Automatic boomerang attacks search on Rijndael

2.1 Rijndael

Rijndael- C len - K l e n (where C len is the block size and K len is the key size) is a set of 25 different SPN block ciphers designed by Daemen and Rijmen [17]. Each instance varies according to the block size (128, 160, 192, 224, or 256 bits) and to the key size (128, 160, 192, 224, or 256 bits), but the ciphering process is the same for all variants, except for the ShiftRows operation and the number of rounds (given in Table 1). It has been chosen as the new AES by the NIST [18], with a 128-bit block size and a key length that can be set to 128, 192, or 256 bits. The number of rounds N r depends on text size C len and the key size K len and varies between 10 and 14. For all versions, the i th round input block is represented by a 4 × N b matrix of bytes, denoted by X [ i ] , where N b = ( C len ∕ 32 ) is the number of columns. Each byte at row j and column k of this block is denoted by X [ i , j , k ] . X [ i ] is thus the state at the beginning of round i . Note that X [ i ] is also the state after applying the AddRoundKey function on the previous round X [ i − 1 ] . The round function is repeated N r − 1 times, and it is composed of one nonlinear function (SubBytes) and three linear functions (ShiftRows, MixColumns, and AddRoundKey) described below.

1. SubBytes is a bytewise transformation that is applied to each byte of the current block using an 8-bit to 8-bit nonlinear S-box, denoted by SBOX. We denote S X [ i ] the state of round i , after applying SubBytes, i.e., S X [ i , j , k ] = SBOX ( X [ i , j , k ] ) ∀ j ∈ [ 0 , 3 ] ∀ k ∈ [ 0 , N b − 1 ] .

2. ShiftRows is a linear mapping that rotates to the left the rows of the current matrix S X [ i ] . Shift values, denoted by P N b [ j ] , depend on the number of columns N b and the row number j and are defined by the following table:

   P = N b j = 0 j = 1 j = 2 j = 3 4 0 1 2 3 5 0 1 2 3 6 0 1 2 3 7 0 1 2 4 8 0 1 3 4 .

   We denote Y [ i ] the state of round i after applying ShiftRows, i.e., Y [ i , j , k ] = S X [ i , j , ( P N b [ j ] + k ) mod N b ] ∀ j ∈ [ 0 , 3 ] ∀ k ∈ [ 0 , N b − 1 ] .

3. MixColumns is a linear multiplication of each column of the current state by a constant matrix M in the Galois field GF( 2 8 ). We denote Z [ i ] the state of round i after applying MixColumns, i.e., for each row l ∈ [ 0 , 3 ] and each column k ∈ [ 0 , N b − 1 ] , we have:

   Z [ i , l , k ] = ∑ j ∈ [ 0 , 3 ] M [ l , j ] ⊗ Y [ i , j , k ] ,

   where ⊗ denotes the multiplication in GF( 2 8 ) and M is the following 4 × 4 circulant matrix:

   2 3 1 1 1 2 3 1 1 1 2 3 3 1 1 2 .

4. AddRoundKey performs a bitwise XOR between the subkey R K [ i ] of round i and the current state Z [ i ] : X [ i + 1 , j , k ] = Z [ i , j , k ] ⊕ R K [ i , j , k ] , ∀ j ∈ [ 0 , 3 ] , ∀ k ∈ [ 0 , N b − 1 ] .

The subkeys R K [ i ] are generated from the master key K using a KeySchedule algorithm composed of byte shifting, SBOX substitutions and XORs, which are is fully described in Algorithm 1. We denote by N k = K len ∕ 32 the number of columns of the master key K . Each subkey R K [ i ] is extracted from the expanded key W K computed by Algorithm 1 in the following way:

Those N r − 1 rounds are surrounded at the top by an initial key addition with the subkey R K [ 0 ] and at the bottom by a final transformation composed by a call to the round function where the MixColumns operation is omitted.

2.2 Boomerang attacks

The boomerang attack is a variant of the differential attack that was introduced by David Wagner in 1999 [1].

Given an initial message M 1 , an adversary first constructs a second message M 2 = M 1 ⊕ α . She encrypts M 1 and M 2 to obtain C 1 and C 2 , respectively. Then, she adds a difference δ to those two ciphertexts to obtain C 3 = C 1 ⊕ δ and C 4 = C 2 ⊕ δ . Finally, she deciphers C 3 and C 4 to obtain M 3 and M 4 , respectively, and she compares M 3 ⊕ M 4 with the initial difference α = M 1 ⊕ M 2 .

