New Attacks on LowMC instances with a Single Plaintext/Ciphertext pair

. Cryptanalysis of the LowMC block cipher when the attacker has access to a single known plaintext/ciphertext pair is a mathematically challenging problem. This is because the attacker is unable to employ most of the standard techniques in symmetric cryptography like linear and diﬀerential cryptanalysis. This scenario is particularly relevant while arguing the security of the PICNIC digital signature scheme in which the plaintext/ciphertext pair generated by the LowMC block cipher serves as the public (veriﬁcation) key and the corresponding LowMC encryption key also serves as the secret (signing) key of the signature scheme. In the paper by Banik et al. (IACR ToSC 2020:4), the authors used a linearization technique of the LowMC S-box to mount attacks on some instances of the block cipher. In this paper, we ﬁrst make a more precise complexity analysis of the linearization attack. Then, we show how to perform a 2-stage MITM attack on LowMC. The ﬁrst stage reduces the key candidates corresponding to a fraction of key bits of the master key. The second MITM stage between this reduced candidate set and the remaining fraction of key bits successfully recovers the master key. We show that the combined computational complexity of both these stages is signiﬁcantly lower than those reported in the ToSC paper by Banik et al.


Introduction
The LowMC family of block ciphers was first proposed by Albrecht et al. in [ARS + 15] and was designed specifically for use in FHE and MPC applications due to its low multiplicative complexity.The block cipher uses a 3-bit S-box which is the only non-linear transformation in the construction.Both the linear layers and round key generation are done by multiplying with full rank matrices over GF (2) of appropriate dimensions.The designers propose several instances of the block cipher, some of which have partial non-linear layers i.e. in which the S-boxes are not applied over the entire internal state of the cipher.
Recently, LowMC has been used in the PICNIC digital signature scheme in the following way.Let E(K, pt) be the LowMC encryption of the plaintext pt using the key K.The plaintext/ciphertext pair (pt, ct = E(K, pt)) is used as the public key of the signature scheme (verification key) and encryption key K is used as the secret key (signing key).If an adversary can recover the encryption The authors in [BBDV20] report attack complexities in number of linear/quadratic expression evaluations.However it is always preferable to have computational complexity reported in terms of number of encryptions.We actually show in this paper that the best complexity of these attacks are equivalent to n 2r × 2 rs encryptions (r denotes the number of rounds used in the encryption), as will be discussed later in this paper.In [BBDV20], the authors then presented a speedup of a factor of 8 over the MITM attack by using the 3-xor problem.
In [Din], the authors showed an ingenious method of finding roots of multiple polynomial systems over GF (2).The n variables of the equation system are partitioned into two disjoint sets y = y 0 , y 1 , . . ., y m−1 and z = z 0 , z 1 , . . ., z p−1 (with n = m + p).It is argued that any random linear combination of the polynomials in the original equation system, has an isolated solution with high probability, i.e. if (ŷ, ẑ) is an isolated solution then (ŷ, z ) is not a solution for all z = ẑ.The authors then observed that all such isolated solutions could be recovered bit-by-bit by computing p + 1 partial sums for each candidate solution ŷ ∈ {0, 1} m .The first step is to randomly combine the original equation system into a system with smaller number of equations whose solutions can be found by brute force.These solutions are then used to compute partial sums and construct a candidate solution of the original equation system.This generic method of solving equations works quite well if the algebraic degree of the system is small and so it was applied to attack 3, 4 and 5 round LowMC with complete nonlinear layers for some specific block-lengths.However, the method can not be applied to LowMC instances with partial non-linear layers, since the number of rounds in such instances are generally much higher, and the degree of the internal state variables (as a function of the key) doubles every round.[LIM21] reports an algebraic attack on LowMC.However the authors use the n 2.8 estimate (ignoring constant factors) to solve Gaussian elimination, to report the complexity of their attack.As such it is unclear if the complexity bounds they report are tight.

Contribution and Organization of the Paper
In this paper we present new improved attacks on LowMC instances that use the linearization technique of the LowMC S-box as a starting point.We first provide a more precise complexity analysis of the linearization attack and of its proof.Then, we present improved attacks on both a) the 2 and 3-round complete nonlinear layer instance, and b) the 0.8 • n s and n s -round LowMC instance with partial non-linear layers.We show that the attack complexity can be reduced if we perform the MITM in two separate stages: the first stage reduces the set of possible key candidates of a fraction of key bits to smaller set.A second MITM stage is then performed on this reduced candidate set and the candidates in the remaining fraction of the key bits.The paper shows how to efficiently formulate equations to perform the 2 MITM stages, and proves conclusively that the correct key can be found with certainty.It also shows that the combined computational complexity of the 2 attack stages is significantly lower than the complexities reported in [BBDV20].Table 1  of the attacks reported in this paper and compares with the corresponding complexities reported in [BBDV20].Note that in this table, we have recalculated all computational complexities in terms of number of encryptions.The rest of the paper is organized in the following manner.In Section 2, we begin by presenting a mathematical description of LowMC and some information about the LowMC cryptanalysis challenge.In Section 3, we list out some of the issues with the computational complexity reported in [BBDV20] and explain how we have tried to compute all complexities in terms of number of encryptions.In Section 4, we present our attack on the 2-round and 3-round LowMC instances with complete non-linear layers.In Section 5, we present our attack on the 0.8 • n s and n s -LowMC instance with partial non-linear layers.In Section 6, we present some experimental results on reduced LowMC instances with smaller blocksizes.This is done to prove that the attacks presented in Section 4, 5 can indeed be applied to full-size LowMC instances.Section 7 concludes the paper.

