Revisiting Higher-Order Differential-Linear Attacks from an Algebraic Perspective

The Higher-order Differential-Linear (HDL) attack was introduced by Biham et al. at FSE 2005, where a linear approximation was appended to a Higher-order Differential (HD) transition. It is a natural generalization of the Differential-Linear (DL) attack. Due to some practical restrictions, however, HDL cryptanalysis has unfortunately attracted much less attention compared to its DL counterpart since its proposal. In this paper, we revisit HD/HDL cryptanalysis from an algebraic perspective and provide two novel tools for detecting possible HD/HDL distinguishers, including: (a) Higher-order Algebraic Transitional Form (HATF) for probabilistic HD/HDL attacks; (b) Differential Supporting Function (DSF) for deterministic HD attacks. In general, the HATF can estimate the biases of lth-order HDL approximations with complexity O(2(l+d2l)) where d is the algebraic degree of the function studied. If the function is quadratic, the complexity can be further reduced to O(2(3.8l)). HATF is therefore very useful in HDL cryptanalysis for ciphers with quadratic round functions, such as ASCON and XOODYAK. DSF provides a convenient way to find good linearizations on the input of a permutation, which facilitates the search for HD distinguishers. Unsurprisingly, HD/HDL attacks have the potential to be more effective than their simpler differential/DL counterparts. Using HATF, we found many HDL approximations for round-reduced ASCON and XOODYAK initializations, with significantly larger biases than DL ones. For instance, there are deterministic 2nd-order/4th-order HDL approximations for ASCON/XOODYAK initializations, respectively (which is believed to be impossible in the simple DL case). We derived highly biased HDL approximations for 5-round ASCON up to 8th order, which improves the complexity of the distinguishing attack on 5-round ASCON from 2(16) to 2(12) calls. We also proposed HDL approximations for 6-round ASCON and 5-round XOODYAK (under the single-key model), which couldn't be reached with simple DL so far. For key recovery, HDL attacks are also more efficient than DL attacks, thanks to the larger biases of HDL approximations. Additionally, HATF works well for DL (1st -order HDL) attacks and some well-known DL biases of ASCON and XOODYAK that could only be obtained experimentally before can now be predicted theoretically. With DSF, we propose a new distinguishing attack on 8-round ASCON permutation, with a complexity of 2(48). Also, we provide a new zero-sum distinguisher for the full 12-round ASCON permutation with 255 time/data complexity. We highlight that our cryptanalyses do not threaten the security of ASCON or XOODYAK.