In their basic form, boomerang distinguishers are built by rewriting E as the composition of two sub-ciphers (i.e., E = E 1 ∘ E 0 ) and by finding a good differential for each part where the overall structure is seen as a rectangle shown in Figure 1. If p and q denote the probabilities of the differentials over the upper and lower trails E 0 and E 1 (i.e., p = Pr ( α → E 0 β ) and q = Pr ( δ → E 1 − 1 γ ) ), respectively, a first approximation returns that the probability induced by Figure 1 is thus close to p 2 q 2 .

Figure 1

A related-key boomerang attack with four keys. This figure is inspired from the one of [20].

In [3], the main principle of a boomerang attack has been extended to the related-key case. In addition to the classical boomerang attack, four keys ( K 1 , K 2 , K 3 , K 4 ) are concerned, each one allowing to cipher one branch of the rectangle as displayed in Figure 1. The differences in the keys are chosen to be compatible with the differences between the plaintexts and are such that K 2 = K 1 ⊕ λ , K 4 = K 3 ⊕ λ , K 3 = K 1 ⊕ θ , and K 4 = K 2 ⊕ θ . This of course happens with a certain probability when the KeySchedule is nonlinear.

Recently, Cid et al. [4] have analyzed how to exactly compute the probability in the middle round using a dedicated table called the BCT for SPN ciphers. However, Song et al. [19] and Delaune et al. [5] analyzed more carefully the interactions of the boomerang on several rounds in the middle and introduce some other tables (even in the related-key setting). More precisely, the BCT is only applied on one round (the middle one), whereas the other tables are applied on several rounds (with differences that may not be fixed everywhere). A part of those tables is described in the next subsection for the SPN case.

2.3 Delaune et al.’s model

Delaune et al. [5] proposed a model divided into two steps to search for optimal boomerang distinguishers on SPN ciphers (possibly in the related-key setting). In Step 1, a MILP model searches for truncated boomerangs. Each Step 1 solution is the input of a Step 2 search that tries to instantiate the truncated boomerang with concrete differences to maximize the overall probability of the boomerang distinguisher. Our own search is organized in the same way and divided into the two same steps.

A related-key boomerang attack uses two differential trails; the first one is called the upper trail and determines α and β , the input and output differences of the distinguisher for the upper trail. The other one is called the lower trail and determines γ and δ , the input and output differences of the distinguisher for the lower trail (note that the lower trail is in the decryption direction, from ciphertext to plaintext). In the model proposed by Delaune et al. [5], the upper and lower trails are searched together on all the rounds.

For each differential byte δ A , two variables are defined:

1. a Boolean variable Δ A , which is true if δ A contains a difference, and false otherwise^[2], i.e., Δ A = ( δ A ≠ 0 ) ;

2. a Boolean variable free A , which indicates whether the difference δ A is free of conditions and can take any value with a uniform probability.

Constraints are added between Δ variables to model linear operators of SKINNY (ART, ShiftRows, and MixColumns). We do not detail these constraints as they are straightforwardly derived from the definition of linear operators. In addition, for each m-ary linear operation ( o 1 , … , o m ) = f ( i 1 , … , i m ) , a constraint is added to ensure that all output variables are free whenever any input variable is free, i.e.,

Let us now consider the case of the nonlinear operator Sbox. For each couple of differential bytes ( δ A , δ S A ) such that δ A is the input difference of an Sbox and δ S A is the corresponding output difference, the constraint

is added to express the fact that there is an input difference iff there is an output difference, in both upper and lower trails. Then, the following constraints are defined to link together Δ and free variables. First, if δ A up is free, then δ S A up is also free because the upper trail follows the encryption direction. The contrary happens for the lower trail because it follows the decryption direction:

In addition, if δ S A up is free, then δ A up must contain a difference. Again the lower trail is in the decryption direction.

Each S-box probability is computed with a different table (Differential Distribution Table [DDT], DDT 2 , BCT, Lower BCT [LBCT], Upper BCT [UBCT], Extended BCT [EBCT]). The right table is chosen depending on the values of the variables Δ A up , Δ A lo , free A up , free A lo , free S A lo , and free S A up as defined in Model 1. We always consider a valid propagation of differences for those tables. A last constraint ensures, when a table is selected for an S-Box, that we know the required parameters to compute its transition probability.