Preliminaries
The LowMC round function is a typical SPN construction given in Fig. 1.It consists of an n-bit block undergoing either a partial or a complete substitution layer consisting of s 3-bit S-boxes where 3s ≤ n.It is followed by an affine layer which consists of multiplication of the block with an invertible n × n matrix over F 2 and addition with an n-bit round constant.Finally the block is xored with an n-bit round key.If the master secret key K is of size n-bits (which is true for all the instances in the LowMC challenge), then each round key is obtained by multiplication of K with an n×n invertible matrix.As in most SPN constructions, a plaintext is first xored with a whitening key which for LowMC is simply the secret key K, and the round functions are executed r times to give the ciphertext.From the point of view of cryptanalysis, we note that the design is completely known to the attacker, i.e. all the matrices and constants used in the round function and key update are known.Note that in general instantiations of LowMC, the key size and block size are not the same.The whitening key and all the round keys are extracted by multiplying the master key with full rank matrices over GF (2).However for all the instances of LowMC used in the LowMC challenge the block size and key size are the same.This being so, the lengths of the master key, whitening key and all the subsequent round 2 238 *Complexities recalculated and do not always match those reported in [BBDV20] ** [Din] reports complexities in bit operations.We recalculate them in number of encryptions.
keys are the same.Effectively, this makes all these keys related to each other by multiplication with an invertible matrix over GF (2).Thus all round keys can be extracted by multiplying the whitening key with an invertible matrix.So for all practical purposes used in this paper, the whitening key can also be seen as the master secret key.This is true since given any candidate whitening key, all round keys can be generated from it, and thus given any known plaintext-ciphertext pair, it is possible to verify if that particular candidate key has been used to generate the corresponding plaintext/ciphertext pair.As such we use the terms master key/whitening key interchangeably.
The LowMC challenge specifies 9 challenge scenarios for key recovery given only 1 plaintext-ciphertext pair, i.e. the data complexity d = 1.
The number of rounds r for instances with the full S-box layer is either 2, 3, or 4 and for instances with a partial S-box layer can vary between 0.8× n s , n s and 1.2 × n s .When these are not integers, the number of rounds is taken as the next higher integer.The key length k for all instances is n bits.PICNIC v3.0 [Zav] incidentally uses LowMC instances with the parameter sets [n, s, r] given by [128,10,20], [192,10,30

Linearization Attack
The starting point of the attack in [BBDV20] was the following lemma that helps linearize the LowMC S-box by guessing only one balanced quadratic expression on its input bits.Lemma 1. [BBDV20] Consider the LowMC S-box S defined over the input bits x 0 , x 1 , x 2 .If we guess the value of any 3-variable quadratic Boolean function f which is balanced over the input bits of the S-box, then it is possible to re-write the S-box as affine function of its input bits.
The authors used the majority function f = x 0 x 1 + x 1 x 2 + x 0 x 2 for this purpose which is both quadratic and balanced.This is true since the the LowMC S-box output bits can be written as: The same is true for the inverse LowMC S-box (which is incidentally affine equivalent to the forward S-box): The authors had given a computer exercise based proof in [BBDV20] of the above lemma.We present an improved proof of the above in Appendix A. Using the above fact, the first attack proposed in [BBDV20] used only the linearization technique to obtain affine equations relating plaintext and ciphertext.The idea is as follows.The values of the majority function at the input of all the S-boxes in the encryption circuit were guessed: this made expression relating the plaintext and ciphertext completely linear in the key variables, i.e. of the form: where A is an n × n matrix over GF (2).Thereafter the key could be found by using Gaussian elimination.A wrong key found by this method could be discarded by recalculating the encryption and checking if the given plaintext mapped to the given ciphertext.
The above method would work if the total number of S-boxes in the encryption circuit is strictly less than the size of the key in bits.This happens for a) 2-round LowMC with complete non-linear layers and b) 0.8× n s -round LowMC with partial non-linear layers.However the authors pointed out 2 issues in this approach: 1.If the total number of S-boxes in the encryption circuit is t, then the algorithm requires in the worst case requires at least 2 t computations of the encryption function (for the verification of each computed candidate key).It additionally requires 2 t Gaussian elimination calculations.For large blocksizes, the authors claimed this could prove to be a significant bottleneck.2. For any guess of the majority values, the matrix A computed above may not necessarily be invertible.If the dimension of the kernel of the matrix A is d A , then we can see that O(2 d A ) keys would satisfy any equation of the form A • K = const.Thus the verification would require running the verification for 2 d A candidate keys.
The authors could not find a closed form for the value of d A and so could not assign a tight bound on the computational complexity incurred in this approach.However we find that some of these issues can be resolved to get a closed form expression of the complexity of the linearization algorithm.First of all, the expected number of solutions for the system A • [k 0 , k 1 , . . ., k n−1 ] T = const is 1 if the system is random.If const lies in the image of the linear transformation defined by A then the system has 2 d A solutions, and it has 0 solutions otherwise.Now the probability that const lies in the image of A is exactly 2 −d A and so the average number of solutions by Bayes theorem is 2 and testing this solution costs us one encryption.Note that multiplying an n×n matrix with an n-bit column vector requires n 2 bit operations.Every LowMC round therefore requires at least 2n 2 bit operations (n 2 for computing the affine layer and another n 2 for generating the round key).Assuming calculation of the S-box layer can be done in linear time using a lookup table and also since key xor with state also takes linear time, the sum total of all the other bit operations in the round are linear in n.Suppressing these, the total bit operations required in performing a LowMC encryption is around 2rn 2 .Solving a system of linear equations by Gaussian elimination (GE) costs around n 3 bit operations which is equivalent to n 3 2rn 2 = n 2r encryptions.Also note the computational complexity required to formulate the linear system A • [k 0 , k 1 , . . ., k n−1 ] T = const.We argue that this is equivalent to n encryptions.After guessing the majority bits, the system becomes completely linear.Therefore finding the i-th column of A and the i-th bit of const is equivalent to performing one encryption with the basis key vector [0, 0, . . ., k i , . . ., 0, 0].Hence the result follows.Therefore the total computational complexity required to perform the attack using only linearization in terms of number of encryptions is 2 rs (Guessing majority bits) × [ n (Formulating the linear system)+ n 2r (Solving the linear system)+ 1 (Testing one solution on average)].
We can simplify this to n • 2 rs encryptions.Also note that 2 rs is the worst case complexity for guessing rs bits.The average case complexity is 2 rs−1 .However since we want to compare this complexity to the complexity of exhaustive search 2 n which is also a worst case complexity we use 2 rs for all our complexity estimations.

