Meet-in-the-Middle Attacks on Full ChiLow
Pre-Print
Published at Cryptology ePrint Archive, 2026
This work presents the first full-round attacks on ChiLow-32 and ChiLow-40, two tweakable low-latency block ciphers presented at Eurocrypt 2025.
We first describe a straightforward Meet-in-the-Middle attack on full ChiLow-32 with multiple known plaintext-ciphertext pairs. To improve this attack, we carefully reduce the number of guesses required by (1) tracing differences in order to remove linear key dependencies and (2) moving from key guesses to state guesses. Using a novel method that is based on the propagation of differences and linear masks, we are able to map out the state dependencies for computing the difference at the matching point. This results in an attack on ChiLow-32 with time complexity \(2^{120.34}\) using 160 known plaintext-ciphertext pairs, and an attack with time complexity \(2^{102.09}\) using 64 chosen ciphertexts.
Using these techniques, together with an additional trick to better balance the complexities of the meet-in-the-middle branches, we propose an attack on ChiLow-40 with time complexity \(2^{122.32}\) using \(2^{8}\) chosen plaintexts. All of our attacks are within ChiLow’s security model, and are currently the best and only known key recovery attacks on full-round ChiLow-32 and ChiLow-40.
Joint work with Eran Lambooij, Michiel Verbauwhede, Shichang Wang, Tianyu Zhang