The goal is to find the values that satisfy all constraints and have the maximal probability. This is done by minimizing the sum of − log 2 ( p ) for each individual probability p . To do so, once the right table is chosen, we integrate the best possible transition probability of the chosen table to include it in the general probability computation, which is our objective function. Then, our overall probability computes the best possible probability that can be reached using the various tables, while differences are consistently propagated.

So, Step 1 outputs boomerang trails considering that the probability computation is the best one even if this best probability cannot be reached when instantiating the exact difference values. This is the role of Step 2 to instantiate the difference values and to compute the best possible probability.

3.1 Step 1: Automatic search of related-key truncated boomerang distinguishers

As summed up in Section 3, the first step of a related-key boomerang attack may be divided into two parallel searches of related-key truncated differential characteristics (one for the upper trail and the other for the lower trail) and some glue needs to be added for the middle part using the Boolean free variables propagation. For each differential byte δ A (where A ∈ { X [ i , j , k ] , S X [ i , j , k ] , Y [ i , j , k ] , Z [ i , j , k ] , R K [ i , j , k ] : i ∈ [ 1 , N r − 1 ] , j ∈ [ 0 , 3 ] , k ∈ [ 0 , N b − 1 ] } ), we define four Boolean variables, i.e., Δ A up , free A up , Δ A lo , and free A lo , and the meaning of these variables is the same as in the study by Delaune et al. [5].

As Rijndael also has Sboxes in the key schedule, we also introduce four Boolean variables for each differential byte δ R K [ i , j , k ] that passes through an S-box (as defined in Algorithm 1), denoted by Δ S R K up [ i , j , k ] , free S R K up [ i , j , k ] , Δ S R K lo [ i , j , k ] , and free S R K lo [ i , j , k ] : these variables model the fact that there is an output difference and that this output difference is free of condition for the upper and lower trails, respectively.

Since Rijndael’s KeySchedule is represented by a two-dimensional matrix, we introduce the same Δ and free variables for W K up , W K lo , S W K up , and S W K lo , which correspond to the variables R K up , R K lo , S R K up , and S R K lo . The R K and W K variables are linked by the following equations:

Constraints are added between Δ variables to model Rijndael operators, and we use the same constraints as those introduced in Models 1 and 2 in the study by Rouquette et al. [22], except that these constraints are duplicated for the upper and the lower trail, respectively. For example, the constraint associated with AddRoundKey in Model 1 in the study by Rouquette et al. [22] is:

In our model, this constraint becomes:

We do not detail these constraints here and refer the readers to Models 1 and 2 in the study by Rouquette et al. [22].

Besides these constraints, we add the new constraints defined in Model 2:

1. Constraints (B1)–(B5) relate free variables together: (B1) corresponds to AddRoundKey, (B2) corresponds to ShiftRows, (B3) corresponds to MixColumns, and (B4) and (B5) correspond to the KeySchedule. Note that for each round operation (AddRoundKey, ShiftRows, and MixColumns), we have one constraint in the encryption direction for the upper trail, and one constraint in the decryption direction for the lower trail. For the KeySchedule, there are also two constraints, but they are both in the encryption direction because subkeys are all computed from the master key, in both trails.

2. Constraints (B6) and (B7) define the S-Box rules that glue the two trails as done in the study by Delaune et al. [5].

3. Constraint (B8) defines the objective function o b j that must be minimized (as we consider − log 2 values). There are six tables implied in the computation of the objective function: DDT, DDT 2 , BCT, EBCT, LBCT, and UBCT. The predicates used to choose the correct tables are given in Model 1. These predicates are extended to R K variables in a straightforward way by replacing X with R K . Each predicate isT_X and isT_RK (with T ∈ { DDT , DDT 2 , BCT , EBCT , LBCT , UBCT } ) is multiplied by the − log 2 of the maximum probability of table T, denoted by P T .

Implementation. Our Step 1 model has been implemented in MiniZinc [23], which is a high-level and solver-independent language for modeling constraint satisfaction and optimization problems. MiniZinc models are then compiled into FlatZinc, a solver input language that is understood by a wide range of solvers (such as Choco [9], Chuffed [24], or Picat-SAT [8]). In our experiments, we have used Picat-SAT as it is the most efficient for our Step 1 problem.

