Abstract

Since differential-linear cryptanalysis was introduced by Langford and Hellman in 1994, many works have inherited and developed the technique. It has been used to attack numerous ciphers and, in particular, sets the record for Serpent, ICEPOLE, Chaskey, 8-round AES, and so on. At CRYPTO 2020, Beierle et al. showed that the data complexity of a differential-linear attack can be significantly reduced by generating enough right pairs artificially. In this paper, we find a property of the differential propagation of modular addition. Based on this property, we can select special bits to flip to produce right pairs in a certain differential-linear attack. As an application, we focus on the differential-linear attack of the ARX cipher Speck32/64. With the differential-linear trail we concatenate, we construct 9-round and 10-round distinguishers with correlations of \(2^{11.58}\) and \(2^{14.58}\), respectively. We then use enough flipped bits to reduce the complexity of the key recovery attack. As a result, we can attack 14-round Speck32/64 using only \(2^{25}\) chosen plaintexts with a time complexity of about \(2^{62}\), a slight improvement over previous results. To the best of our knowledge, this is the first differential-linear attack on the Speck family.

Keywords: Differential-linear cryptanalysis, ARX, Speck32/64
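To illustrate what "selecting bits to flip to produce right pairs" means for a single modular addition, the following added example (not code from the paper) exhaustively measures which single-bit flips keep every right pair right. The 8-bit word size and the differential (0x08, 0) → 0x08 are constructed assumptions chosen so the search is exhaustive; the example does not reproduce the paper's own property or its Speck32/64 trail.

```python
# Added illustration, not the paper's code. Assumptions: 8-bit words
# (Speck32/64 uses 16-bit words) and a constructed one-bit differential.
N = 8
MASK = (1 << N) - 1

def is_right_pair(x, y, alpha, beta, gamma):
    """True if (x, y) and (x^alpha, y^beta) give output XOR difference gamma."""
    return ((x + y) & MASK) ^ (((x ^ alpha) + (y ^ beta)) & MASK) == gamma

def right_pairs(alpha, beta, gamma):
    """All inputs (x, y) that follow the differential (alpha, beta) -> gamma."""
    return [(x, y) for x in range(1 << N) for y in range(1 << N)
            if is_right_pair(x, y, alpha, beta, gamma)]

def flip_survival(alpha, beta, gamma):
    """For each single-bit flip of x or y, the fraction of right pairs
    that are still right pairs after the flip."""
    pairs = right_pairs(alpha, beta, gamma)
    survival = {}
    for operand in ("x", "y"):
        for bit in range(N):
            m = 1 << bit
            kept = sum(
                is_right_pair(x ^ m if operand == "x" else x,
                              y ^ m if operand == "y" else y,
                              alpha, beta, gamma)
                for x, y in pairs)
            survival[(operand, bit)] = kept / len(pairs)
    return len(pairs), survival

def safe_flips(alpha, beta, gamma):
    """Bit positions whose flip turns every right pair into another right pair."""
    _, survival = flip_survival(alpha, beta, gamma)
    return sorted(pos for pos, frac in survival.items() if frac == 1.0)

if __name__ == "__main__":
    count, survival = flip_survival(0x08, 0x00, 0x08)
    print(f"right pairs: {count} of {1 << (2 * N)}")
    for pos, frac in sorted(survival.items()):
        print(pos, f"{frac:.3f}")
    print("always-safe flips:", safe_flips(0x08, 0x00, 0x08))
```

For this differential a pair is right exactly when bit 3 of `y` equals the carry into bit 3, so flips at or above the active bit of `x`, and above it in `y`, yield new right pairs at no extra data cost, while lower bits only sometimes do.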