Improving complexity using Gray-Code based approach
The above complexity can be significantly improved if one were to make the majority guesses in a Gray-code like manner.Recall that the encoding is defined as follows: Graycode(i) = i ⊕ (i 1).Note that hamming difference between Graycode(i) and Graycode(i + 1) is always 1 for all values of i.The idea is instead of ordering the majority guesses in lexicographic order, we use the order defined by the Gray-code, i.e. in the i-th step the majority guess sequence is the binary string defined by the bits of Graycode(i).When this is done the matrix A defined above, changes very little from iteration i to i + 1.Thus having already constructed A in the i-th iteration, the corresponding construction in the i + 1th iteration can be done much faster and so the cost of formulating the linear system of equations defined by Eqn (1) can be amortized over all the majority guesses.
Let us state the algorithm formally.Let M = m 0 , m 1 , . . ., m s−1 , m s , m s+1 , . . ., m 2s−1 , . . ., m (r−1)s , m (r−1)s+1 , . . ., m rs−1 be the rs majority guesses for the s number of S-boxes in each of the r rounds.Let M i denote the value of the string M at the i-th iteration which we want to be equal to Graycode(i).Let the linearized system of equations at the i-th iteration be denoted as A i • k = c i .We want to determine how A i+1 , c i+1 relate with respect to A i , c i .Let x → T x⊕v be the linear map from {0, 1} n → {0, 1} n that is obtained as a result of linearizing the S-boxes in any single round with the majority value string Str (note that T is an n × n matrix and v is a n-element vector).Let x → T x + v be the corresponding map when the majority string is Str ⊕ e t (here e t denotes the t-th unit vector of length s and 0 ≤ t < s).Then we define ∆ t = T ⊕ T and λ t = v ⊕v , so that ∆ t x+λ t denotes the change of linear map when the majority guess changes at the t-th S-box.
Let L a denote the n × n matrix used in the linear layer in the a-th round (with 1 ≤ a ≤ r).Also, let Graycode(i) ⊕ Graycode(i + 1) = e j for some j (by slight abuse of notation e j here denotes the j-th unit vector of length rs).If j < s, then it can be deduced that which means that the change of majority guess occurs in the u-th round, then denote j = j − (u − 1)s.B j is now defined as that it is thus possible to precompute for all j ∈ [0, rs − 1] the matrix-vector pair (B j , b j ) before the linearization step begins.Thus the linearization attack can be restated as follows: 1.For all j ∈ [0, rs − 1] precompute the matrix-vector pair (B j , b j ). 2. Compute A 0 , c 0 and try to solve the system A 0 • k = c 0 using GE.

For
Note that since none of the B j 's are sparse matrices, we can not devise a quicker method of doing GE on A i from the knowledge of steps involved in the GE of A i−1 .The additional complexity of constructing A i , c i at each step is given by a matrix and vector addition and so equal to n 2 + n bit operations which roughly corresponds to n 2 +n 2rn 2 ≈ 1 2r encryption operations.Thus if P denotes the cost involved in pre-computation (which is at most a polynomial in rs) then the total complexity of the method can be written as • 2 rs encryptions which gives us an improvement of a factor of 2r over the naive linearization method of the previous subsection.We have recalculated the complexities in Table 1 using this expression.
4 Attacking instances with complete S-box Layers

MITM attack on 2-round LowMC in [BBDV20]
Before we present our attack, let us summarize the attack in [BBDV20] for better understanding of the process.The attack is summarized in Fig. 2. The idea is as follows: let us denote K = [k 0 , k 1 , . . ., k n−1 ] to be the whitening key or the master key.Let us split the key into two parts 2 bits.We denote by R 1 , R 2 the first and second round functions i.e.R 1 (pt + K, RK 1 ) = x and R 2 (x, RK 2 ) = ct, where x denotes the n-bit input to the second round and RK 1 , RK 2 denotes the first, second round keys, respectively, which are of course linear functions of the whitening key K.
The idea is to formulate equations for the bits of x from both the plaintext and ciphertext side.Let us begin from the plaintext in the forward direction.Note that K 1 and K 2 have to be chosen so that the bits of K 1 and K 2 are never multiplied in the first round function.For example if the number of S-boxes in each round s = n/3 is odd, then t can be chosen to be 3(s − 1)/2 (else t = 3s/2).This way, K 1 and K 2 both contain close to n/2 key bits: the bits of K 1 after whitening are input to the first (s − 1)/2 S-boxes and K 2 to the remaining (s + 1)/2 S-boxes if s is odd (else both are input to s/2 S-boxes each).The only source of non-linearity in the first round are the S-boxes, and each S-box either gets the bits of K 1 or K 2 as inputs and so K 1 and K 2 are not mixed in a multiplicative sense in this round.This being the case, after the affine layer and addition of RK 1 , each bit x i can be written as f i (K 1 ) + g i (K 2 ) + c i where each f i , g i are at most quadratic functions over K 1 , K 2 and c i is a single bit constant.Now let us consider the expression for x from the ciphertext side in the backward direction.To do this we first perform the inverse affine function operation on the vector ct ⊕ RK 2 (where RK 2 is expressed in terms of K 1 and K 2 ).Thereafter we guess the s majority bits η 1 , . . ., η s at the input of the second round inverse S-boxes to linearize R 2 .After this, each bit of x can be written as an affine function of the key and the ciphertext.In fact each x i can be further written as where each A i , B i are linear functions over K 1 , K 2 and d i is a single bit constant.Given the equality we can rearrange the terms to get: Thereafter the attack is straightforward: first the algebraic expressions of f i , g i and c i for all i ∈ [0, n − 1] are calculated.Then for each of the 2 s guesses of the second round majority values: Note that each evaluation is done for only t of the n key variables and costs roughly t n of a round computation.Hence the computational complexity incurred in this step is t 4n • 2 t encryptions.Let us argue this point more closely.Note that in the above expression the f i (K 1 ) terms are always constant and does not change with every new guess of majority values.Thus we do not have to re-calculate it every new majority guess, and so this expression (∀ i ∈ [0, n − 1]) can be calculated once and stored in a table.The part that varies with every new majority guess is A i (K 1 ) ⊕ c i : note that calculating the n bit-values A i (K 1 ) is equivalent to a matrix-vector multiplication between a n×t matrix and the t-element vector K 1 and thus takes around nt bit operations.Adding c i and the precomputed f i (K 1 ) requires 2n more bit operations and so a total of nt+2n bit operations are required at every step.Since 2rn 2 = 4n 2 bit operations are required in a single 2-round LowMC encryption, this corresponds to nt+2n 4n 2 ≈ t 4n encryptions, and so the result follows.

