Improved meet-in-the-middle attacks on reduced-round Joltik-BC

Joltik-BC is the internal tweakable block cipher of the authenticated encryption algorithm Joltik, which was a second-round finalist in the CAESAR competition. The authors study key-recovery attacks on Joltik-BC under the meet-in-the-middle attack. Utilising the subtweakey difference cancellation, the freedom of the tweak and the differential enumeration technique, they attack nine-round Joltik-BC-64-64 by constructing a precise six-round meet-in-the-middle distinguisher, with 2^53 plaintext–tweak combinations, 2^52.91 Joltik-BC blocks and 2^54.1 nine-round Joltik-BC-64-64 encryptions. Moreover, they attack 11-round Joltik-BC-128-64 for the first time by constructing a seven-round meet-in-the-middle distinguisher, with 2^53 plaintext–tweak combinations, 2^114 Joltik-BC blocks and 2^123 11-round Joltik-BC-128-64 encryptions.


| INTRODUCTION
As an important part of cryptography, block ciphers are used for data encryption, message authentication codes and pseudorandom number generation. Recently, the design and analysis of tweakable block ciphers has attracted increasing attention. Liskov et al. proposed tweakable block ciphers [1] at CRYPTO 2002. Unlike traditional block ciphers, they have a public input, the tweak, that increases the diversity of the cipher. Changing the tweak is more convenient and less costly than changing the secret key. Therefore, tweakable block ciphers are widely used in cryptographic schemes, for example format-preserving encryption, disk encryption and authenticated encryption algorithms [2,3].
At ASIACRYPT 2014, Jean et al. put forward a common framework called TWEAKEY [4] for constructing tweakable block ciphers. The authors presented three particular instances of the framework, Deoxys-BC, Joltik-BC and Kiasu-BC, all of which are AES-based tweakable block ciphers [5]. In the TWEAKEY framework, instead of distinguishing the key and the tweak, the concatenation of the key and the tweak is treated as a whole, called the tweakey, and the tweak schedule and the key schedule are treated as a single tweakey schedule algorithm. Because the structure is very simple and its resistance to related-key attacks is reasonably strong, the TWEAKEY framework has received much attention from researchers. Analysing specific instances helps to assess their security and will also assist designers in building more valuable tweakable block ciphers in the future.
Joltik-BC is the internal tweakable block cipher of Joltik, an authenticated encryption algorithm that was a second-round finalist in the CAESAR competition. The first security analyses of Joltik-BC considered meet-in-the-middle attacks and differential attacks [6]. A related-key impossible differential attack on 10-round Joltik-BC-64-64 was proposed by Zong et al. [7] in 2018. Then, in 2019, a meet-in-the-middle attack on nine-round Joltik-BC-64-64 combined with the subtweakey difference cancellation was presented by Liu et al. [8]. In the same year, Li et al. [9] constructed a meet-in-the-middle attack on 10-round Joltik-BC-128-64 taking advantage of the tweak differential property. Table 1 summarises the valid attack results on Joltik-BC.
The authors analyse the security of Joltik-BC-64-64 and Joltik-BC-128-64 against the meet-in-the-middle attack. Firstly, they clearly distinguish the tweak from the key to propose a precise six-round meet-in-the-middle distinguisher using the subtweakey difference cancellation property, the tweak difference and the differential enumeration technique, based on the results on Joltik-BC-64-64 given in [8]. Then, by adding one round to the top and two to the bottom, they present a meet-in-the-middle attack with 2^53 plaintext-tweak combinations, 2^52.91 Joltik-BC blocks and 2^54.1 nine-round Joltik-BC-64-64 encryptions. Similarly, by constructing a seven-round meet-in-the-middle distinguisher in the offline phase, they present a meet-in-the-middle attack on 11-round Joltik-BC-128-64 for the first time, with 2^53 plaintext-tweak combinations, 2^114 Joltik-BC blocks and 2^123 11-round Joltik-BC-128-64 encryptions. Section 2 provides the preliminaries: the specification of Joltik-BC, the property of the tweakey schedule algorithm and the development of the meet-in-the-middle attack. Section 3 gives the specific process and complexity of the attack on nine-round Joltik-BC-64-64, Section 4 presents the new meet-in-the-middle result on Joltik-BC-128-64, and Section 5 concludes. Figure 1 shows the overall structure of Joltik-BC.

| Description of Joltik-BC
Adopting an AES-like structure, Joltik-BC comes in two versions, Joltik-BC-128 and Joltik-BC-192. The designers use a 4 × 4 matrix to express the internal state of Joltik-BC. Table 2 shows the Joltik-BC parameters for each version.
Joltik-BC is an iterative substitution-permutation network whose round consists of four operations. SubNibbles (SN): apply the 4-bit S-box S adopted from Piccolo [10] to each nibble of the internal state, as shown in Table 3. The authors define the i-th 64-bit round tweakey as STK_i and write KT for the concatenation of the key K and the tweak T, KT = K‖T. The tweakey KT is divided into 64-bit words. For Joltik-BC-64-64, KT is 128 bits: its first 64-bit word is denoted W_1 and its second W_2. For Joltik-BC-128-64, KT is 192 bits and the authors denote its first, second and third 64-bit words by W_1, W_2 and W_3, respectively. The subtweakey is defined as Here RC_i are the key schedule round constants. The 64-bit words TK^j_i are the outputs of the tweakey schedule algorithm (for Joltik-BC-128-64). Thus, the tweakey schedule algorithm is represented as where the function g_α is a finite field multiplication of each nibble by the element α and the nibble permutation h is defined as

For Joltik-BC-64-64, TK^1_i is denoted k^0_i and TK^2_i is denoted t_i (or k^1_i) for convenience; the tweakey schedule algorithm is then represented as where t_0 = T, k^0_0 is the most significant 64-bit word of K and k^1_0 is the least significant 64-bit word of K. Then similarly,

| Description of the meet-in-the-middle attack
The meet-in-the-middle attack is an effective chosen-plaintext attack proposed by Diffie and Hellman when they analysed DES in 1977 [11]; it utilises the cipher-slicing idea and the space-time tradeoff technique in the security analysis of hash functions and block ciphers. Recently, many techniques and methods have been proposed to improve the results of meet-in-the-middle analysis.
In 2008, Demirci and Selçuk proposed a new meet-in-the-middle attack model [12], called the Demirci-Selçuk meet-in-the-middle attack, which combined the idea of collision analysis [13] with the meet-in-the-middle attack when analysing AES. Its general idea is that a block cipher E is divided into three consecutive parts, E = E_2 ∘ E_0 ∘ E_1, as shown in Figure 2.
The attack consists of an offline phase and an online phase. In the former, the precomputation phase on E_0, a precomputation table storing specific inputs and outputs is built by constructing a meet-in-the-middle distinguisher. In the latter, the key recovery phase, the adversary encrypts some chosen plaintexts and decrypts the corresponding ciphertexts by guessing the related subkeys k_1 and k_2 used in E_1 and E_2, and then checks whether the internal values match the precomputation table. In general, the guessed subkeys may be correct if the values computed online are found in the precomputation table; if not, they are filtered out.
In 2010, Dunkelman et al. [14] presented the differential enumeration technique to reduce the large storage complexity of the Demirci-Selçuk meet-in-the-middle attack: when the input difference and the output difference satisfy a specific differential structure, the range of the internal state can be limited. Meanwhile, the key-bridging technique was proposed to find algebraic relations between subkeys and reduce the time complexity of the online phase of the Demirci-Selçuk attack. In 2014, Wang et al. [15] put forward the key-dependent sieve technique, which, combined with the differential enumeration technique, further narrows the value range of the internal state and reduces the storage complexity of Demirci-Selçuk analysis. Subsequently, the Demirci-Selçuk meet-in-the-middle technique was used to analyse various types of block ciphers [16-19]. In 2019, Ahmadi et al. [20] proposed the generalised meet-in-the-middle attack and achieved an automated attack, together with several ideas that were applied to different block ciphers.

| MEET-IN-THE-MIDDLE ATTACK ON NINE-ROUND JOLTIK-BC-64-64
In theory, for a tweakable block cipher, the distinction between the tweak input and the key input is clear: the former is public and can be fully controlled by the attacker, while the latter is secret [4]. When a tweakable block cipher is analysed, it is better to distinguish the key from the tweak in order to obtain accurate attack results.
In [8], the authors proposed a six-round meet-in-the-middle distinguisher to attack nine-round Joltik-BC-64-64, but they did not distinguish the concepts of key and tweak. As a result, the complexity of their attack on 10-round Joltik-BC-64-64 exceeded that of exhaustive search. Therefore, the authors consider that those analysis results do not affect the security of the Joltik-BC-64-64 authenticated encryption algorithm.
Following the ideas in [9], the authors precisely distinguish the concepts of key and tweak for Joltik-BC-64-64 and accurately construct a new six-round meet-in-the-middle distinguisher in this section. It is also useful for understanding the seven-round meet-in-the-middle distinguisher in Section 4. The following definition and property are used.
Definition 1 [21] A b-δ-set is a set of 2^b state values that are all different in b state bits (the active bits) and all equal in the remaining state bits (the inactive bits).
Property 1 [22] For a given bijective S-box S, let Δ_i and Δ_o be two non-zero differences; then the number of solutions x of the equation S(x) ⊕ S(x ⊕ Δ_i) = Δ_o is 1 on average.

| A six-round distinguisher on Joltik-BC-64-64
In this part, it is considered that the nibble w_0[1] is active, and the corresponding ordered sequence Δx_7[5,7] can be calculated after six-round Joltik-BC-64-64 encryption. In order to optimise the analysis results, some special tweaks are selected in this phase, such as Δk Firstly, a property of Joltik-BC-64-64 called subtweakey difference cancellation, which is used in the distinguisher, is presented.
Property 2 [6,7] The designers state that a subtweakey difference cancellation occurs once in every 15 rounds of Joltik-BC-64-64. Assume that TK_1 and TK_2 each have one active nibble, and denote the differences of these two active nibbles by a_1 and a_2, respectively. Then, ignoring the position permutation h, the subtweakey difference at the active cell is a_1 ⊕ a_2 in the first round and g_2^i(a_2) ⊕ a_1 in the i-th round. Since both a_1 and a_2 are non-zero, the equation g_2^i(a_2) ⊕ a_1 = 0 holds at most once in every 15 rounds.
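The nibble-wise multiplication g_α from the tweakey schedule description above and the cancellation argument of Property 2, as an added example (not code from the paper): it implements g_α over GF(2^4), assumes the field polynomial x^4 + x + 1 used by Joltik-BC (not restated on this page), ignores the permutation h as Property 2 does, and checks that every non-zero pair (a_1, a_2) cancels in exactly one of 15 rounds.

```python
# Added example, not the paper's code: g_alpha of the Joltik-BC tweakey schedule and
# the subtweakey difference cancellation of Property 2 (permutation h ignored).
# Assumption: nibbles are elements of GF(2^4) defined by x^4 + x + 1 (Joltik-BC's field).
POLY = 0b10011  # x^4 + x + 1

def gf16_mul(a, b):
    """Multiply two nibbles in GF(2^4) by shift-and-add, reducing modulo POLY."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= POLY
        b >>= 1
    return r & 0xF

def g_alpha(word, alpha):
    """Apply g_alpha to a 64-bit tweakey word: multiply each of its 16 nibbles by alpha."""
    out = 0
    for pos in range(16):
        nibble = (word >> (4 * pos)) & 0xF
        out |= gf16_mul(nibble, alpha) << (4 * pos)
    return out

def order_of(alpha):
    """Smallest i >= 1 with alpha^i = 1, i.e. the period after which g_alpha^i is the identity."""
    v, i = alpha, 1
    while v != 1:
        v, i = gf16_mul(v, alpha), i + 1
    return i

def subtweakey_diffs(a1, a2, rounds=15):
    """Active-cell difference of STK_i for i = 0..rounds-1: TK1 only passes through h,
    so its difference stays a1, while TK2 is also multiplied by 2 each round, giving
    2^i * a2 ^ a1; round 0 (the paper's first round) is therefore a1 ^ a2."""
    diffs, d2 = [], a2
    for _ in range(rounds):
        diffs.append(d2 ^ a1)
        d2 = gf16_mul(d2, 2)
    return diffs

def cancellation_rounds(a1, a2, rounds=15):
    """Rounds in which the subtweakey difference at the active cell is zero."""
    return [i for i, d in enumerate(subtweakey_diffs(a1, a2, rounds)) if d == 0]

def property2_holds():
    """Property 2: every non-zero (a1, a2) cancels in exactly one round out of 15."""
    return all(len(cancellation_rounds(a1, a2)) == 1
               for a1 in range(1, 16) for a2 in range(1, 16))
```

Because 2 generates the multiplicative group of this field (order 15), the sequence 2^i·a_2 visits every non-zero nibble once per 15 rounds, which is exactly why the cancellation round exists and is unique.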
According to Property 2, in the second round of the distinguisher, some related keys and tweaks can be selected to make the subtweakey difference cancellation occur. The specific content of the distinguisher is as follows.

| A meet-in-the-middle attack on nine-round Joltik-BC-64-64
In this section, a meet-in-the-middle attack is presented with 2^53 plaintext-tweak combinations, 2^52.91 Joltik-BC blocks and 2^54.1 nine-round Joltik-BC-64-64 encryptions, based on the six-round distinguisher with one round added to the top and two to the bottom. As MixNibbles and AddRoundTweakey are both linear, the order of the MixNibbles and AddRoundTweakey operations is exchanged in the eighth and ninth rounds to obtain an equivalent relation, which reduces the number of nibbles to be guessed, as shown in Figure 4.
The attack process consists of two parts: the precomputation phase and the online phase.
The online phase includes the following attack procedures.
Step 4: By exhaustive key search over the remaining eight nibbles of u^0_9, we can retrieve the master key.

| MEET-IN-THE-MIDDLE ATTACK ON 11-ROUND JOLTIK-BC-128-64
In this section, the authors construct a seven-round meet-in-the-middle distinguisher in the offline phase and present a meet-in-the-middle attack on 11-round Joltik-BC-128-64 for the first time, by adding one round to its top and three rounds to its bottom.

| A seven-round distinguisher on Joltik-BC-128-64
From [6] it can be seen that, although the key schedule of Joltik-BC-128-64 differs slightly from that of Joltik-BC-64-64, this version still satisfies the subtweakey difference cancellation property. According to this property, the distinguisher constructed in the same way is as follows.

| CONCLUSION
A favourable meet-in-the-middle attack against Joltik-BC has been presented. By utilising the subtweakey difference cancellation, the freedom of the tweak and the differential enumeration technique, the authors clearly distinguish the tweak from the key to precisely construct a six-round meet-in-the-middle distinguisher. Based on this distinguisher, they present an attack on nine-round Joltik-BC-64-64 with 2^53 plaintext-tweak combinations, 2^52.91 Joltik-BC blocks and 2^54.1 nine-round Joltik-BC-64-64 encryptions. Moreover, they give a seven-round meet-in-the-middle distinguisher for the first time to obtain a result on 11-round Joltik-BC-128-64 with 2^53 plaintext-tweak combinations, 2^114 Joltik-BC blocks and 2^123 11-round Joltik-BC-128-64 encryptions.