Differential-Linear Cryptanalysis and Cube Attacks on ChiLow
Cheng Che, Tian Tian


Introduction

A security analysis of ChiLow, a tweakable block cipher for embedded code. We detail differential-linear cryptanalysis and cube attacks, presenting distinguishing and key recovery findings.


Abstract

ChiLow is a family of tweakable block ciphers specifically designed for embedded code encryption, proposed at EUROCRYPT 2025. Its novel nested tweakkey schedule and a variant of the χ function significantly enhance latency and energy efficiency. This paper presents a security analysis of ChiLow from the perspectives of differential-linear cryptanalysis and cube attacks, filling some gaps in the initial security analysis made by the designers. Our main contributions are threefold: (1) Distinguishing attacks based on differential-linear cryptanalysis that can distinguish full-round ChiLow from random permutations. For ChiLow-(32+τ), both the time complexity and data complexity of the attack are $2^{81.03}$; for ChiLow-40, both complexities are $2^{88.91}$. We note that the data complexities of these distinguishing attacks are valid since an adversary could query multiple devices. (2) Key recovery attacks on full-round ChiLow based on differential-linear cryptanalysis with the time complexity better than the exhaustive key search. These attacks achieve a time complexity of $2^{121}$, with data complexities of $2^{79.5}$ for ChiLow-(32+τ) and $2^{88.42}$ for ChiLow-40 exceeding the data limit for one key. (3) A key recovery attack on 6-round ChiLow based on cube attacks, with a time complexity of $2^{68}$ and a data complexity of $2^{33}$ respecting the limit of the total number of queries. These results shed some new light on the security boundaries of ChiLow and provide valuable insights for designing low-latency ciphers in embedded systems.


Review

This paper presents a timely and critical security analysis of ChiLow, a recently proposed family of tweakable block ciphers targeting embedded code encryption and slated for presentation at EUROCRYPT 2025. ChiLow is designed with a focus on latency and energy efficiency, incorporating a novel nested tweakkey schedule and a variant of the $\chi$ function. The authors undertake the important task of independently scrutinizing ChiLow's security, filling gaps in the initial analysis provided by its designers through the application of differential-linear cryptanalysis and cube attacks.

The authors' contributions are well-defined and span multiple attack vectors. They first detail distinguishing attacks that can differentiate full-round ChiLow-(32+$\tau$) and ChiLow-40 from random permutations, achieving impressive time and data complexities of $2^{81.03}$ and $2^{88.91}$ respectively. A notable justification is provided for these data complexities, asserting their validity in scenarios involving multiple device queries. Furthermore, the paper describes key recovery attacks on full-round ChiLow using differential-linear cryptanalysis, which are demonstrated to be more efficient than exhaustive key search, with a time complexity of $2^{121}$. However, these attacks demand substantial data complexities of $2^{79.5}$ for ChiLow-(32+$\tau$) and $2^{88.42}$ for ChiLow-40, which might exceed the practical limits for a single key. Lastly, a practical key recovery attack on a reduced 6-round version of ChiLow is presented using cube attacks, requiring a time complexity of $2^{68}$ and a more attainable data complexity of $2^{33}$, respecting typical query limits.

Overall, this paper provides valuable insights into the security posture of the ChiLow cipher family. The systematic application of both differential-linear cryptanalysis and cube attacks successfully identifies weaknesses and quantifies the security margins for various versions and round numbers of ChiLow.
While the high data complexities of some full-round key recovery attacks might pose practical implementation challenges against a single target, they are theoretically significant in demonstrating reduced security compared to the ideal. The cube attack on the 6-round variant, with its reasonable data requirements, stands out as a particularly impactful result. This research not only critically evaluates ChiLow but also offers crucial lessons for the design and robust security analysis of future low-latency ciphers intended for resource-constrained embedded environments.


Full Text

The full text of this article is published in IACR Transactions on Symmetric Cryptology.