A hash table LIST
. By following the previous logic this is computationally equivalent to n−t 4n • 2 n−t encryptions.As a final remark, note that the complexity required to formulate the expressions as explained in the previous section.However, this only appears as an additive term along with t 4n • 2 t and n−t 4n • 2 n−t and since it is much less as compared to both these terms, it can be ignored for simplicity.Although, it was not mentioned in [BBDV20], a Gray-code like approach as outlined in Sec 3.1 may be adopted here too, but since the cost of formulating the linear system is not the dominant term in the final complexity estimate, it does not reduce the computational cost significantly.
A collision in the 2 lists gives us a candidate key and there are on average 2 t • 2 n−t • 2 −n = 1 collisions in every MITM stage.Then a check is performed to see if the majority bits calculated for this candidate key are consistent with the initial guess η 1 , . . ., η s .If yes, the attack terminates.The total complexity for the steps inside the iterations is given as The cost for precomputing the values f i (K 1 ) and g i (K 2 ) over all the points in their input spaces can be done by using Möbius transforms over the respective algebraic forms.Since any t variable Boolean function can be evaluated in t•2 t−1 bit operations using this method, the total complexity of evaluating them is around n • 2 n−t ) bit-operations.This is considerably lower than the complexity T of the MITM part.Specifically, for n = 129, we can take t = 63 and n − t = 66.The total complexity of the attack is around 2 43 • (2 60 + 2 63 ) ≈ 2 43+63 = 2 106 encryptions.

2-stage MITM attack on 2-rounds with full S-box layer
After guessing the majority bits of the second round and linearizing it, we have already seen that the algebraic relation between the plaintext and ciphertext can be written as (2) Note that the functions A i , B i are linear and f i , g i are quadratic.It can be seen that for Equation (2) to hold we need not split K in such a way that K 1 and K 2 have approximately n/2 bits.We can, for example, also split K so that K 1 has around n/3 and K 2 has around 2n/3 bits.The only condition that must be satisfied is that the sizes of K 1 and K 2 are chosen so that they are never mixed multiplicatively in the first round.It is easy to see that if we choose t = |K 1 | and n − t = |K 2 | to be multiples of 3 then this condition is automatically satisfied.Note that, f i , g i can be expressed as affine functions in an extension of the input of double size.This comes from the structure of the Sbox: S(x 0 , x 1 , x 2 ) is an affine function on (x 0 , x 1 , x 2 , x 0 x 1 , x 1 x 2 , x 2 x 0 ).Let f i , g i be the affine functions associated with f i , g i .Therefore the above set of equations can be written as (3) Since K 1 only has the first t = 3w bits of the master key and so K 1 is of size 6w.Since ] can be seen as a linear code of length n and dimension 6w.
Let w be such that K 1 contains around n/3 key bits i.e. w ≈ n/9 and hence K 2 contains the remaining 2n/3 key bits.Since φ is seen as a linear code, let G be the corresponding generator matrix (of size n × 6w ≈ n × 2n/3), which can be efficiently constructed from the algebraic forms of the functions F i .Let H be the parity check matrix of the code (of size (n − 6w) × n ≈ n/3 × n).
The parity check matrix is essentially obtained from the generator matrix by employing one Gaussian elimination.Define Con to be the vector Note that the left side of Equation (3), when written in matrix notation for all i = 0, 1, . . ., n − 1 is essentially φ(K 1 ) + Con.Therefore we have . This follows from the fact that since G and H are the generator and parity check matrices of a linear code, we must have H • G = 0. We can split K 2 into two halves K 21 and K 22 such that both halves contain approximately n/3 key bits each.Let's say |K 21 |= 3u and |K 22 |= n−3w−3u (our strategy would be to have 3u ≈ n − 3w − 3u so that the halves are of equal size).We can rewrite , where g j i are quadratic and B j i are linear for j = 1, 2. Again this is possible if we take |K 21 | and |K 22 | to be multiples of 3, so that the bits of K 21 and K 22 after xor with the plaintext are input to different S-boxes.Due to the structure of LowMC, the quadratic terms from adjacent S-boxes do not combine multiplicatively after one round and so the separation into the 2 expressions is possible.Define the n-bit vectors: Note that if Eqn (3) for i = 0, 1, . . ., n − 1, can be written together as a vector equation.The right hand side of the vector equation is essentially M 1 + M 2 .We have already seen that the left hand side of the vector equation when multiplied by H results in the vector H • Con = e.Multiplying the right side of the vector equation by H, we get the matrix equation: Pre-computation: In this phase we try and compute some expressions that remain constant over different majority guesses.We compute the following vectorial functions over all points over its input space: (a) This follows since any t-variable Boolean polynomial can be evaluated over all its input space using Möbius transform using t • 2 t−1 bit operations.