3.2 Step 2: Instantiating the related-key truncated boomerang distinguishers

In this section, we describe how to solve Step 2, which aims at computing the maximal probability of a related-key boomerang distinguisher corresponding to a given truncated distinguisher computed in Step 1 (as explained in the previous section). We first describe the mathematical model and then show how it may be easily implemented using a CP language.

For each round i ∈ [ 1 , N r − 1 [ , each row j ∈ [ 0 , 3 ] , and each column k ∈ [ 0 , N b [ , if free A up [ i , j , k ] (resp. free A lo [ i , j , k ] ) is true in the Step 1 solution, then the corresponding differential byte δ A up [ i , j , k ] (resp. δ A lo [ i , j , k ] ) at Step 2 may take any value with uniform probability and is free of constraints. Hence, we do not introduce differential byte δ A for these truncated variables. Otherwise, when free A up [ i , j , k ] (resp. free A lo [ i , j , k ] ) is false, we introduce an integer variable δ A up [ i , j , k ] (resp. δ A lo [ i , j , k ] ) in the Step 2 model.

For S-Box variables, the possible values of this integer variable depend on the value of its associated Δ Boolean variable (assigned at Step 1): if Δ X up [ i , j , k ] (resp. Δ X lo [ i , j , k ] , Δ S X up [ i , j , k ] , and Δ S X lo [ i , j , k ] ) is false, then δ X up [ i , j , k ] (resp. δ X lo [ i , j , k ] , δ S X up [ i , j , k ] , and δ S X lo [ i , j , k ] ) is assigned to 0; otherwise, its set of possible values is [ 1 , 256 [ . The same operation is done for the δ R K up , δ R K lo , δ S R K up , and δ S R K lo variables.

Considering that ShiftRows , MixColumns , and AddRoundKey are linear functions, it is possible to infer the free state of the δ Y up , δ Y lo , δ Z up , and δ Z lo variables from the free state of δ X up , δ X lo , δ S X up , δ S X lo , δ R K up , δ R K lo , δ S R K up , and δ S R K lo variables. Hence, the δ Y up , δ Y lo , δ Z up , and δ Z lo differential variables are only introduced in Step 2 when they are not free .

Finally, we introduce integer variables that represent − log 2 probabilities associated with S-boxes. For each round i ∈ [ 0 , N r − 1 ] , each row j ∈ [ 0 , 3 ] , and each column k ∈ [ 0 , N b [ , we define an integer variable p [ i , j , k ] that corresponds to the − log 2 probability of crossing both the upper trail S-box (from δ X up [ i , j , k ] to δ SX up [ i , j , k ] ) and the lower trail S-box (from δ SX lo [ i , j , k ] to δ X lo [ i , j , k ] ). The values of Δ and free Boolean variables computed at Step 1 are used to determine which constraint must be used to link p [ i , j , k ] variables with their corresponding differential variables as defined in Model 3. The same operation can be applied to the S-Box columns of the KeySchedule by introducing p R K [ i , j , k ] variables. p R K [ i , j , k ] is the probability for the Round Key byte at round i , row j , and column k to pass its S-Box. Knowing that not all the Round Key columns go through an S-Box, we only introduce a p R K [ i , j , k ] variable when necessary.

δ X , δ S X , δ Y , δ Z , δ K , and δ R K variables are constrained with respect to SubBytes, ShiftRows, MixColumns, AddRoundKey, and KeySchedule as described in Model 3 of [22], using table constraints. However, this model is duplicated for the upper and lower trails, respectively.

The objective function is then the sum of all p [ i , j , k ] and p R K [ i , j , k ] integer variables, and the goal is to minimize this sum.

Implementation. Our Step 2 model widely uses table constraints, which are constraints of the form ( x 1 , … , x n ) ∈ T , where x 1 , …, x n are integer variables and T is a set of allowed tuples (of arity n ). Table constraints are one of the main advantages of using CP because those tables can be defined on large alphabet and are directly handled by CP solvers.

This model has been implemented with the Choco CP library version 4.10.6 [9].

