With the recent proliferation of IoT devices, lightweight cryptography, capable of secure and high-speed operation even in resource-constrained environments, has become increasingly important. SPECK, developed by the US National Security Agency (NSA), and CHAM, developed by the National Security Research Institute (NSR) of South Korea, are lightweight block ciphers employing an ARX structure. Due to their high implementation efficiency, they are attracting attention as suitable encryption methods for resource-constrained devices; thus, evaluating their security is a critical research challenge. A powerful attack method against these ciphers involves analysis using Differential-Linear (DL) distinguishers. Block ciphers possess an iterative structure where encryption is performed by repeating an internal transformation process called a round function; the number of repetitions is termed the number of rounds. CHAM64/128 employs 88 rounds, while SPECK64 employs 26 rounds for a 96-bit key length and 27 rounds for a 128-bit key length. Recent DL distinguishers propose dividing multiple round functions into three parts: approximating the front part with differential characteristics, the rear part with linear characteristics, and the middle section with a differential-linear approximation. Gong et al. proposed an analysis utilizing the fact that ARX ciphers possess an "Hourglass-like structure," where differences and masks converge and diffuse in the middle section. Detailed re-exploration of optimal distinguishers for SPECK64 and CHAM64/128 using this structure, as well as experimental evaluation of differential and linear characteristics, remain as future tasks. Additionally, Beierle et al. focused on the specific structure of the set of input/output pairs (Right Pairs) satisfying differential characteristics and proposed a method to reduce the data complexity required for attacks from the conventional O(p^(−2)) to O(p^(−1)).
However, the extent to which this method is applicable to specific distinguishers for SPECK and CHAM has not yet been sufficiently verified. In this study, we improved the differential-linear analysis focusing on the hourglass-like structure, targeting SPECK64 and CHAM64/128. For CHAM64/128, by utilizing the property of the hourglass-like structure where consecutive 2-bit masks tend to maintain high correlation, we constructed a new 46-round distinguisher and successfully reduced the time complexity required for the attack from the existing O(2^(57.94)) to O(2^(56.52)). Furthermore, based on the proposal by Beierle et al., we verified the reduction in computational complexity using Right Pairs that satisfy differential characteristics. As a result, we demonstrated that for several distinguishers, the data complexity required for the attack can be reduced from the conventional O(p^(−2)) to O(p^(−1)). These results demonstrate the effectiveness of the hourglass-like structure in ARX ciphers and indicate the necessity for more precise security evaluations.
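
As an added illustration (not code from the paper or its authors), the following Python estimates a differential-linear correlation experimentally for reduced-round SPECK64. It assumes independent random round keys instead of the SPECK key schedule, and the input difference and output masks are constructed for this example, not taken from the paper's distinguishers.

```python
import random

MASK32 = 0xFFFFFFFF  # SPECK64 operates on two 32-bit words


def ror(v, r):
    return ((v >> r) | (v << (32 - r))) & MASK32


def rol(v, r):
    return ((v << r) | (v >> (32 - r))) & MASK32


def speck64_round(x, y, k):
    """One SPECK64 round: rotate by 8 and 3, modular addition, key XOR."""
    x = ((ror(x, 8) + y) & MASK32) ^ k
    y = rol(y, 3) ^ x
    return x, y


def encrypt_rounds(x, y, round_keys):
    for k in round_keys:
        x, y = speck64_round(x, y, k)
    return x, y


def parity(v):
    return bin(v).count("1") & 1


def dl_correlation(rounds, delta_in, mask_out, samples=1 << 14, seed=1):
    """Estimate Pr[even] - Pr[odd] of mask_out . (C xor C') over pairs
    with P xor P' = delta_in. Round keys are independent and random
    (an assumption of this example, not the real key schedule)."""
    rng = random.Random(seed)
    (dx, dy), (gx, gy) = delta_in, mask_out
    total = 0
    for _ in range(samples):
        keys = [rng.getrandbits(32) for _ in range(rounds)]
        x, y = rng.getrandbits(32), rng.getrandbits(32)
        cx, cy = encrypt_rounds(x, y, keys)
        cx2, cy2 = encrypt_rounds(x ^ dx, y ^ dy, keys)
        bit = parity((cx ^ cx2) & gx) ^ parity((cy ^ cy2) & gy)
        total += 1 - 2 * bit  # +1 for even parity, -1 for odd
    return total / samples


if __name__ == "__main__":
    delta = (0x00000080, 0x00000000)  # constructed input difference
    for r in range(1, 7):
        c = dl_correlation(r, delta, (0x00000004, 0))
        print(f"{r} rounds: estimated correlation {c:+.4f}")
```

Measuring a correlation c reliably takes on the order of c^(−2) pairs, so the sample count has to grow as rounds are added and the correlation shrinks.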