1st MITM stage: Note that M 1 and M 2 only contain expressions on the key bits in the sets K 21 and K 22 respectively.Thus we can conduct a first MITM stage in which we create 2 lists L 1 , L 2 .L 1 contains the (n − 6w), n-bit vector pairs H • M 1 , M 1 for all 2 3u values of K 21 .And similarly the list L 2 contains the (n − 6w), n-bit vector pairs H • M 2 + e, M 2 for all 2 n−3w−3u values of K 22 .We look for a collision in the n − 6w co-ordinates of these lists.We are expected to get around 2 3u+(n−3w−3u)−(n−6w) ≈ 2 3w collisions.Thus in the process we get 2 3w key values for the key bit set K 2 = (K 21 , K 22 ).For computing each entry in the list L 1 we do the following: 1. Compute the vectorial linear functions B 1 0 , B 1 1 , . . ., B 1 n−1 over a given point k in K 21 .Each such computation takes |K 21 |•n = 3un bit operations.2. Add to the corresponding precomputed vector . This requires n bit operations.3. Multiply by H.Each such computation takes (n − 6w) • n bit operations.This is computationally equivalent to 3un+n+(n−6w)n 2rn 2 ≈ 3u+n−6w 4n of an encryption for r = 2.A similar argument holds for L 2 .Hence the total computational cost incurred in this step is 3u+n−6w 4n 2nd MITM: Let us now turn to Eqn (2).The left side of this equation is defined over approximately the 3w-bit set K 1 which can have 2 3w values in total.And we have just reduced K 2 to a set of 2 3w values.Thus the next MITM is making two more lists L 3 , L 4 of size 2 3w each in the following way.
enumerated for all the 2 3w values of K 1 .For all the 2 3w values of K 2 that have passed the previous MITM step we make the list L 4 containing the n-bit vector [ We now look for a collision between L 3 and L 4 .On average we have 2 3w+3w−n = 2 6w−n < 1 collisions.This means that the correct key K will necessarily by the output of one of these MITM steps for the correct guess of majority bits in the second round.For constructing L 3 we need to compute the n linear functions A i (K 1 ) over the 3w-bit variable K 1 which by the previous logic, requires 3wn bit operations each and then n bit operations for addition to the precomputed vector f i (K 1 ).Populating L 4 requires computing [g i (K 2 ) ⊕ B i (K 2 )] for all the K 2 that have passed the previous MITM step.However we can compute this vector by simply adding the M 1 , M 2 vectors that have collided in the previous MITM stage.This stage therefore requires 3wn+n 4n 2 • 2 3w encryptions.We are now ready to state the attack formally: over their respective input spaces.3. Guess the majority values η 1 , . . ., η s at the output of 2nd round S-box layer as in the previous attack.This step is done 2 s times in the worst case (note s = n/3).
-Compute A i , B i , d i for all i ∈ [0, n − 1] using the guessed values.
-Compute the functions -Using the F i 's, construct the generator matrix G.
-Using Gaussian elimination, construct the parity check matrix H. - -When a collision is found for K 1 and K 2 check if the majority bits are consistent with the guess of the key.If yes, this key is in fact the encryption key.Otherwise try another guess of η 1 , . . ., η s .
Complexity Estimation: We first consider the time complexity.For each guess of 2 s = 2 n/3 majority values, we have to perform a Gaussian elimination and 2 MITM steps.The cost of Gaussian elimination and the linear terms required to formulate A i , B i , d i and pre-computation may be ignored in comparison with 2 n/3 .Hence the total time complexity for this attack is around For w = u = n/9, the above evaluates to 2 n/3 • (( 1 6 + 1 6 + 1 12 ) • 2 n/3 ) = 5 12 • 2 2n/3 ≈ 2 2n/3−1.26encryptions.Memory Complexity: In the first MITM stage, we created 2 lists L 1 , L 2 which contain (n−6w), n-bit vector pairs for 2 3u possible values of K 21 and (n−6w), nbit vector pairs for 2 n−3w−3u possible values of K 22 , respectively.Note that in practice, 2 different lists are not necessary.We can instead insert each new vector of L 1 and L 2 into a single hash table.The memory complexity here is (2n−6w)•(2 3u +2 n−3w−3u ) bits.In the second MITM stage, we create 2 more lists L 3 , L 4 , both containing 2 3w n-bit vectors.By similar logic, memory complexity here is thereby 2n • 2 3w bits.The pre-computation part generates n-bit vectors over the input spaces of K 1 , K 21 , K 22 .Hence the memory complexity here is n • (2 3w + 2 3u + 2 n−3u−3w ) bits.The total memory complexity for this attack is around If we look at concrete parameters, for n = 129 and s = 43, we can choose the parameters in the following manner: we can choose w = u = 14, which makes • 2 42 = 2 38.4 encryptions.Hence the total attack complexity is 2 s • (2 42.4 + 2 38.4 ) ≈ 2 85 encryptions and around 2 53 bits of memory.This is lower than the linearization attack by a factor of 2 6 for this LowMC instance.