3.3 Combining the two steps

Step 1 is in fact composed of two different sub-problems: the first one, Step1-Opt, searches for the best possible value of o b j (denoted by o b j * ), and the second one, Step1-Next, searches for Step 1 solutions with the o b j value fixed to o b j * . As there are usually many Step 1 solutions, we do not compute all of them at once, but we enumerate them one at a time, and for each enumerated Step 1 solution, Step 2 is performed to search for the best related-key differential characteristic corresponding to it, as done in the study by Rouquette et al. [22]. This search that interleaves Step1-next and Step 2 is iterated until finding the optimal related-key differential characteristic, or detecting that the optimal probability exceeds the block or key exhaustive search according to the Rijndael instance. Note that it may be possible that the optimal related-key differential characteristic has more than o b j * active S-boxes (either because there is no Step 2 solution with o b j * active S-boxes, or because it is possible to have a larger probability with more active S-boxes). Hence, the interleaved process increases o b j * until proving optimality of the best found differential characteristic.

Note also that Delaune et al. [5], in their original article, also proposed a way to compute the clusters induced. One of the main differences between Rijndael and SKINNY relies on the fact that the linear part of SKINNY is composed of XOR, whereas the one of Rijndael includes multiplication in a finite field. As stated in [25,26], it is out of computational reach to compute such clusters for the AES and thus Rijndael. So, due to the very high computational cost of our method without the cluster computation, we do not include any cluster in our approach.

4.1 From the distinguisher to the attack

Once an efficient related-key boomerang distinguisher between rounds 1 and N r − 2 is found, there exist several techniques to extend it to a key recovery attack (see, e.g., [27] for a complete survey). We focus here on the method proposed by Zhao et al. [28] even if it concerns algorithms with linear key schedule but it could be adapted for algorithms with nonlinear key schedule. Thus, we will apply their techniques to recover master key bits in round 0 and round N r − 1 that do not contain MixColumns operation. Due to the very high diffusion of Rijndael, we do not investigate to add more rounds at the beginning or at the end of the cipher. So, let us first introduce the technique described by Zhao et al. [28].

The parameters on which the complexities of an attack are computed are the following ones:

1. The distinguisher E d with N d rounds is placed in the middle of the attack. The input difference of the distinguisher is α , whereas the output difference is δ .

2. We add N a rounds E a at the beginning and N f rounds E f at the end.

3. At the beginning, in the deciphering direction, for N a rounds, the difference α is extended backward and with probability 1 to a truncated difference α ′ , with r a possibly active bits and n − r a inactive bits.

4. At the end, in the ciphering direction, for N f rounds, the difference δ is extended with probability 1 to a truncated difference δ ′ , with r f possibly active bits and n − r f inactive bits.

Then, the attack could work on N a + N d + N f rounds by guessing some key materials appearing before and after the distinguisher and by counting how many times the distinguishing property happens. The correct key bits have the higher counters. In the following, the guessed key bits at the beginning are denoted by m a and the guessed key bits at the end are denoted by m f .

The attack of [28] works as follows where s is the expected number of right pairs:

1. Build y = s ⋅ 2 n ∕ 2 − r a ∕ p 2 q 2 r structures of 2 r a plaintexts each, and store them with their associated plaintexts.

2. For each possible value of the m a key bits,

   1. initialize 2 m f key counters;

   2. partially encrypt each plaintext M 1 of each structure using the guessed m a key bits up to the beginning of E d . Add α to the computed value and decrypt it up to the plaintext, to obtain M 2 . Construct the set S (of size y ⋅ 2 r a ) given by S = { ( M 1 , C 1 , M 2 , C 2 ) such that E a ( M 1 , K 1 ) ⊕ E a ( M 2 , K 2 ) = α } ;

   3. insert S into a hash table H indexed by the n − r f bits that are inactive in δ ′ , each collision defines a quartet ( C 1 , C 2 , C 3 , C 4 ) ;

   4. use these quartets to determine the correct m f key bits. The time complexity of this stage is denoted by ε .

The time complexity of the attack is dominated by stage 2.(b) or 2.(d). The complexity, given in the number of encryptions, for stage 2.(b) is

whereas the complexity of stage 2.(d) is

Since stage 2.(b) does partial encryptions over E b , μ can be approximated by N a N a + N d + N f , while ε corresponds to the cost of gradually decrypting rounds to check the validity of a key guess and could be approximated by 1 s .

Then, the success probability P s of the related-key boomerang attack could be approximated by the success probability of a differential attack given in [29]:

where S N is the signal-to-noise ratio, so is equal to p 2 q 2 r ∕ 2 − n and h is the advantage, h is typically equal to 80 (bits) or higher.

