5-round ChiLow-(32 + τ) with practical complexity, and extend the analysis to 6 rounds at a still non-trivial but purely theoretical cost below brute force. We additionally construct borderline cube attacks on 5- and 6-round ChiLow-(32 + τ), each capable of recovering the full key with practical complexity. Specifically, we recover the full key for 5-round ChiLow-(32 + τ) using $2^{32}$ decryptions, $2^{18.58}$ chosen ciphertext data, and $2^{33.56}$ bits of memory, and for 6-round ChiLow-(32 + τ) using $2^{34}$ decryptions, $2^{33.58}$ chosen ciphertext data, and $2^{54.28}$ bits of memory.

We then focus on integral cryptanalysis and the challenge of extending the analysis to 7 rounds. We identify integral distinguishers in the single- and multiple-tweak models and extend suitable 2-round and 3-round integral distinguishers to build a 7-round attack. We present a nested strategy to recover all round tweaks and tackle the problem of deriving the master key from round-tweak and key information. Our key-recovery method exploits high-degree monomials that arise in the integral key-recovery phase to reduce the average number of guessed key bits and hence reduce the time complexity.

As a result, we mount a 7-round key-recovery attack on ChiLow-(32 + τ) that requires $2^{6.32}$ chosen ciphertext data, has a time complexity of about $2^{108.55}$ encryptions, and needs negligible memory. Notably, all our attacks remain consistent with the security claims of the design.



Source: IACR Transactions on Symmetric Cryptology.