Extending attack to 3-rounds
The attack can be extended to 3-round LowMC in which we keep the basic character of the algorithm and run it by guessing the majority values of the last 2 rounds and linearizing both of them simultaneously.Hence a total of 2 2s values would need to be guessed in stead of 2 s .All other steps remain the same.Thus the computational complexity will be given by: This is so since encryption is now given by 2rn 2 = 6n 2 bit operations.The memory complexity is essentially the same as in the 2-round attack.For w = u = n/9, the above evaluate of computational complexity is 2 2n/3 • ((

Speedup using Gray-Codes
There are 3 places in the above process where a speed-up may be applied using a Gray-code like approach.1.By ordering the majority guesses in a Gray-code like manner as in Sec 3.1 so that the affine expressions formed after linearizing the S-boxes can be generated more efficiently.But we have already seen that this does not result in significant speed-up when employed along with MITM. 2. Using a Gray-code like approach to do the pre-computations.3. Using a Gray-code like approach to generate the values of the expressions that are inserted in the tables in each of the MITM stages.We will see how optimizing this stage results in significant speed-up.
There are several methods of evaluating an n-variable Boolean function over all the 2 n points of its input space, given its algebraic expression.One such method, as we have already seen is the Möbius transform which evaluates the function in-place by performing around n • 2 n−1 bit operations.However the method we will use for this method is the Gray-code based approach suggested by [BCC + 10] which finds all roots of a polynomial over GF(2) by evaluating it over all points of its input space by traversing the space in a Gray-code like manner.We start with the following theorem from [BCC + 10].
Theorem 1. [BCC + 10] All the zeroes of a single multivariate polynomial f in n variables of degree d can be found in essentially d • 2 n bit operations (plus a negligible overhead), using n d−1 bits of read-write memory, and accessing n d bits of constants, after an initialization phase of negligible complexity O(n 2d ).
We present a top-level overview of the approach used in this paper.Consider the derivative δf δi : x → f (x + e i ) ⊕ f (x).Then for any vector x, we have If the algebraic degree of f is d then δf δi is of degree d − 1.Thus the idea is to calculate δf δi recursively for lower degrees till at the lowest level of recursion δf δi is a constant.Since we will only use this method to evaluate linear or quadratic functions, we will use the method outlined in [BCC + 10, pg 209, Fig. (b)], that specifically caters to the case when f is of degree less than or equal to 2. When we use this approach to optimize the precomputation part, we can evaluate each t-variable quadratic Boolean function in 2 t+1 bit-operations.As a result the pre-computation cost can be brought down to 2n • 2 3w + 2 3u + 2 n−3u−3w bit-operations.However, note that the precomputation is not the most dominant term in the total computational cost, and so this gives only a slight improvement.
We now see how we can improve the complexity of the MITM stages by using this approach.Note that we only evaluate linear functions inside the iterations for each majority guess.Since only 2 t bit-operations are required to evaluate any linear function using the Gray-code approach we can accelerate this part considerably.Note that in L 1 we need to store both H • M 1 and M 1 .To do this, we begin by computing the quadratic expressions each one of the n bits M 1 and then each of the (n − 6w)-bits given by H • M 1 .We use the Gray-code approach of [BCC + 10], to evaluate these functions over all the points of their input domains.The number of bit operations required are therefore n Similarly the list L 2 would require around 2n−6w 2rn 2 • 2 n−3u−3w+1 encryptions.The lists L 3 , L 4 are simpler to construct.For L 3 we need to compute the n linear functions A i (K 1 ) which requires n • 2 3w bit operations each and then add to the precomputed vector f i (K 1 ).Populating L 4 , as before can be done by simply adding the M 1 , M 2 vectors that have collided in the previous MITM stage.This stage therefore requires 2n 2rn 2 •2 3w + n 2rn 2 •2 3w ≈ 3n 2rn 2 •2 3w encryptions.This reduces the main terms of the computational complexity to For n = 129, r = 2 and u = w = 14, we have T = 2 80.7 encryptions.For n = 129, r = 3 and u = w = 14, we have T = 2 123.2 encryptions.The memory complexity of this attack is the same as the attack in the previous sub-section plus the additional cost for storing tables required for fast Gray-code based evaluations.Using Theorem 1, this additional memory is (3u • n bits which is negligible when compared to the space occupied by the lists.In order to perform a MITM on the partial S-box layer instances of LowMC, we use a trick used in both [BBDV20,RST18] to transform some of the initial and final rounds so that the total number of different key bits involved in these rounds is 3s per round.The transformations are shown in Figs. 3, 4 and are similar to the ones used in [RST18].In fact the transform used in the backward direction (see Fig. 4) is exactly same as the one used in [RST18, Fig. 1].The idea is that the affine layer and key addition are interchangeable.Since L is a linear function, we have L(x) Hence the key addition can be moved before or after the affine layer as required, by multiplying the round key by the appropriate matrix.Let the set of round key bits in the first a, b and the last c rounds be denoted as and Denote by K rem the remaining n − 3s(a + b + c) key bits such that K a , K b , K c , and K rem are linearly independent expressions of the master key and so any key bit can be expressed as a linear function of them.Note that we implicitly assume here that n ≥ 3s(a + b + c).Let X = [x 0 , x 1 , x 2 , . . ., x n−1 ] be the output of the first a rounds, W = [ω 0 , ω 1 , . . ., ω n−1 ] be the output of the first a+b rounds and Y = [y 0 , y 1 , . . ., y n−1 ] be the input to the last c rounds as shown in Fig. 5. Observe the middle b and d = r − a − b − c rounds closely, as seen in Fig. 6.Let us introduce 6b • s new variables U = [u 0 , u 1 , . . ., u 3bs−1 ] and Z = [z 0 , z 1 , . . ., z 3bs−1 ] such that they represent the input and output bits of the b • s S-boxes in the middle b rounds.Our first aim is to find a linear expression relating the x i 's, y i 's and z i 's and the key bits.Let D = [D 0 , D 1 , . . ., D n−1 ] be the output of the first of the b rounds (see Fig. 6).Then we can write D = Lin 1 (z 0 , z 1 , . . ., z 3s−1 , x 3s , x 3s+1 , . . ., x n−1 ), where Lin 1 denotes a set of n affine functions.
is the output of the next round we can write E as a set of linear functions on (z 3s , z 3s+1 , . . ., z 6s−1 , D 3s , D 3s+1 , . . ., D n−1 ) which means that we can write E = Lin 2 (z 0 , z 1 , . . ., z 6s−1 , x 3s , x 3s+1 , . . ., x n−1 ) as a set of linear functions on X and the first 6s z i 's.Iterating upto all the b rounds, it can be seen that W can be written as a set of linear functions on the entire Z and x 3s , x 3s+1 , . . ., x n−1 .Now if we guess the majority bits at the inputs of the following d rounds, they become completely linear.In that case Y itself becomes linear in W and K a , K b , K c , K rem (since the key bits used in these d rounds can be seen as linear expressions in K a , K b , K c , K rem ).Hence we have The above equation denotes a system of n affine equations (one for each bit in Y ) in all the n bits of the key.Our aim is to get a reduced set of equations by somehow eliminating Z, K b , K rem from this set.Note that the set Λ = {Z, K b , K rem } comprises a total of θ = 3sb+3sb+(n−3s(a+b+c)) variables.Consider the system of n equations given in Equation ( 6).Apart from the θ variables the system has n (for Y ) + (n − 3s) (for X) + (3as + 3cs) (for K a , K c ) = 2n + 3(a + c − 1)s variables.So the above system can be written in matrix notation as M • v = a, where v is the set of 2n + 3(a + c − 1)s + θ = (3n + 3sb − 3s) variables, M is a matrix over GF(2) of size n × (3n + 3sb − 3s), and a is a constant vector.Rearrange v so that the variables in Λ are the first θ elements of v. Then we use Gaussian elimination to sweep out at least the first θ columns of M. Then the last n − θ rows of the matrix would then have the entries in the first θ columns all equal to 0 and thus these are the linear equations in K a , K c , X, Y that we get from this process.Note we have a total of n − θ = 3sa + 3sc − 3sb equations of this form.First MITM: The equations so obtained can be rearranged and written as Aff 1 (K a , X) = Aff 2 (K c , Y ), where Aff 1 , Aff 2 are the set of 3sa + 3sc − 3sb affine functions on K a , X and K c , Y respectively, obtained above.We now state the first MITM step: note that if we guess the value of K a , we can easily obtain the value of X by computing the forward a rounds from the plaintext.If we guess K c we can similarly compute Y , by computing backward the last c rounds from the ciphertext.Hence for all the 2 3sa values of K a we make the first list L 1 that contains all the (3sa − 3sb + 3sc)-bit vectors calculated from Aff 1 (K a , X).

