
Improved Related-tweak Attack on Full-round HALFLOOP-48

Source: China Science Data. Updated 2026-04-16, indexed 2026-04-25.
Download link:
https://www.sciengine.com/AA/doi/10.11999/JEIT251014
Resource description:
Objective: HALFLOOP is a family of tweakable AES-like lightweight block ciphers used to encrypt automatic link establishment (ALE) messages in fourth-generation high-frequency radio systems. Because the RotateRows and MixColumns operations diffuse differences rapidly, long differentials with high probability are difficult to construct, which limits attacks on the full cipher. This study examines full-round HALFLOOP-48 and evaluates its resistance to sandwich attacks in the related-tweak setting, an important technique in lightweight-cipher cryptanalysis.

Methods: A new truncated sandwich distinguisher framework is proposed for attacking full-round HALFLOOP-48. The cipher is decomposed into three sub-ciphers, $E_0$, $E_{\rm m}$ and $E_1$. A model is built for each part with an automatic search method based on the Boolean satisfiability problem (SAT): byte-wise models for $E_0$ and $E_1$ and a bit-wise model for $E_{\rm m}$. For $E_{\rm m}$, a method for modeling large S-boxes in SAT, the Affine subspace Dimensional Reduction (ADR) method, is proposed. ADR converts the modeling of a high-dimensional set into two sub-problems over low-dimensional sets. It ensures that the differentials found by the SAT search actually exist and that their probabilities are accurate, while reducing the size of the Conjunctive Normal Form (CNF) clauses; it also lets the SAT method search longer differentials efficiently when large S-boxes are present. To improve the accuracy of the probability in $E_{\rm m}$, the dependencies between $E_0$ and $E_1$ are evaluated across three layers and their probabilities are multiplied. Two key-recovery attacks, a sandwich attack and a rectangle-like sandwich attack, are mounted on the distinguisher in the related-tweak scenario.

Results and Discussions: The SAT-based model reveals a critical weakness in HALFLOOP-48. A practical sandwich distinguisher for the first 8 rounds with probability $2^{-43.415}$ is identified. An optimal truncated sandwich distinguisher for 8-round HALFLOOP-48 with probability $2^{-43.2}$ is then established by exploiting the clustering effect of the identified differentials. Compared with earlier results, this distinguisher is practical and extends the reach by two rounds. Using the 8-round distinguisher, both a sandwich attack and a rectangle-like sandwich attack are mounted on full-round HALFLOOP-48 under related tweaks. The sandwich attack requires data complexity $2^{32.8}$, time complexity $2^{96.2}$ and memory complexity $2^{42.8}$. For the rectangle-like sandwich attack, the data complexity is $2^{16.2}$, the time complexity $2^{99.2}$ and the memory complexity $2^{26.2}$. Compared with the previous results, these attacks reduce the time complexity by a factor of $2^{25.4}$ and the memory complexity by a factor of $2^{10}$.

Conclusions: To handle the rapid diffusion of differences in HALFLOOP, a new perspective on sandwich attacks based on truncated differentials is developed by combining byte-wise and bit-wise models. The models for $E_0$ and $E_1$ are byte-wise and are extended forward and backward into the bit-wise model of $E_{\rm m}$. To model the 8-bit S-box in $E_{\rm m}$ efficiently, an affine subspace dimensional reduction approach is proposed. This model ensures compatibility between the two truncated differential trails and covers as many rounds as possible with high probability. It supports a new 8-round truncated boomerang distinguisher that outperforms previous distinguishers for HALFLOOP-48. Based on this 8-round truncated boomerang distinguisher, a key-recovery attack with a success probability of 63% is achieved. The results show that (1) the ADR method offers an efficient way to model large S-boxes in lightweight ciphers, (2) the truncated boomerang distinguisher construction can be applied to other AES-like lightweight block ciphers, and (3) HALFLOOP-48 does not provide an adequate security margin for its use in the U.S. military standard.
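The abstract above reasons about three quantities: differential probabilities for the outer parts $E_0$ and $E_1$, a boomerang-switch probability for the middle part $E_{\rm m}$, and the clustering effect obtained by summing the probabilities of all differentials that fit one truncated pattern. The following added example (not code from the paper or the HALFLOOP specification) computes each of these for a single 8-bit S-box: the difference distribution table (DDT), the boomerang connectivity table (BCT) entry for a middle-layer switch, the truncated (clustered) probability, and the combined sandwich probability $p^2 q^2 r$. The AES S-box is used as a representative 8-bit S-box; this is an assumption, since the page does not state which S-box HALFLOOP-48 uses, and the truncated output set is constructed for illustration.

```python
"""Toy computation of the quantities behind a sandwich/boomerang distinguisher
on one 8-bit S-box: the DDT (outer trails through E0 and E1), a BCT entry
(the middle switch in Em), probability clustering over a truncated output
set, and the combined sandwich probability p^2 * q^2 * r.

Added illustration, not code from the HALFLOOP-48 paper. The AES S-box is
an assumed stand-in for the cipher's 8-bit S-box.
"""
import math


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254; the inverse of 0 is defined as 0, as in AES."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0


def aes_sbox() -> list:
    """Build the AES S-box: field inverse followed by the AES affine map."""
    sbox = []
    for x in range(256):
        b = gf_inv(x)
        y = b
        for _ in range(4):  # y = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            b = ((b << 1) | (b >> 7)) & 0xFF
            y ^= b
        sbox.append(y ^ 0x63)
    return sbox


def ddt(sbox: list) -> list:
    """Difference distribution table: ddt[din][dout] = #{x : S(x) ^ S(x ^ din) = dout}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for din in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def bct_entry(sbox: list, sinv: list, din: int, dout: int) -> int:
    """BCT entry: number of x for which a boomerang with input difference din
    and output difference dout through this single S-box returns."""
    return sum(
        1 for x in range(len(sbox))
        if sinv[sbox[x] ^ dout] ^ sinv[sbox[x ^ din] ^ dout] == din
    )


def diff_prob(table: list, din: int, douts) -> float:
    """Probability that input difference din maps into the set douts.
    A single dout is one differential; a set is the truncated differential,
    i.e. the clustering effect of summing compatible differentials."""
    return sum(table[din][d] for d in douts) / len(table)


def sandwich_log2(p: float, q: float, r: float) -> float:
    """-log2 of the sandwich probability p^2 * q^2 * r."""
    return -math.log2(p * p * q * q * r)


def demo() -> dict:
    """Worked numbers for the assumed S-box, returned so they can be checked."""
    s = aes_sbox()
    sinv = [0] * 256
    for x, y in enumerate(s):
        sinv[y] = x
    t = ddt(s)
    din = 0x01
    best_dout = max(range(1, 256), key=lambda d: t[din][d])
    p_single = diff_prob(t, din, [best_dout])  # best single differential
    # Constructed truncated pattern: any output difference sharing the high
    # nibble of best_dout (so it always contains best_dout).
    truncated = [d for d in range(1, 256) if d >> 4 == best_dout >> 4]
    p_trunc = diff_prob(t, din, truncated)
    r = bct_entry(s, sinv, din, best_dout) / 256  # middle-switch probability
    return {
        "ddt_max": max(t[d][o] for d in range(1, 256) for o in range(256)),
        "p_single": p_single,
        "p_trunc": p_trunc,
        "bct_ge_ddt": bct_entry(s, sinv, din, best_dout) >= t[din][best_dout],
        "sandwich_log2": sandwich_log2(p_single, p_single, r),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two properties worth noticing when running it: the BCT entry is never smaller than the DDT entry for the same pair (any x that satisfies the differential also makes the boomerang return), and the truncated probability is at least the best single-differential probability, which is the clustering effect the abstract exploits to move from $2^{-43.415}$ to $2^{-43.2}$.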
Created:
2026-04-16