Cryptanalysis of Full-Round BipBip

BipBip is a low-latency tweakable block cipher proposed by Belkheyar et al. in 2023. It was designed for pointer encryption inside a new memory safety mechanism called Cryptographic Capability Computing ($C^3$). BipBip encrypts blocks of 24 bits using a 40-bit tweak and a 256-bit master key and is composed of 11 rounds. In this article, we provide a Demirci-Selçuk Meet-in-the-Middle (DS-MITM) attack against the 11-round (full) variant that breaks the security claim of the designers.


Introduction
Memory safety vulnerabilities, such as access errors or memory leaks, are considered to be the most common security problems in computer systems. In 2021, a group of researchers from Intel Labs proposed a new memory safety mechanism, called Cryptographic Capability Computing ($C^3$) [LRD+21]. This mechanism was particularly interesting as it was the first one to be stateless, not requiring extra storage for metadata. In practice, $C^3$ encrypts 64-bit pointers. However, only 24 bits of each pointer are encrypted and the remaining 40 bits serve as a tweak. While each pointer is only encrypted once upon memory allocation, it needs to be decrypted within the processor core whenever it is dereferenced. Therefore, to guarantee good system performance it is crucial for the decryption to be low-latency.
In 2023, Belkheyar, Daemen, Dobraunig, Ghosh and Rasoolzadeh designed BipBip [BDD+23], a low-latency tweakable block cipher, to be used inside the $C^3$ mechanism. BipBip uses 24-bit blocks and 40-bit tweaks while the master key is 256 bits long. It is an 11-round iterative design that permits ASIC implementations with a latency of 3 cycles at a 4.5 GHz clock frequency on a modern 10 nm CMOS technology. Because of the special format and performance requirements, BipBip has several particular design features. First, it has a very small block size of only 24 bits. Another particularity is that it has a very long key compared to the block size, which needs to be absorbed in very few rounds due to the low latency requirements. This is done with the help of a wide, non-linear tweakey schedule.
The designers of BipBip claimed a security of 96 bits against attackers and provided a preliminary security analysis inside the design document. In particular, they gave an extended and very complete analysis of the resistance of the cipher against differential and linear attacks. This analysis shows that BipBip is not vulnerable to these two classical cryptanalysis techniques. Among the other attacks, the one that proved to apply best against BipBip was the Demirci-Selçuk Meet-in-the-Middle (DS-MITM) cryptanalysis technique [DS08].
The Demirci-Selçuk Meet-in-the-Middle attack was introduced by Demirci and Selçuk in 2008 and applied to reduced-round versions of the Advanced Encryption Standard (AES). Subsequent enhancements by various researchers [DKS10, DFJ13, DF13, LJW14, LJ16] refined this method, leading to the most effective known attacks on AES variants. The versatility of the DS-MITM approach has been demonstrated through its application to many different ciphers, including PRINCE [DP15], TWINE [BDP15], Camellia [LJWD15, DLJW15], HALFLOOP [LRS23], and SKINNY [SSS+23], among others. In parallel, quantum versions of the attack have been proposed recently [HS18, BNS19], demonstrating the potential of this technique in the field of quantum cryptanalysis.
Applying the DS-MITM technique to BipBip allowed its designers to break 9 out of the 11 rounds with a data complexity of $2^6$ ciphertexts and a time complexity of $2^{90}$ encryptions and $2^{90}$ memory look-ups. While they did not manage to successfully extend this attack to 10 rounds, they wrote that such an extension could eventually be possible by a more careful analysis of the cipher's inner components. No third-party cryptanalysis has been proposed until now against BipBip and the 9-round DS-MITM attack of [BDD+23] remains for the moment the best attack against this cipher.
Determining the exact level of security that BipBip offers in practice is very important as this cipher has very attractive features, offers competitive performance and will very probably be implemented inside the $C^3$ architecture. Analyzing this cipher is also very challenging, as its structure significantly differs from traditional tweakable block ciphers, notably by its extremely small block size. This task is even more important as we know today that many lightweight ciphers proved to be less secure than what their designers initially claimed [LAAZ11, TLS16, BDHN23, WNL+23, LAW+23, LIM21, ZCWW23, TI22, SCW23]. This sometimes wrong estimate of the security level that lightweight ciphers offer can be explained by the fact that the inner components of these ciphers most of the time have a simpler algebraic expression and more aggressive parameters than mainstream designs. For example, the number of rounds is often chosen in a much less conservative way, potentially leaving a very thin security margin.

Our contributions
In this article, we describe a Demirci-Selçuk Meet-in-the-Middle (DS-MITM) attack against 11-round BipBip, the first attack against the full version of this cipher. Our attack follows the framework proposed in [DKS10], where the differential enumeration technique (DET) is used to reduce both the time and memory complexities of the precomputation phase. The memory complexity of our attack is $2^{92.25}$ 24-bit blocks while its time complexity and its probability of success depend on the data available to the attacker. Given the full codebook for $s$ different tweaks, corresponding to a data complexity of $s \times 2^{24}$, the time complexity is equivalent to $2^{92.13} + s \times 2^{90.92}$ BipBip encryptions, for a probability of success equal to $1 - (1 - 2^{-48})^{s \times 2^{47}}$. A summary of our attacks for $s = 1$, 2 and 3, as well as a comparison with the previous best cryptanalysis results against BipBip, is shown in Table 1. As shown, we are able to generate under a secret key valid (plaintext/ciphertext/tweak) tuples with a probability twice as big as expected. For this reason, our attacks can be considered to break the security claim made by the designers of BipBip, but only under the assumption that the attacker has access to a very fast memory. In any case, our results demonstrate that the security claim is very tight and while they do not present a threat for the use of BipBip in practice, they provide a better understanding of the security properties and the security margin of this cipher.
The rest of the article is organised as follows. Section 2 describes the BipBip cipher and provides a brief introduction to Demirci-Selçuk MITM attacks. Section 3 describes our attack against full-round BipBip. Finally, Section 4 discusses the success probability of the attack and how it is related to the security claim of the designers.
BipBip is a tweakable block cipher designed to have low-latency decryption when implemented on ASICs [BDD+23]. BipBip has a block size of 24 bits, a master key length of 256 bits, and a tweak length of 40 bits. Figure 1 depicts the high-level structure of the data flow in BipBip's decryption. BipBip consists of three main parts: the datapath, the tweak schedule, and the key schedule. The key schedule forms the tweak-round keys $\kappa^i$, for $1 \le i \le 11$ and the whitening key $\kappa^0$ by selecting bits from the 256-bit master key $K$. The tweak schedule processes the tweak $T$ and the tweak-round keys $\kappa^i$ to derive the data-round keys $k^i$. The datapath starts with the addition of the whitening key $\kappa^0$ to the ciphertext $C$, followed by the alternating application of the datapath rounds $R$ and $R'$ and data-round key additions with $k^i$ to finally output the plaintext $P$. As the master key is 256 bits long and there are 11 data-round keys $k^i$ of 24 bits each, these can be considered to be (almost) independent.

Brief Introduction to BipBip and Notations
The datapath uses two round functions, one called core round function $R$ and the other one shell round function $R'$. The shell round function has no mixing layer and therefore has lower latency than the core round function. The core round function $R$ consists of an S-box layer $S$, a linear mixing layer $\theta_d$, and two bit-shuffles $\pi_1$ and $\pi_2$. The shell round function $R'$ includes the same S-box layer $S$ and a different bit-shuffle $\pi_3$. We have:
We now describe these inner components in detail.

S-box
Bit Shuffles $\pi_1$, $\pi_2$ and $\pi_3$. The 24 bits of the datapath state are permuted by where $P_1$, $P_2$ and $P_3$ are permutations of $\mathbb{Z}/24\mathbb{Z}$ specified by the following tables: From now on and for the sake of convenience, $\pi_2 \circ \theta_d \circ \pi_1$, the linear layer of the core rounds, will be denoted by $L_C$ while $\pi_3$, the linear layer of the shell rounds, will be denoted by $L_S$.

Tweak Schedule
The tweak schedule operates on a 53-bit tweak state. It consists of the application of two types of round functions $G$ and $G'$, and the addition of the tweak-round keys $\kappa^i$. The tweak-round keys come from the key schedule that extracts them from the master key.
The tweak schedule receives a 40-bit tweak $T$ and extends it to a 53-bit value $T^*$ with $T^* = T \| 1 \| 0^{12}$. The tweak schedule round function is composed of five operations, which are a non-linear layer $\chi$, two linear mixing layers $\theta$ and $\theta'$, and two bit permutations $\pi_4$ and $\pi_5$. The two types of round functions can be described as where the five operations are where $0 \le i < 53$ and the index is calculated modulo 53.
BipBip derives two 24-bit data-round keys $k^i$ and $k^{i+1}$ from the 53-bit internal state of $x^i$ by using two extractor functions $E_0$ and $E_1$:

Key Schedule
The 24-bit whitening key $\kappa^0$ and the six 53-bit tweak-round keys $\kappa^1, \ldots, \kappa^6$ are computed from the master key $K$ in the following way: where the index is computed modulo 256.
Notations. For the $i$-th round of BipBip where $0 \le i < 11$, the states before the S-box, linear layer and data-round key addition will be denoted by $x^i$, $y^i$ and $z^i$, respectively. The ciphertext and plaintext are denoted by $C$ and $P$. Thus, $x^0 = C \oplus \kappa^0$ and $P = z^{10} \oplus k^{11}$. For a state $s$ ($s$ can be $x^i$, $y^i$, $z^i$, $P$ or $C$), $\Delta s$ represents its difference; $s_j$ is the $j$-th bit of $s$ and naturally $s_{j_0,\ldots,j_{m-1}}$ are $m$ bits of $s$. If $j_0, \ldots, j_{m-1}$ are consecutive, we also write them as $s_{j_0-j_{m-1}}$. Finally, $s_0$ is the least significant bit (LSB) whereas $s_{23}$ is the most significant bit (MSB). An illustration of the above notations is given in Figure 2.

Security Claim
The BipBip security claim is provided in [BDD+23] in reference to the probability of correctly guessing that a ciphertext $C_i$ maps to a plaintext $P_i$ under a certain tweak $T_i$ for an instance of BipBip denoted by $E_K$, where the master key $K$ has been chosen randomly and the pair $(P_i, C_i)$ has not been queried before. The bound on the probability of a correct guess is where $\mu = 0.5$, $q$ is the total number of queries to both encryption and decryption of $E_K$, $q_{T_i}$ is the number of queries to both encryption and decryption of $E_K$ with the tweak of value $T_i$ and $t$ is the computation time with the unit amount of computation equivalent to evaluating $E_K$.
In the DS-MITM attack, a cipher is divided into three consecutive parts $E_0$, $E_1$, and $E_2$ and we denote by $s^0$, $s^1$, $s^2$, $s^3$ the following internal states:

Demirci-Selçuk MITM Cryptanalysis
In the rest of this section, we first provide the definition of the δ-set (and more precisely of the $b$-δ-set), a central notion in DS-MITM attacks. Then, we describe the basic MITM attack. Finally, we recall the differential enumeration technique, an enhanced method for this cryptanalysis, proposed by Dunkelman, Keller and Shamir in [DKS10] at ASIACRYPT 2010.
Definition 1 ($b$-δ-set and δ-set [DF16]). A $b$-δ-set is a set of $2^b$ states in $s^1$ which are all different in the $b$ active bits and constant in the remaining ones. Whenever the value of $b$ can be easily determined from the context, we will simply write δ-set to refer to this same collection of states.
The basic MITM attack, as described in the seminal paper [DS08], consists of two phases, the offline phase and the online one. The main idea is to compute the sequence of differences in some $b_o$ bits of the state $s^2$ from a δ-set, through $E_1$ during the offline phase and through $(E_2)^{-1} \circ E \circ (E_0)^{-1}$ during the online phase, assuming access to $E$. In other words, we want to build the sequence $[\Delta_1 s^2_{b_1,\ldots,b_{b_o}}, \ldots, \Delta_{2^b-1} s^2_{b_1,\ldots,b_{b_o}}]$ for an ordered collection of $2^b$ messages forming a δ-set on the state $s^1$, where $\Delta_i x$ stands for the difference on the state $x$ between the message labeled 0 and the $i$-th message of the δ-set. Note that in both phases, the sequence of differences is computed by first guessing the value of each involved S-box for one message of the δ-set and then by propagating the differences.
2. Store the sequences in a table $H$.

Online Phase
3. Pick a plaintext $P$ and guess the necessary parameters to propagate differences from the $b$-δ-set to the plaintext through the inverse of $E_0$. Identify a collection of $2^b$ plaintexts, containing $P$ and forming a $b$-δ-set on state $s^1$.
4. Query the oracle for the corresponding $2^b$ ciphertexts ($s^3$).
5. On the ciphertext side, guess the internal parameters, decrypt the above $2^b$ ciphertexts through $(E_2)^{-1}$, compute the $((2^b - 1) \times b_o)$-bit difference sequence and check whether it belongs to $H$. If not, the guess can be discarded.
Note that during the offline phase it is possible to associate to each sequence the value of the internal parameters that led to it in order to recover them during the online phase. We also emphasize that the procedure only involves guessing state cells but these are related to each other by the data-round keys and thus the internal parameters contain key material as well.

Differential Enumeration Technique.
First proposed by Dunkelman et al. at ASIACRYPT 2010 [DKS10], the differential enumeration technique uses a truncated differential characteristic of probability $p$. The idea is that for a pair following the characteristic, the number of possible values for the internal parameters might be much lower than for a random message. Thus, during the offline phase, we only construct the possible sequences for δ-sets such that at least one message belongs to a pair following the characteristic. This is what we call the differential enumeration phase (DEP). However, in return, around $1/p$ pairs are needed to ensure that at least one follows the differential characteristic. Hence, in the online phase, the adversary first detects a right pair and chooses one of the elements of the right pair to play the role of $P$ in the construction of the δ-set.
Several differential properties of the S-box are usually used to measure the number of deduced values in the differential enumeration technique.
Property 1 (Differential Property of the S-box). Assume that $\Delta_{in}$ and $\Delta_{out}$ are respectively the random input and output differences of a bijective S-box $S$. Then, the equation has one solution on average.
Property 2 (Differential Property of the S-box with a concrete output difference). Let $S$ be a bijective $n$-bit S-box and let $\Delta_{out}$ be a specific output difference. Further denote by $S_{\Delta_{in}}$ the set of all possible input differences leading to $\Delta_{out}$ through $S$. Then, for a specific $|S_{\Delta_{in}}|$ solutions on average.

MITM Attack on Full-Round BipBip
In this section, we describe our attack against 11-round, i.e., full BipBip.This DS-MITM attack was found by the automatic tool of Derbez and Fouque [DF16] and its outline is depicted in Figure 3. Details on how to apply this tool to BipBip are given in Appendix A.
For the distinguisher part (from $x^3$ to $y^8$), the δ-set should be chosen such that the active bits lie in the middle two words of $x^3$ and the active bits of $\Delta y^2$ are in the second and fourth words (from the bottom). More precisely, the δ-set we use for the attack is given as follows.
δ-set for the attack on 11-round BipBip. We define the δ-set for our attack as a set containing $2^6$ BipBip states that are all different on the bits 7, 8, 11, 15, 16 and 17 (active bits) and are constant on the remaining (inactive) bits.
The match will be performed on the difference on the bits $y^8_{12}$ and $y^8_{13}$. There are theoretically $2^{2 \times 63} = 2^{126}$ possible sequences of differences in those bits and we will show that, for the δ-set described above, there are far fewer such sequences, allowing us to distinguish 6 rounds of the cipher.
Let f be a part of the BipBip decryption that sends x

Figure 3: The DS-MITM attack on 11-round BipBip. The online phase is from $C$ to $z^2$ and from $z^8$ to $P$. The offline phase is from $x^3$ to $y^8$. Blue words correspond to the active words in the online phase while red words correspond to the active words in the offline phase. Finally, white words are inactive while the patterned ones are those not involved in the attack procedure.
Observation 1. Let $X_i$, $0 \le i < 64$ be the 64 different elements in a δ-set. Then, the ordered sequence is fully determined by the following 114-bit parameters, $x^3_{6-17}$, $x^4$, $x^5$, $x^6$, $x^7$, $x^8_{6-11}$, where $x^3$, $x^4$, $x^5$, $x^6$, $x^7$ and $x^8$ are intermediate states corresponding to one message of the δ-set.
We can restrict the number of possible values for these parameters from $2^{114}$ to $2^{90}$ by applying the differential enumeration technique. To decrease as much as possible the memory complexity, we fully specify the input and output of the truncated differential characteristic used within the technique. We thus set $\Delta x^3$ = (0x00, 0x26, 0x38, 0x00) and $\Delta y^8$ = (0x00, 0x00, 0x03, 0x00).
The proof of this observation comes directly from Property 1 which states that each input and output difference of an S-box will lead to one solution on average. Consequently, there are at most $2^{90}$ possible sequences when we consider all the possible choices of parameters in Observation 2 whereas theoretically there are $2^{126}$ possibilities. This property can then be used as a distinguisher to mount an attack against full-round BipBip.

Process of the 11-round Attack
Offline Phase. We first compute all the $2^{90}$ 126-bit sequences according to Observations 1 and 2, and store them into a hash table $H$.

Online Phase
1. By extending $\Delta x^3_{6-17}$ backwards to $\Delta C$, we see that $\Delta C$ is fully active. Thus, we use a structure that contains $2^{24}$ ciphertexts, i.e., the whole codebook. If we use $s$ tweaks we will need $s \times 2^{24}$ ciphertexts. For each tweak, we decrypt the $2^{24}$ ciphertexts, get the corresponding plaintexts and by pairing them, we obtain $2^{47}$ pairs. In total, we will have $s \times 2^{47}$ pairs.
2. On the ciphertext side, for each ciphertext pair with difference $\Delta C$, by enumerating each value of $\Delta y^0$ and $\Delta z^1$, we can deduce on average one $\kappa^0$, $k^1$ and $k^2_{6-11,18-23}$ such that $\Delta x^3$ has the desired value. On the plaintext side, by enumerating each value of $\Delta y^9$, we can deduce on average one value for $L_S^{-1}(k^{10})_{6-11}$ and $k^{11}$ such that $\Delta y^8$ has the desired value.
3. Once $\kappa^0$, $k^1$, $k^2_{6-11,18-23}$, $L_S^{-1}(k^{10})_{6-11}$ and $k^{11}$ have been deduced, we partially decrypt one ciphertext from the ciphertext pair to $z^2$. Then, we partially encrypt the values of the δ-set to the ciphertexts again. Next, we partially encrypt the corresponding plaintexts of the δ-set using $(L_S^{-1}(k^{10}))_{6-11}$ and $k^{11}$, and construct the sequence given in Observation 1.

Recovering All Data-Round Keys
The 126-bit difference sequence has a $2^{-124}$ sieving ability since we fix 2 bits of them in the process of checking right pairs. After performing our attack, for a fixed tweak, there will remain $2^{90+89-124} = 2^{55}$ values containing 114-bit parameters from the hash table $H$, 90-bit secret keys in the online phase and the corresponding plaintext-ciphertext pair. Therefore, we can know the values of the $2^6$ δ-set elements in $y^7$ by the 114-bit parameters while their values in $z^9$ can be obtained by the 90-bit keys. Then, we can guess more keys and use another match point to further sieve the keys. For example, after guessing $k^8_{0-5}$ and $L_S^{-1}(k^{10}_{0-5})$, we can check whether the two δ-sets match in $y^8_{2,5}$. After this step, and since $k^3_{6-17}$ and $L_S^{-1}(k^9)_{2,5,12,13}$ are deduced from state bits after each valid match, we recover the right value for $90 + 90 + 12 + 12 + 4 = 208$ bits of the data-round keys as no wrong key should survive (we expect $2^{55+12-126} = 2^{-59}$ wrong keys to remain). We finally brute-force the missing 80 bits of the data-round keys.

Time Complexity Analysis. Denote by $T_d$ the complexity of deducing the input values to the S-box from the input and output differences, by $T_H$ a memory access to $H$, and by $T_s$ an S-box operation. As computing the difference sequences in the offline phase requires going through 18 S-boxes, for each guessed difference, we need $18T_d$ to determine the 114 parameters in Observation 1, $(2^6 \times 18)T_s$ to encrypt the δ-set and one $T_H$ to store the parameters in the hash table. Considering that one BipBip encryption has 44 S-box operations, the time complexity of the offline phase is With a similar analysis, the time complexity of the online phase is

Further Reducing the Time and Memory Complexities
The time complexity can be reduced further by cleverly organizing the computations and investigating the BipBip S-box. First, as shown in both Algorithms 1 and 2, we can handle the $2^6$ elements of the δ-set round by round, improving the time complexity related to building the sequences. Second, we notice that the differential used in the differential enumeration technique limits the possible differences of both $\Delta x^8$ and $\Delta y^9$. This can be used to amortize the cost of propagating the δ-set.
For the offline phase, $\Delta y^8_{12-17}$ = 0x03, so $\Delta x^8$ can only take 22 among the 64 possibilities, reducing the number of possible values for $x^7$. Furthermore, $\Delta y^7_{6-11}$ can assume only 12 different values and we can thus start by guessing it before $\Delta x^8$ to reduce a bit more the complexity of the offline phase.
Algorithm 1: Efficient Algorithm for the Offline Phase against Full-Round BipBip.

return H
The complexity of Algorithm 1, computed in terms of S-box evaluations, is straightforward and dominated by the four last nested loops. After guessing the possible differences, for each active S-box, we need one $T_d$ to deduce the internal state and $2^6 \times T_s$ to encrypt the whole $2^6$ elements in the δ-set through this S-box. Finally, $2^{90}$ hash table write operations are required to store all the parameters into $H$.

Complexity Analysis
We deduce the S-box input from the input and output differences by an extended DDT whose index is the input and output differences and the value is the corresponding values. We experimentally evaluated the ratio of the time complexity of a lookup of the extended DDT and a BipBipBox and found it to be around 5:1. Therefore, we measure $T_d$ as $5T_s$. Besides, we assume this attack runs on a machine that has a fast memory access and we can measure each $T_H$ as one BipBip encryption.
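The extended DDT lookup described above, together with Properties 1 and 2 from the differential enumeration section, can be checked on a small S-box. This is an added example, not code from the paper: the 6-bit S-box is a constructed stand-in (inversion in GF(2^6)) because the BipBipBox table is not reproduced here, and all function names are illustrative.

```python
# Added illustration. SBOX is a constructed 6-bit bijection (inversion in
# GF(2^6)); it is NOT the BipBipBox, whose table is not reproduced here.
from collections import defaultdict

N = 6                # S-box width in bits
SIZE = 1 << N        # 64 possible values
POLY = 0b1000011     # x^6 + x + 1, irreducible over GF(2)


def gf_mul(a, b):
    """Multiply two elements of GF(2^6) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= POLY
    return r


def gf_inv(x):
    """Return x^(2^6 - 2) = x^62, which maps 0 to 0 and inverts the rest."""
    r = 1
    for _ in range(SIZE - 2):
        r = gf_mul(r, x)
    return r


SBOX = [gf_inv(x) for x in range(SIZE)]


def extended_ddt(sbox):
    """Map (d_in, d_out) -> inputs x with S(x) ^ S(x ^ d_in) == d_out."""
    table = defaultdict(list)
    for d_in in range(len(sbox)):
        for x in range(len(sbox)):
            table[(d_in, sbox[x] ^ sbox[x ^ d_in])].append(x)
    return table


def average_solutions(table, size):
    """Property 1: mean number of solutions over all (d_in, d_out) pairs."""
    return sum(len(v) for v in table.values()) / (size * size)


def feasible_input_differences(table, d_out, size):
    """Property 2: the input differences that can lead to a fixed d_out."""
    return [d for d in range(size) if (d, d_out) in table]


def deduce_inputs(table, d_in, d_out):
    """The T_d step: S-box inputs compatible with an observed difference pair."""
    return table.get((d_in, d_out), [])


def demo(d_out=0x03):
    """Summarise both properties for one fixed output difference."""
    table = extended_ddt(SBOX)
    feas = feasible_input_differences(table, d_out, SIZE)
    total = sum(len(table[(d, d_out)]) for d in feas)
    return {
        "avg_over_all_pairs": average_solutions(table, SIZE),
        "feasible_d_in": len(feas),
        "avg_per_feasible_d_in": total / len(feas),
    }


if __name__ == "__main__":
    print(demo())
```

Fixing the output difference shrinks the set of input differences worth guessing, which is the same effect the text exploits when it restricts the candidates for the difference entering the last distinguisher round; the counts for the constructed S-box differ from those of BipBipBox.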
In the differential enumeration phase, we use a distinguisher of probability $2^{-48}$ consisting of $2^{-24}$ from the input difference and $2^{-24}$ from the output difference. Using the whole codebook for a fixed tweak, we can generate $2^{47}$ pairs and thus we expect that asking for the full codebook for $s = 2$ tweaks should allow us to generate enough pairs to get one that follows the differential.
From the above analysis, the data complexity of the attack is $2 \times 2^{24} = 2^{25}$, the time complexity is $2^{92.19} + 2 \times 2^{90.98} \approx 2^{93.09}$ BipBip encryptions and the memory complexity is given by the size of the hash table $H$ constructed in the offline phase, that is $114 \times 2^{90}/24 \approx 2^{92.25}$, which is measured by the block size of BipBip.

Impact of our Attack on the Security Claim of BipBip
As shown in the last part of Section 2, the designers provided a security claim for BipBip based on Eq. (2). In this section, we show that our key recovery attack against BipBip breaks this security claim. To this end, we first introduce a procedure for recovering the

Recovering the Master Key from the Data-Round Keys
In this section, we present our method for recovering the master key from the data-round keys. According to Eq. (1), the data-round keys are directly extracted from the internal state of the tweak schedule, thus we already know some bits of each state $t^i$ from the recovered data-round keys. Table 3 summarizes the number of bits obtained from $k^i$ directly (known) and those that still need to be guessed (unknown) for each state $t^i$. Besides, since $\kappa^0$ is the first data-round key and is directly extracted from the master key $K$, we know 4, 4, 5, 8, 3 and 5 bits of the tweak-round keys $\kappa^1$, $\kappa^2$, $\kappa^3$, $\kappa^4$, $\kappa^5$ and $\kappa^6$ respectively.
The main idea of our attack is to guess the unknown bits of each tweak state $t^i$, deduce the value of $\kappa^i$, and sieve by the known bits in $\kappa^i$ obtained from the knowledge of $\kappa^0$. Finally, we check if the 62-bit sequence $\kappa^1 \| \kappa^2_{0-8}$ is the same as $\kappa^5_{44-52} \| \kappa^6$, since these two sequences are both extracted from $K_{53-114}$, where $K$ is the master key.
The process of this attack is as follows:
1. For the 40-bit tweak $T$ used in the attack, compute the 53-bit $T^*$ as $T^* = T \| 1 \| 0^{12}$.
2. For each of the $2^5$ possible values for $t^1$, deduce $\kappa^1$ from both $T^*$ and $t^1$ and check whether it is compatible with the 4 bits of $\kappa^1$ we already know. We expect $2^{5-4} = 2$ candidates to remain for $(\kappa^1, t^1)$.
5. Since there is no key addition between $t^4$ and $t^5$, this step is a bit different. We first guess $t^4$, compute $t^5$ from it and then check $t^5$ against the value of the 24 bits we already know. We then use both $t^3$ and $t^4$ to obtain $\kappa^4$ and we finally check the 8-bit constraint on it. Hence, we constructed $2^{26} \times 2^{29-24} \times 2^{-8} = 2^{23}$ candidates for $(\kappa^1, t^1, \kappa^2, t^2, \kappa^3, t^3, \kappa^4, t^4, t^5)$.
7. Finally, obtain $2^{25} \times 2^5 \times 2^{-5} = 2^{25}$ candidates for the tweak-round keys. For each of them, we check whether the value of the 62-bit sequence $\kappa^1 \| \kappa^2_{0-8}$ is the same as $\kappa^5_{44-52} \| \kappa^6$. Since the probability for a wrong key to pass this test is $2^{-62}$, only the right one should remain.
8. Recover the master key $K$ from $\kappa^1, \ldots, \kappa^5$.
The complexity of this procedure is around $2^{31}$ basic operations, which is negligible compared to the complexity of our attack.

Success Rate Analysis
Assuming that we have recovered the master key, we can randomly select a tweak (except the ones which were used to recover the master key) to conduct the following challenge shown in the security claim of BipBip: for a plaintext $P$ (resp. ciphertext $C$), map it to the corresponding ciphertext (resp. plaintext).
The designers of BipBip claim that the probability $p$ to win this challenge satisfies the following constraint: $p \le \frac{1}{\max(2^{24-\mu} - q_{T_i}, 1)} + \frac{q}{2^{96}} + \frac{t}{2^{96}} + \frac{qt}{2^{120}}$, where $\mu = 0.5$, $q$ is the total number of queries to both encryption and decryption of $E_K$, $q_{T_i}$ is the number of queries to both encryption and decryption of $E_K$ with the tweak of value $T_i$ and $t$ is the computation time with the unit amount of computation equivalent to evaluating $E_K$.
With the knowledge of the master key, this challenge can be solved with probability 1. Hence, the success rate of our attack corresponds to the probability of recovering the master key, which is itself equal to the success probability of the 11-round DS-MITM attack described in Section 3.
The success probability of our attack is exactly the probability to obtain a pair satisfying the differential used with the differential enumeration technique. Since our attack involves a differential of probability $2^{-48}$, using the whole codebook for $s$ tweaks allows us to generate $s \times 2^{47}$ pairs and thus the probability that at least one follows the differential is $1 - (1 - 2^{-48})^{2^{47}s} \approx 1 - e^{-s/2}$.
In our attack, the data complexity is $q = s \times 2^{24}$, the time complexity is $t = 2^{92.13} + s \times 2^{90.92}$ and $q_{T_i}$ is zero since we do not query anything under this tweak. Thus, the success upper bound in the BipBip design document is

Conclusion
In this paper we presented the first attack against 11-round BipBip, the full version of this cipher. While the core of our attack was automatically found by an existing tool, turning it into a valid attack was a complex task, involving clever procedures to compute the sequence of differences through the cipher, looking inside the S-box to restrict the number of possible values of several parameters and inverting the robust key schedule of BipBip. Our results show that the security claim made by the designers of BipBip was too tight and that there is no security margin left behind. Our results also highlight the importance of optimally organizing computations inside algorithms, in particular to avoid redundant ones. Indeed, such procedures permitted us to decrease the complexity of our basic attack by more than a factor of 10.

Figure 1: High-level structure of BipBip. The key schedule is omitted.

Figure 2: The notations for $R$-round BipBip states and the indices of BipBip state bits, where the linear layer $L$ is $L_S$ inside shell rounds and $L_C$ inside core rounds.

Offline Phase
1. Consider the encryption of a $b$-δ-set through $E_1$ by guessing the necessary internal parameters. Deduce the differences in the $b_o$ chosen bits of $s^2$ and construct a sequence of $2^b - 1$ $b_o$-bit values.

Figure 4: Tweak schedule of BipBip. $t^i$ denotes the $i$-th internal tweak state which generates the data-round keys.

Table 1: Summary of the best cryptanalysis results against BipBip. CC stands for Chosen Ciphertexts. Time complexities are evaluated in decryption units, while the memory complexity is given in number of blocks. The parameter $s$ corresponds to the number of tweaks, $P_u$ is the upper bound on the success rate set by the designers (Eq. (2)), and "Proba." is the success rate of our attack.

Table 2: The S-box (BipBipBox) used in BipBip. All elements in this table are expressed in hexadecimal. $x_0$ is the least significant bit.
Mixing Layer $\theta_d$. The mixing layer multiplies the datapath state with a binary circulant matrix:
Demirci-Selçuk Meet-in-the-Middle (DS-MITM) cryptanalysis [DS08] is a powerful cryptanalysis technique against block ciphers. In order to automatically and efficiently search for DS-MITM characteristics, Derbez and Fouque [DF13, DF16] introduced a specialized framework, implemented in C/C++. This development is part of a broader trend towards automation in the field, with other notable contributions including an integer programming-based approach [LWWZ13] and a constraint programming-based one [SSD+18].
As for the offline phase, we count the number of S-boxes computed at each step of the algorithm and we obtain: H BipBip encryptions.

Table 3: The number of known and unknown bits of $t^i$ (columns $t^1$ to $t^8$).
the data-round keys. Then, we analyze the success rate and compare it in Section 4.2 to the security claim of BipBip.
To achieve a valid attack, we need to make sure our success rate is higher than the upper bound of probability in the BipBip design document, which means It can be verified that when the number of tweaks $s$ is 1, 2 or 3, the above inequality holds.
1. When $s = 1$, our success rate is 39.35% and the upper bound in the BipBip design document is 20.46%;
2. When $s = 2$, our success rate is 63.21% and the upper bound in the BipBip design document is 39.93%;
3. When $s = 3$, our success rate is 77.69% and the upper bound in the BipBip design document is 65.54%;
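The comparison above can be recomputed from the designers' bound and the success probability given in the Success Rate Analysis. This is an added example, not code from the paper: function names are illustrative, the time-complexity exponents are the ones from the Complexity Analysis paragraph ($2^{92.19}$ and $2^{90.98}$), and the loop also evaluates $s = 4$, a value the text does not list.

```python
import math

MU = 0.5  # value of mu stated with the designers' bound


def claim_bound(q, q_ti, t):
    """Designers' upper bound on the probability of a correct guess."""
    return (1 / max(2 ** (24 - MU) - q_ti, 1)
            + q / 2 ** 96 + t / 2 ** 96 + q * t / 2 ** 120)


def attack_success(s, diff_prob_log2=-48, pairs_per_tweak_log2=47):
    """P(at least one of the s * 2^47 pairs follows the 2^-48 differential)."""
    pairs = s * 2.0 ** pairs_per_tweak_log2
    # 1 - (1 - p)^pairs, computed without cancellation for tiny p
    return -math.expm1(pairs * math.log1p(-(2.0 ** diff_prob_log2)))


def attack_cost(s, offline_log2=92.19, per_tweak_log2=90.98):
    """(q, t) for s tweaks: one full codebook per tweak, t in encryptions."""
    q = s * 2 ** 24
    t = 2.0 ** offline_log2 + s * 2.0 ** per_tweak_log2
    return q, t


def compare(max_s=4):
    """Rows of (s, attack success rate, designers' bound)."""
    rows = []
    for s in range(1, max_s + 1):
        q, t = attack_cost(s)
        # q_Ti = 0: the challenge tweak was never queried during the attack
        rows.append((s, attack_success(s), claim_bound(q, 0, t)))
    return rows


def winning_tweak_counts(max_s=4):
    """Values of s for which the success rate exceeds the bound."""
    return [s for s, p, b in compare(max_s) if p > b]


if __name__ == "__main__":
    for s, p, b in compare():
        print(f"s={s}: success={100 * p:.2f}%  bound={100 * b:.2f}%")
```

With these exponents the bound overtakes the success rate at $s = 4$, which is why only a small number of tweaks yields a valid attack.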