Guess Majority S
Similarly for all the 2 3sc values of K c we make the second list L 2 that contains all the 3sa−3sb+3sc-bit vectors calculated from Aff 2 (K c , Y ).We look for collisions in the two lists.We can expect around 2 3sa+3sc−(3sa−3sb+3sc) = 2 3sb collisions.We store all the 2 3sb tuples (K a , K c ) so obtained in a list L.
Second MITM: The second part of the attack focuses on getting an affine relation between U , Z and K b .From Fig. 6, we can see that For the second round we have where Lin 1,i is the i-th linear function of Lin 1 described above.The above holds since we have already seen that all D i 's are linear functions in (z 0 , . . ., z 3s−1 , x 3s , . . ., x n−1 ).Similarly for the third round we have = Lin 2,i (z 0 , . . ., z 6s−1 , x 3s , . . ., where Lin 2,i is similarly the i-th linear function of Lin 2 .Iterating over all the b rounds we can write the vector equation, U = K b + P(Z, x 3s , . . ., x n−1 ), where P denotes the set of 3bs linear expressions obtained by putting together the linear expressions Lin 1,i , Lin 2,i etc.We can now replace K b in Equation ( 6) to get Y = Lin(Z, x 3s , x 3s+1 , . . ., x n−1 , K a , U + P(Z, x 3s , . . ., x n−1 ), K c , K rem ) = Lin (Z, x 3s , x 3s+1 , . . ., x n−1 , K a , U, K c , K rem ).
This time we eliminate K rem from the above set of linear equations using the same Gaussian elimination method as in the previous stage.There are n−3s(a+ b + c) variables in K rem that we eliminate, which leaves us with 3s(a + b + c) equations in Z, x 3s , x 3s+1 , . . ., x n−1 , K a , U, K c .We can rearrange the terms in the equation to get Aff 3 (Z, U ) = Aff 4 (X, K a , K c ), where Aff 3 , Aff 4 are a set of 3s(a + b + c) affine functions on Z, U and K a , K c , X respectively.Note that if we guess Z, we can compute U since the S-box is bijective, and we have already seen that guessing K a lets us compute X by computing the a forward rounds from the plaintext.Thus in the next MITM stage we make 2 lists L 3 , L 4 .In L 3 we store the 3s(a + b + c)-bit vector given by the expressions Aff 3 (Z, U ) for each of 2 3bs values of Z.In L 4 we store the 3s(a + b + c)-bit vector given by the expressions Aff 4 (X, K a , K c ) for each of 2 3bs values of (K a , K c ) in L. We again look for collisions in the 2 lists.The expected number of collisions is 2 3bs+3bs−3s(a+b+c) = 2 3sb−3sa−3sc .However the correct value of the key K a , K c is guaranteed to be the outcome of the collision finding stage for the correct guess of the majority values.
Once we get a candidate solution K a , K c , Z, U we can compute the vectors X, Y by computing the a, c rounds forwards/backwards from the plaintext/ciphertext.We can then compute K b = U + P(Z, x 3s , . . ., x n−1 ).As we know the majority of the inputs of the S-boxes in r − a − b − c middle rounds, we can solve an affine equation of form Aff rem (W, K rem ) = Y to recover the value of K rem , which was the only part of the key which remained unknown.After this one can check if the key so obtained produces the required majority values guessed at the beginning.If not the attacker can restart the process with another set of majority values.The expected number of such checks is around 2 s(r−a−b−c)+3sb−3sa−3sc = 2 rs−4sa−4sc+2sb .We formally state the attack: -For every pair (K a , K c ) in the list L, compute Aff 4 (X, K a , K c ).
-For every possible value of Z, compute Aff 3 (Z, U ), where U can be computed efficiently from Z, and look for occurrence with Aff 3 (Z, U ) in the list from the previous step.-For every (K a , K c , Z, U ) satisfying the relation, compute K b , W, Y as shown before.-Linearize the middle r − a − b − c rounds using the majority guess and compute K rem from Aff rem (K rem , K a , K b , K c , W ) = Y .-After the entire key is found, check if they result in the same majority values assumed at the beginning of the attack or else retry with another set of majority values.
complexity of the attack is estimated as: As n and s go to infinity, the optimal parameters become a = b = c = 1 and the asymptotic complexity is equivalent to 4 r * 2 sr , which is an improvement by a factor n/8 compared to the linearization attack.When s remains small (e.g.s = 1), the optimal parameters can be larger.With a = b = c = log 2 (2n) 3s , the complexity is asymptotically 4 log 2 (n) 3sr • 2 sr .If we take sr = n, this is better than exhaustive search by a factor Ω n log(n) .The memory complexity is dominated by the space required for the 2 MITM stages.It can be seen that the total memory complexity in bits can be computed as For the n s -round instances, we get the following results.For n = 128, s = 1, r = 128, if we take a = b = c = 5, we get the total complexity around 2 125 encryptions with 2 22 bits of memory.For n = 128, s = 10, r = 12, if we take a = b = c = 1, we get the total complexity around 2 119 encryptions with 2 38 bits of memory.For the 0.8 × n s -round instances, we get the following results.For n = 128, s = 1, r = 103, if we take a = b = c = 5, we get the total complexity around 2 101 encryptions.For n = 128, s = 10, r = 10, if we take a = b = c = 1, we get the total complexity around 2 99 encryptions.The memory complexity is the same as the corresponding n s -round attacks.

Speed-up using Gray-Codes
Note that the technique outlined in [BCC + 10] to evaluate a function over all points of its input domain, works best for linear or quadratic functions.As such, it is best to employ the attack when the set of functions for which we want to evaluate over the input space is quadratic/linear.This is only possible if we restrict a = c = 1.Let us see why.The first MITM procedure finds collision between two lists using the equation Aff 1 (K a , X) = Aff 2 (K c , Y ).Note that, thus far, X (rep.Y ) has been computed from the plaintext (resp.ciphertext) by guessing K a (resp.K c ) and evaluating the first a rounds in the forward direction (resp.last c rounds in the backward direction).In order to apply Gray-code based speed-up we need to express X and Y as functions of K a and K c .These functions happen to be quadratic only when a = c = 1.This condition automatically ensures that in the second MITM equations are also quadratic.This is true since the second MITM essentially equates Aff 3 (Z, U ) = Aff 4 (X, K a , K c ), and we know that the relation between U, Z is quadratic since these are the input-output bits of the LowMC S-box in the middle b rounds.However note that unlike, in the MITM for the complete non-linear layers, there is no pre-computation in the first MITM that helps us reduce the steps in the second MITM.Aff 4 (X, K a , K c ) needs to be only evaluated for the 2 3sb pairs of K a , K c that survive the 1st MITM.However to employ Gray-code based speed up we need to evaluate Aff 4 over all points of its input space.We could split Aff 4 into Aff 5 (K a , X)+Aff 6 (K c ) and then evaluate each of the Aff 5 and Aff 6 separately.Thus the time required for the first MITM would be It only makes sense to employ Gray-codes if T G1 + T G2 < T 1 + T 2 .For s = 1, the optimal values of a, b, c are considerably higher and it does not make sense to attempt the Gray-code speed-up using this algorithm.In fact even if we attempt to use this method by forcing a = b = c = 1, the complexity is many times higher.Intuitively this makes sense, if a, c and s are both 1 then the lists require exhaustive search over only 3as = 3sc = 3 variables, for which employing even a non-Gray-code approach would take only 2 3 function evaluations.However when s = 10, using such Gray-codes to execute the MITM stages is beneficial.For n = 128, s = 10, r = n s = 12, if we take a = b = c = 1, we get the total complexity around 2 110.6 encryptions which is better than the previous estimate by a factor of around 2 9 .For r = 0.8 × n s = 10 using the same parameters we get the total complexity around 2 90.8 encryptions which again outperforms the previous estimate by a factor of around 2 8 .