To adapt this attack to the case of a nonlinear key-schedule, one has just to compute the correct quartet of keys before the attack. Then, the probability to have a correct quartet only depends on the probability of the S-boxes induced by the KeySchedule and could be directly computed from the distinguisher. The probability of the distinguisher is thus computed without the probability appearing in the KeySchedule. Then, it may be considered as a weak key attack because all the keys could not provide a right quartet. If we denote by P KeySchedule the probability of the KeySchedule and by P E d the probability of the encryption path, then, the cost of this stage is about 4 ∕ P KeySchedule .

4.2 Results

The Step 1 model is implemented in MiniZinc and run on Picat [8], which uses the Lingeling solver [30]. The Step 2 is implemented in Java, using the Choco library version 4.10.6 [9]. We choose the Picat solver to solve the Step 1 as it is a SAT solver, so is especially suited to problems on Boolean formulae. Previous works like [31] have shown that Picat has good performances on multiple Step 1 models. Since the Step 2 contains a lot of table constraints, it appears that CP solvers are more adapted.

All experiments are run on a virtual machine Ubuntu 18.04.5 LTS x86_64 with an Intel Xeon Gold 5118 processor and 32 Gio of RAM. The requirements are : Java 10.0.12 OpenJDK, Gradle 6.8, MiniZinc 2.5.5, Picat 3.1.2, and Choco 4.10.6. Each instance is run on a single thread.

We put a time out of 6 months. After, those 6 months, the results we obtained are summed up in Table A1 for both Step 1 and Step 2 computations for the related-key boomerang distinguisher on Rijndael.

Even if our models could not reach the largest instances of Rijndael, we obtain the following results:

1. Rijndael-128-160 with seven rounds, best probability: 2 − 95 . The version with eight rounds is not reachable.

2. Rijndael-160-128 with four rounds, best probability: 2 − 18 . Rijndeal-160-128 with five rounds is not reachable.

3. Rijndael-192-160 with five rounds, best probability: 2 − 73 . The version with six rounds is not reachable.

1. Rijndael-160-160 for six rounds with an upper bound equal to 2 − 118 ;

2. Rijndael-160-192 for seven rounds with an upper bound equal to 2 − 102 ;

3. Rijndael-160-224 for eight rounds with an upper bound equal to 2 − 114 ;

4. Rijndael-160-256 for nine rounds with an upper bound equal to 2 − 120 ;

5. Rijndael-192-128 for four rounds with an upper bound equal to 2 − 36 ;

6. Rijndael-192-192 for six rounds with an upper bound equal to 2 − 84 .

Figure 2 displays some statistics about computation times. The upper part of the figure represents which step over the three is the most time consuming, while the lower part of the figure represents the computation time. We can see that the Step 1 (Step1-Opt + Step1-Enum) step is the most time-consuming in general, expected for six (over 37) instances. Moreover, we see that the instances where Step 2 is the most time-consuming are not among the most difficult instances. Hence, improvements should target Step 1 modeling and resolution to improve the overall performances.

Figure 2

Computation times for instances X b − Y k , where X is the block length and Y is the key length. The upper part of the chart represents the computation time proportion (in percentage of the total computation time) between Step-1-Opt (), Step-1-Enum (), and Step2 (). In the lower part, the chart represents the computation time (in seconds) for each step: Step1-Opt (), Step1-Enum (), and Step2 () and the cumulative total time ().

4.3 Attack on nine rounds of Rijndael-128-160

The nine rounds attack of Rijndael-128-160 is presented in Figure A2 in Appendix B. The distinguisher works for rounds 1 to 8 and has a probability of 2 − 56 for the encryption part and of 2 − 39 for the KeySchedule.

Thus, the attack implies the following parameters: N a = 1 , r a = 32 , n − r a = 96 , N f = 1 , r f = 32 , n − r f = 96 , m a = 32 , m f = 32 , P E d = 2 − 56 , and P KeySchedule = 2 − 39 . Thus, applying the previous attack, with s = 4 , we need to cipher 2 61 structures of 2 32 plaintexts. The complexity of the attack is dominated by stage 2.(b) and is equal to 2 122 encryptions. The success probability of the attack is equal to 97.67%.

The probability that a right quartet of keys is found is equal to 2 39 , and the complexity to find such a quartet is equal to 2 41 encryptions. Another way to say that is that the number of keys that work for our attack is equal to 2 160 − 39 = 2 121 .