Experimental Results
In this section we present experimental data to showcase how our new attacks stack up in comparison to the attacks proposed in [BBDV20] on instances of LowMC with smaller blocksizes.Our results indicate that for all instances targeted in our paper, there is a significant speedup compared to the previous attacks.Moreover, we provide experimental evidence that our attacks successfully recover the key with a better complexity than exhaustive search for both 3-round with full S-box layer and n/s-round with partial S-box layer variants.
All the attacks and variants of the encryption function were implemented in Sage and ran on an Intel Xeon E5-2680 processor with 256 GB of memory.Each attack was run for several randomly generated instances.The complexity figures are reported by computing the base 2 logarithm of the amount of time taken by the attack, divided by the amount of time one encryption takes.1 Full S-box Layer: For the 2-round full S-box layer variant of the cipher, we implemented all three Linearization, 2-step MITM and 2-step MITM with graycode enumeration attacks for n = 18.The results are presented in Fig. 8. On average, the linearization attack required 2 16.38 encryptions to recover the key, where as the 2-stage MITM, and the gray code enumeration attacks required 2 13.31 and 2 6.42 encryptions to yield a solution respectively.
We also implemented the attack using Gray-code enumeration for 3-round variants of block size 12.Fig. 9 show cases the complexity of this attack for several randomly generated samples.Our experimental results indicate that the 3-round variant of this attack yields a solution faster than exhaustive search for all the samples we ran the attack for and the average complexity of our experiments was 2 5.88 encryptions for n = 12, s = 4, r = 3. Partial Non-Linear Layer: For the partial S-box layer variant of the cipher with number of rounds equal to r = n s ×0.8, we implemented the 2-stage MITM attack described in section 5, the linearization method described in [BBDV20] and in addition the special case gray-code enumeration attack described at the end of 5.For n = 16, s = 1 and r = 12 the linearization attack yielded a complexity of 2 10.29 encryptions, and the two-step MITM and the gray-code enumeration attacks yielded a solution in 2 8.46 and 2 8.50 encryptions respectively.
For the 2-step MITM attack, we ran the experiments for 3 instances of a = b = c = 1, a = b = c = 2 and a = b = c = 3.According to our experimental results the best performance was when a = b = c = 1.The results of the 3 attacks are demonstrated in Fig. 10a, and it is evident that both our new attacks are significantly faster than the linearization method.
We also experimented the attack for n = 12, s = 1 and r = n/s = 12 and a = b = c = 1.According to our experimental results demonstrated in Fig. 10b,

Conclusion
In this paper, we present a 2-stage MITM on several instances of LowMC using only a single plaintext/ciphertext.The first MITM stage reduces the key candidates corresponding to a fraction of key bits of the master key.The second MITM stage between this reduced candidate set and the remaining fraction of key bits successfully recovers the master key.We have shown with experimental evidence on smaller versions of LowMC that the combined computational complexity of both these stages is significantly lower than those reported in [BBDV20].t = 3.If f = 1 at (x 0 , x 1 , x 2 ) = (α 0 , α 1 , α 2 ), (β 0 , β 1 , β 2 ) and (γ 0 , γ 1 , γ 2 ), then we need to solve The above systems may have more than one solution depending on whether the 3 × 3 matrices in the LHS are full rank or not.Even if the matrices are full rank we can see that if (u, v, w) and (U, V, W ) are solutions, both g 1 = ux 0 +vx 1 +wx 2 and g 2 = U x 0 + V x 1 + W x 2 + 1 are zero on all the 3 points.Since both these functions can not be identically zero, we have found a non-zero element in the kernel of Im(φ f ).Hence (φ f ) is not bijective when f is unbalanced.For t < 3 points, the matrices on the left are of size t × 3 and the systems above are guaranteed to have multiple solutions since their ranks are definitely less than 3.

5 2 -Fig. 3 :
Fig.3: Transforming the round function in the first r 1 rounds.From A → B, the key material not added to bits input to the S-box in round 1 (shown in orange background) are carried to the next round, through the affine layer and merged with the round key in round 2. B → C → D do the same from the second round onwards.Figure taken from[BBDV20]

Fig. 4 :
Fig. 4: Transforming the round function in the final r 3 rounds.A → B flips the order of the last round Affine layer and round key xor.B → C takes the bits of the last round key that are not added to S-box outputs (shown in orange background), and brings them back by 1 round and merges it with the penultimate round key.C → D flips the order of the Affine layer and round key of the penultimate round, and D → E generalizes the process from this point onwards.Figure taken from [BBDV20]

KFig. 6 :
Fig. 6: The middle b + d rounds 1. Separate the first a + b and last c rounds of the cipher 2. Denote the output of the first a rounds by X, the output of the b rounds by W and the input of the last c rounds by Y .3. Denote the inputs/outputs of the S-boxes in the b rounds by U/Z 4. Guess majority bits of the inputs of the S-boxes of r − a − b − c middle rounds.5.For every majority guess do:First MITM:-Compute the relation Y = Lin(Z, x 3s , . . ., x n−1 , K a , K b , K c , K rem ) -Eliminate K b , K rem , Zfrom the relation and form and equation of form Aff 1 (K a , X) = Aff 2 (K c , Y ).-By exhausting all possible values of K a keep a list of Aff 1 (K a , X), where X is computed knowing K a and plaintext pt.-Try all possible values of K c and find collisions between Aff 2 (K c , Y ) and the list computed in the previous step.Keep a list L of (K a , K c ) values satisfying the condition.Second MITM: -Compute the relation Y = Lin (Z, x 3s , x 3s+1 , . . ., x n−1 , K a , U, K c , K rem ) by replacing K b .-Eliminate K b , K rem to get a relation of form Aff 3 (Z, U ) = Aff 4 (X, K a , K c ).

Fig. 7 :
Fig. 7: The base 2 logarithm of the complexity of the 2-stage MITM attack when n = 128 and s = 1, 10, for n = 0.8 × n s , when a, b, c are kept equal and varied.

Fig. 8 :Fig. 9 :
Fig.8: The histogram of base 2 logarithm of the time complexity of all linearization, 2-stage MITM and 2-stage MITM with gray-code enumeration attacks for n = 18, s = 6, r = 2, in terms of the time it takes to perform a single encryption with the same key, the same affine layers, and the same key update functions.

Fig. 10 :
Fig. 10: (a) The logarithm of the complexity of 2-step MITM, 2-step MITM with gray-code enumeration and linearization attacks for the partial S-box layer variant with parameters n = 16 , s = 1 and r = 12, (b) The logarithm of the complexity of the two-step MITM attack for n = 12, s = 1, r = 12.